Ade Malsasa Akbar contact
Senior author, Open Source enthusiast.
Thursday, April 21, 2022 at 23:21

Today we increasingly see the importance of privacy and security in computing, and that includes our browsing activity, which now needs protection more than before. This tutorial will help you enable DNS over TLS (DoT) on Ubuntu using the Quad9 service. DoT is an alternative to DNSCrypt or DoH that helps prevent anybody from wiretapping or hijacking the lookups of the websites you visit in your web browser. This feature is already built into Ubuntu 22.04 LTS Jammy Jellyfish, so there is no additional software to install.



Overview

We will enable system-wide encryption of DNS queries on Ubuntu. This means all applications, including the web browser and chat messengers, are protected without individual setup in each of them. The difference from DoH is that the queries are carried over plain TLS (on port 853) instead of HTTPS, hence the name DNS over TLS (DoT). The feature is part of systemd-resolved, which comes preinstalled on Ubuntu. Lastly, we would love to thank Quad9, the free secure DNS provider we picked here.


Configure Systemd-Resolved

Step 1. Edit /etc/systemd/resolved.conf and add the following single line of text under the [Resolve] section. With the value yes, systemd-resolved refuses to fall back to plaintext DNS when the TLS connection fails (the value opportunistic would fall back silently, which defeats the purpose of this tutorial).

DNSOverTLS=yes

Step 2. Save the file and continue to the next step.


Configure Network Manager

It's quickest to configure this by clicking through Network Manager:

Step 1. Click the Wi-Fi icon at the top of the screen.

Step 2. Click Wi-Fi Settings.

Step 3. Click the gear icon next to the Wi-Fi network you use daily.

Step 4. Enter the two IPv4 addresses of the Quad9 DNS servers.

9.9.9.9, 149.112.112.112

Step 5. Enter the two IPv6 addresses of Quad9 as well, if you use IPv6.

2620:fe::fe, 2620:fe::9

Step 6. Save the configuration and continue to the next step.


Restart the Services

Restarting your computer is the easiest way; otherwise, run the two commands below. Continue to the next step after that.

$ sudo systemctl restart systemd-resolved
$ sudo systemctl restart NetworkManager


Testing

There are three ways to test this new configuration. 

Option 1 uses the Terminal and Firefox at the same time. Open your Terminal and run sudo tcpdump -i any -n port 853 (tcpdump's -i flag takes an interface name, so the capture filter port 853 must come after it), then open Firefox and visit www.ubuntubuzz.com. tcpdump should display many packets going to and from the Quad9 addresses on port 853, the DoT port, rather than plaintext DNS on port 53.

Option 2 is to visit a website that can test your DNS security. In Quad9's case, visit https://on.quad9.net. The page will say "YES" if your configuration is correct, otherwise "NO".

Option 3, the clearest way, is to visit any website you previously could not visit in your country because it was blocked, wiretapped or hijacked at the DNS level. For example, in Indonesia we can now visit reddit.com.
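To see what the traffic on port 853 from Option 1 actually is, here is an added Python example (not from the original article or from Quad9) that makes one DNS-over-TLS query to 9.9.9.9 by hand: a DNS message with the 2-byte length prefix that DoT requires, sent inside a TLS session whose certificate is verified against the system CA store. It assumes dns.quad9.net is the name on Quad9's certificate and uses a fixed transaction id for readability.

```python
import socket
import ssl
import struct

QUAD9 = ("9.9.9.9", 853)          # Quad9 address and the DoT port (853) used in the tutorial
QUAD9_TLS_NAME = "dns.quad9.net"  # assumed: the name Quad9's TLS certificate is checked against

def build_query(name, txid=0x1234):
    """DNS A query in wire format, with the 2-byte length prefix RFC 7858 (DoT) requires."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, pos):
    while True:                        # offset just past a (possibly compressed) domain name
        length = msg[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += length + 1

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response; raises on a non-zero RCODE."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name):
    """Send one query to Quad9 over TLS; the default context verifies the chain and the name."""
    ctx = ssl.create_default_context()
    with socket.create_connection(QUAD9, timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=QUAD9_TLS_NAME) as tls:
        reply = tls.makefile("rb")                       # DoT frames replies with a 2-byte length too
        length = struct.unpack("!H", reply.read(2))[0]
        return parse_a_records(reply.read(length))
```

Calling resolve_over_tls("www.ubuntubuzz.com") while tcpdump from Option 1 is running shows exactly one TLS session to 9.9.9.9:853 and nothing on port 53.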


Browse the Internet 

Finally, you can now surf the web with peace of mind. Please bear in mind that security is a fast-moving field, and when this article becomes obsolete sooner or later you should find another way to secure your internet access. Thank you and see you next time!

(Visiting /r/Ubuntu is now okay!)




This article is licensed under CC BY-SA 3.0.