2025-03-04 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article shows how to use DNS over TLS on Fedora with systemd-resolved and NetworkManager. The steps below enable encrypted DNS, route all local queries through the systemd-resolved stub resolver, and verify that the result works.
Step 1: set up systemd-resolved
Edit /etc/systemd/resolved.conf as shown below. Make sure DNS over TLS is enabled and set the IP addresses of the DNS servers you want to use.

$ cat /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
A brief description of the options:
DNS: a space-separated list of IPv4 and IPv6 addresses to use as the system DNS servers.
FallbackDNS: a space-separated list of IPv4 and IPv6 addresses to use as backup DNS servers when none are configured otherwise.
Domains: these domains are used as search suffixes when resolving single-label host names. ~. means that the system DNS servers defined by DNS= are preferred for all domains.
DNSOverTLS: if enabled, all connections to the servers are encrypted. Note that this mode requires the DNS servers to support DNS over TLS and to have a valid certificate for their IP addresses.
Note: the DNS servers listed in the example above are my personal choice. You need to decide which DNS servers to use, and be mindful of whom you are sending your queries to.
Step 2: tell NetworkManager to push the information to systemd-resolved
Create a file called 10-dns-systemd-resolved.conf in /etc/NetworkManager/conf.d.

$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf
[main]
dns=systemd-resolved

The setting above (dns=systemd-resolved) makes NetworkManager push the DNS information it obtains from DHCP to the systemd-resolved service. This overrides the DNS servers configured in step 1. That is fine on a trusted network; alternatively, set dns=none so that only the DNS servers configured in /etc/systemd/resolved.conf are used.
Step 3: start and restart the service
For the configuration from the steps above to take effect, start and enable the systemd-resolved service, then restart the NetworkManager service.
Note: when NetworkManager restarts, the network connection is interrupted for a few seconds.

$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager

Note: at the time of writing, the systemd-resolved service is disabled by default and its use is optional. It is planned to be enabled by default in Fedora 33.
Step 4: check that everything is all right
By now you should be using DNS over TLS. Check the DNS resolution status to confirm this:

$ resolvectl status
MulticastDNS setting: yes
  DNSOverTLS setting: yes
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
                      9.9.9.9
Fallback DNS Servers: 8.8.8.8
                      1.0.0.1
                      8.8.4.4

/etc/resolv.conf should point to 127.0.0.53, the local stub resolver of systemd-resolved:

$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 127.0.0.53
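As an added example, not part of the original article, the following POSIX shell script audits a resolved.conf and a resolv.conf against the settings from steps 1 to 4: DNSOverTLS=yes (the strict mode; opportunistic falls back to plaintext if the server does not speak TLS), DNSSEC=yes, at least one DNS= server, and every nameserver pointing at the 127.0.0.53 stub so that applications cannot bypass the encrypted path. The sample files are constructed for the demonstration; on a real host pass /etc/systemd/resolved.conf and /etc/resolv.conf.

```sh
#!/bin/sh
# Added example (not from the original article): audit a resolved.conf and a
# resolv.conf for the DNS-over-TLS setup described in steps 1-4.
# File paths are parameters so the checks can run against copies.

# Print the effective value of KEY in a resolved.conf-style file
# (the last uncommented assignment wins, as systemd itself behaves).
resolved_value() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}=//p" "$file" | tail -n 1
}

# Return 0 when DNS over TLS is enforced, DNSSEC is on and at least one
# upstream server is configured; otherwise print the reason and return 1.
check_resolved_conf() {
    file="$1"
    dot=$(resolved_value DNSOverTLS "$file")
    dnssec=$(resolved_value DNSSEC "$file")
    servers=$(resolved_value DNS "$file")
    [ "$dot" = "yes" ] || { echo "DNSOverTLS is '${dot:-unset}', expected yes (off/opportunistic can fall back to plaintext)"; return 1; }
    [ "$dnssec" = "yes" ] || { echo "DNSSEC is '${dnssec:-unset}', expected yes"; return 1; }
    [ -n "$servers" ] || { echo "no DNS= servers configured"; return 1; }
    echo "resolved.conf OK: DoT strict, DNSSEC on, servers: $servers"
}

# Return 0 when every nameserver entry points at the systemd-resolved stub
# (127.0.0.53); any other address lets applications query a resolver directly.
check_resolv_conf() {
    file="$1"
    ns=$(sed -n 's/^nameserver[[:space:]]*//p' "$file")
    [ -n "$ns" ] || { echo "no nameserver entries"; return 1; }
    for n in $ns; do
        [ "$n" = "127.0.0.53" ] || { echo "nameserver $n bypasses the systemd-resolved stub"; return 1; }
    done
    echo "resolv.conf OK: all queries go to 127.0.0.53"
}

# Constructed sample input mirroring the article's configuration, plus two
# deliberately weak counter-examples. Removed automatically on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/resolved.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
EOF
cat > "$SAMPLE_DIR/resolved-weak.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1
DNSOverTLS=opportunistic
DNSSEC=yes
EOF
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
# Generated by NetworkManager
search lan
nameserver 127.0.0.53
EOF
cat > "$SAMPLE_DIR/resolv-leaky.conf" <<'EOF'
nameserver 192.0.2.1
EOF

# Stand-alone run: the weak samples are expected to fail.
check_resolved_conf "$SAMPLE_DIR/resolved.conf"
check_resolved_conf "$SAMPLE_DIR/resolved-weak.conf" || true
check_resolv_conf "$SAMPLE_DIR/resolv.conf"
check_resolv_conf "$SAMPLE_DIR/resolv-leaky.conf" || true
```

The resolv.conf check matters because NetworkManager, or an administrator editing the file by hand, can replace the stub address with a DHCP-supplied resolver, after which queries leave the host in the clear even though resolved.conf still says DNSOverTLS=yes.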
To view the address and port on which systemd-resolved listens for queries from local applications, run:

$ sudo ss -lntp | grep '\(State\|:53 \)'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=10410,fd=18))

To make a query and confirm that the response is authenticated, run:

$ resolvectl query fedoraproject.org
fedoraproject.org: 8.43.85.67                  -- link: wlp58s0
                   8.43.85.73                  -- link: wlp58s0
[..]
-- Information acquired via protocol DNS in 36.3ms.
-- Data is authenticated: yes

Step 5 (optional): verify the configuration using Wireshark
First, install and run Wireshark:
$ sudo dnf install wireshark
$ sudo wireshark

Wireshark asks on which device to capture packets. In my case, because I use the wireless interface, I chose wlp58s0. Set the filter in Wireshark to tcp.port == 853, the port used by DNS over TLS. Before capturing the DNS query, flush the local DNS cache so that the query actually goes to the upstream server:

$ sudo resolvectl flush-caches

Now run:

$ nslookup fedoramagazine.org
You should see the TLS encrypted exchange between your computer and the configured DNS server:
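The Wireshark filter above confirms that traffic to the resolver uses port 853. As an added example, not from the original article, the same check can be done from the command line by classifying the peers in `ss -ntp`-style output: connections to port 853 are DNS over TLS, connections to 127.0.0.53:53 are local queries to the stub, and any other connection to port 53 is a plaintext leak. The connection tables below are constructed, not captured, and the process names in them are placeholders.

```sh
#!/bin/sh
# Added example (not from the original article): flag plaintext DNS leaving
# the host in ss -ntp style output, while accepting DNS over TLS (TCP/853)
# and local queries to the systemd-resolved stub (127.0.0.53:53).

# Print one line per DNS-related connection: "dot IP", "stub IP" or
# "plaintext IP". The peer column is "addr:port"; the port is taken from
# after the last colon so bracketed IPv6 peers are handled as well.
classify_dns_conns() {
    awk 'NR > 1 {
        n = split($5, parts, ":")
        port = parts[n]
        ip = substr($5, 1, length($5) - length(port) - 1)
        if (port == "853") print "dot " ip
        else if (port == "53" && ip == "127.0.0.53") print "stub " ip
        else if (port == "53") print "plaintext " ip
    }' "$1"
}

# Return 1 if any plaintext DNS connection leaves the host, 0 otherwise.
dns_leak_check() {
    if classify_dns_conns "$1" | grep -q '^plaintext '; then
        echo "plaintext DNS to an external resolver detected"
        return 1
    fi
    echo "no plaintext DNS leaves the host"
}

# Constructed sample tables (removed on exit). SAMPLE_SS matches the
# article's setup; SAMPLE_LEAK adds an application that bypasses the stub.
SAMPLE_SS=$(mktemp)
SAMPLE_LEAK=$(mktemp)
trap 'rm -f "$SAMPLE_SS" "$SAMPLE_LEAK"' EXIT
cat > "$SAMPLE_SS" <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:41234 1.1.1.1:853 users:(("systemd-resolve",pid=10410,fd=20))
ESTAB 0 0 192.0.2.10:41235 9.9.9.9:853 users:(("systemd-resolve",pid=10410,fd=21))
ESTAB 0 0 127.0.0.1:51000 127.0.0.53:53 users:(("nslookup",pid=12000,fd=3))
EOF
cat > "$SAMPLE_LEAK" <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:41234 1.1.1.1:853 users:(("systemd-resolve",pid=10410,fd=20))
ESTAB 0 0 192.0.2.10:41236 192.0.2.1:53 users:(("someapp",pid=3000,fd=50))
EOF

# Stand-alone run: the leaky table is expected to fail the check.
classify_dns_conns "$SAMPLE_SS"
dns_leak_check "$SAMPLE_SS"
dns_leak_check "$SAMPLE_LEAK" || true
```

On a real host, run `sudo ss -ntp > conns.txt` and pass that file to dns_leak_check; UDP queries are not listed by `ss -ntp`, so a full audit also needs `ss -nup` or the Wireshark capture described above.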