How to Configure DNS over HTTPS on Linux

This guide will help you set up and configure DNS over HTTPS (DoH) on your Linux system, covering multiple configuration methods and best practices.

Prerequisites

  • Linux operating system
  • Administrator (root) privileges
  • Basic command-line knowledge
  • Stable network connection

Using systemd-resolved

Step 1: Check systemd-resolved Version

systemctl --version
systemd-resolve --version

Ensure the version is 247 or higher, as these versions support DoH.

Step 2: Configure resolved.conf

Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=yes
DNSSEC=yes
Cache=yes
DNSStubListener=yes

For DoH, add the following configuration:

[Resolve]
DNS=https://cloudflare-dns.com/dns-query
     https://dns.google/dns-query
DNSOverTLS=no
DNSSEC=yes
Cache=yes
DNSStubListener=yes

Step 3: Restart Service

sudo systemctl restart systemd-resolved
sudo systemctl status systemd-resolved

Using NetworkManager

Step 1: Check NetworkManager Version

nmcli --version

Ensure the version supports DoH functionality.

Step 2: Configure Connection

Configure DoH using nmcli:

# List current connections
nmcli connection show

# Modify specified connection
sudo nmcli connection modify "Connection Name" ipv4.dns "1.1.1.1,1.0.0.1" ipv4.dns-over-tls yes
sudo nmcli connection modify "Connection Name" ipv6.dns "2606:4700:4700::1111,2606:4700:4700::1001" ipv6.dns-over-tls yes

Step 3: Apply Changes

sudo nmcli connection up "Connection Name"

Using Standalone Clients

dnscrypt-proxy

  1. Installation

# Debian/Ubuntu
sudo apt install dnscrypt-proxy

# Fedora
sudo dnf install dnscrypt-proxy

# Arch Linux
sudo pacman -S dnscrypt-proxy

  2. Configuration

Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml:

server_names = ['cloudflare', 'google']
listen_addresses = ['127.0.0.1:53']
max_clients = 250
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = true
doh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = true
force_tcp = false
timeout = 2500
keepalive = 30

  3. Start Service

sudo systemctl enable dnscrypt-proxy
sudo systemctl start dnscrypt-proxy
sudo systemctl status dnscrypt-proxy

Stubby

  1. Installation

# Debian/Ubuntu
sudo apt install stubby

# Fedora
sudo dnf install stubby

# Arch Linux
sudo pacman -S stubby

  2. Configuration

Edit /etc/stubby/stubby.yml:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@53
  - 0::1@53
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

  3. Start Service

sudo systemctl enable stubby
sudo systemctl start stubby
sudo systemctl status stubby

Verify Configuration

Method 1: Using dig

# Test DNS resolution through the local stub
# (dnscrypt-proxy and Stubby listen on 127.0.0.1 as configured above;
#  the systemd-resolved stub listens on 127.0.0.53 instead)
dig @127.0.0.1 example.com

# Check DNSSEC (a validating resolver sets the "ad" flag in the response header)
dig @127.0.0.1 example.com +dnssec

# Verify the upstream: Cloudflare answers this CH TXT query with the address
# its servers saw the query come from; other upstreams will not answer it
dig @127.0.0.1 whoami.cloudflare CH TXT

Method 2: Using resolvectl

# View current DNS settings
resolvectl status

# Test DNS resolution
resolvectl query example.com

# Check DNSSEC
resolvectl query --dnssec example.com

Method 3: Online Testing

  1. Visit a DNS leak test website
  2. Run its extended test
  3. Verify that only the resolvers of your configured provider appear in the results
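The /dns-query endpoints configured above speak RFC 8484: the client sends a DNS message in wire format over HTTPS and receives one back. This added Python example (not from the guide or from any of the tools it covers) builds such a query, produces the GET URL form, and parses a response, reporting the AD flag that the DNSSEC settings above rely on; sample_response is a constructed reply, not captured traffic.

```python
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # endpoint used in the guide above

def build_query(name, qtype=1):
    """Minimal RFC 1035 query (ID 0 as RFC 8484 suggests for cacheability, RD=1, class IN)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: base64url-encoded message without '=' padding in the 'dns' parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _read_labels(msg, off):
    """Read a (possibly compressed) name; return (labels, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return labels, off + 1
        if n & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return labels + _read_labels(msg, ptr)[0], off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_a_records(msg):
    """Return (rcode, ad, [(name, ttl, ipv4), ...]); ad=True means the resolver validated DNSSEC."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _read_labels(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        labels, off = _read_labels(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ip = ".".join(str(b) for b in msg[off + 10:off + 14])
            answers.append((".".join(labels) + ".", ttl, ip))
        off += 10 + rdlen
    return flags & 0xF, bool(flags & 0x0020), answers

def sample_response():
    """Constructed reply to build_query('example.com'): NOERROR, AD set, one A record."""
    hdr = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)  # QR, RD, RA, AD flags set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return hdr + build_query("example.com")[12:] + rr
```

Fetch the URL from doh_get_url with `curl -sH 'accept: application/dns-message'` and pass the response body to parse_a_records to check an upstream directly, bypassing the local stub.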

Troubleshooting

Common Issues

  1. Resolution Failure

    • Check network connection
    • Verify configuration files
    • Check service status
    • Review system logs
  2. Performance Issues

    • Choose nearest server
    • Optimize cache settings
    • Monitor response time
    • Check system resources
  3. Compatibility Issues

    • Update packages
    • Check dependencies
    • Verify system requirements
    • Test alternative configurations

Log Analysis

  1. System Logs
# View systemd-resolved logs
journalctl -u systemd-resolved

# Check NetworkManager logs
journalctl -u NetworkManager

# View dnscrypt-proxy logs
journalctl -u dnscrypt-proxy

  2. Network Diagnostics

# Test network connectivity
ping 1.1.1.1

# Check DNS resolution
nslookup example.com

# Verify DNSSEC
dig example.com +dnssec

Best Practices

  1. Provider Selection

    • Evaluate privacy policies
    • Check service availability
    • Consider geographical location
    • Test connection speed
  2. Security Recommendations

    • Use trusted providers
    • Enable DNSSEC
    • Regular system updates
    • Monitor network activity
  3. Performance Optimization

    • Choose nearest servers
    • Optimize cache settings
    • Monitor performance metrics
    • Regular maintenance

Enterprise Deployment

System-wide Configuration

  1. Create Configuration Files

    • Set up systemd-resolved
    • Configure NetworkManager
    • Deploy client software
  2. Deployment Strategy

    • Use configuration management
    • Implement monitoring
    • Plan maintenance windows
  3. Maintenance Management

    • Regular updates
    • Performance monitoring
    • Issue tracking
    • Backup procedures

Next Steps