DNS Privacy and Security on Fedora
This is a short guide on how to set up DNS privacy on Fedora Workstation. It shows how to set up the stubby DNS-over-TLS (DoT) stub resolver, which encrypts and authenticates queries to the upstream resolver, and dnsmasq in front of it to cache resolved DNS queries.
In the future this will be simpler, once Fedora enables systemd-resolved.
Install stubby and dnsmasq:
$ sudo dnf install dnsmasq getdns-stubby
Configure stubby to resolve queries over DNS-over-TLS using the upstream Cloudflare 1.1.1.1 servers and to listen on local port 5300 (port 53 is left for dnsmasq). The important line is tls_authentication: GETDNS_AUTHENTICATION_REQUIRED: stubby checks the upstream's certificate against tls_auth_name, and because TLS is the only transport listed it never falls back to cleartext DNS if the TLS connection fails:
$ sudo tee /etc/stubby/stubby.yml <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
# TLS only: no fallback to cleartext UDP/TCP
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Verify the upstream certificate against tls_auth_name; fail closed otherwise
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries to a multiple of 128 bytes so their size reveals less
tls_query_padding_blocksize: 128
# Do not send our subnet to the upstream (EDNS Client Subnet)
edns_client_subnet_private: 1
# Keep the TLS session open for 10 s between queries
idle_timeout: 10000
# Local listeners; dnsmasq forwards here
listen_addresses:
  - 127.0.0.1@5300
  - 0::1@5300
# 0 = stay on the first working upstream instead of rotating through them
round_robin_upstreams: 0
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"
EOF
Configure dnsmasq to listen only on loopback, cache answers and use stubby as its only upstream. Note that dnsmasq does not pass the AD (Authenticated Data) flag from its upstream on to clients unless proxy-dnssec is set, so without it no local client can see that Cloudflare validated an answer; relaying the flag is acceptable here because the path to Cloudflare is TLS-authenticated. If you would rather validate locally, use dnsmasq's dnssec option together with a trust-anchor instead of proxy-dnssec:
$ sudo tee /etc/dnsmasq.conf <<'EOF'
# Serve only local clients: loopback address and interface, bound explicitly
listen-address=127.0.0.1
interface=lo
bind-interfaces
# Do not read upstreams from /etc/resolv.conf; stubby is the only one
no-resolv
cache-size=32768
# Forward everything to stubby (DNS-over-TLS) on port 5300
server=127.0.0.1#5300
# Relay the upstream's AD flag so clients can see DNSSEC validation status
proxy-dnssec
EOF
Enable and start stubby and dnsmasq:
$ sudo systemctl enable --now stubby
$ sudo systemctl enable --now dnsmasq
Update your NetworkManager settings to use 127.0.0.1 as your DNS server. NetworkManager cannot be pointed at a specific port, so the server it talks to is dnsmasq on the standard port 53, which in turn forwards to stubby on port 5300. Also set the connection to ignore the DNS servers offered by DHCP (ipv4.ignore-auto-dns and ipv6.ignore-auto-dns in nmcli terms); otherwise NetworkManager keeps writing them into /etc/resolv.conf next to 127.0.0.1 and queries can still leave the machine in cleartext.
Verify that DNSSEC is validated using one of:
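A check for this step, added here as an example and not part of the original guide: the script below classifies dig output by response status and AD flag, runs that against a signed zone and the public, deliberately broken test zone dnssec-failed.org, lists stubby's TLS sessions on port 853, and carries out the NetworkManager change from the previous step with nmcli. It assumes dig (bind-utils), nmcli and ss are installed for the live parts; the sample dig output it ships with is constructed, not captured. If dnsmasq runs without proxy-dnssec and without validating itself, the signed zone reports unvalidated because dnsmasq strips the AD flag: the answer is still correct, but clients cannot tell.

```shell
#!/bin/sh
# Added example, not from the original guide: check what the local resolver
# chain (NetworkManager -> dnsmasq:53 -> stubby:5300 -> 1.1.1.1:853) delivers.
# Assumes `dig`, `nmcli` and `ss` exist for the live checks; the parser below
# is exercised on constructed sample output so the script also runs offline.

# Classify a `dig` answer by its status and AD (Authenticated Data) flag:
#   validated   NOERROR/NXDOMAIN with AD set: a validating resolver vouched for it
#   unvalidated NOERROR/NXDOMAIN without AD: nobody validated, or dnsmasq
#               dropped the flag (what you see without proxy-dnssec)
#   rejected    SERVFAIL: a validating resolver refused the answer (expected
#               for a zone with a bad signature)
#   other       timeout, REFUSED, ...
dnssec_verdict() {
  out=$1
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case $status in
    NOERROR|NXDOMAIN)
      case " $flags " in
        *' ad '*) echo validated ;;
        *)        echo unvalidated ;;
      esac ;;
    SERVFAIL) echo rejected ;;
    *)        echo other ;;
  esac
}

# Live check against a resolver: a signed zone must come back validated and
# dnssec-failed.org (deliberately bad signature) must be refused.
# Returns non-zero if either expectation fails.
check_resolver() {
  server=${1:-127.0.0.1}
  good=$(dnssec_verdict "$(dig @"$server" +dnssec cloudflare.com A 2>&1)")
  bad=$(dnssec_verdict "$(dig @"$server" +dnssec dnssec-failed.org A 2>&1)")
  printf 'signed zone (cloudflare.com):    %s\n' "$good"
  printf 'broken zone (dnssec-failed.org): %s\n' "$bad"
  [ "$good" = validated ] && [ "$bad" = rejected ]
}

# Show that the upstream leg really is DNS-over-TLS: right after a query,
# stubby should hold TCP sessions to 1.1.1.1/1.0.0.1 on port 853
# (they close after idle_timeout).
dot_connections() {
  ss -tn state established '( dport = :853 )'
}

# Point a NetworkManager connection at dnsmasq on 127.0.0.1:53 (NetworkManager
# cannot target port 5300) and stop it from also using DHCP/RA-supplied
# resolvers, which would otherwise remain in /etc/resolv.conf as cleartext
# fallbacks. Connection name is whatever `nmcli connection show` lists.
nm_use_local_resolver() {
  con=$1
  nmcli connection modify "$con" \
    ipv4.dns 127.0.0.1 ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes
  nmcli connection up "$con"
}

# Constructed dig output (not captured from a real resolver) so the parser
# can be exercised offline; the flags line is where the AD bit appears.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf 'sample validated:   %s\n' "$(dnssec_verdict "$SAMPLE_VALIDATED")"
printf 'sample unvalidated: %s\n' "$(dnssec_verdict "$SAMPLE_UNVALIDATED")"
printf 'sample bogus:       %s\n' "$(dnssec_verdict "$SAMPLE_BOGUS")"

# Live checks only on request (needs dig, network access and the resolvers
# from the guide running): CHECK_LIVE=1 sh dns-check.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
  check_resolver "${RESOLVER:-127.0.0.1}"
  dot_connections
fi
```

Run it once before pointing NetworkManager at dnsmasq (RESOLVER=127.0.0.1#5300 is not understood by dig, so use `dig -p 5300 @127.0.0.1` by hand to test stubby alone) and once after; the broken zone must be refused in both cases, since Cloudflare validates upstream and a SERVFAIL is passed through regardless of the AD flag.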
References:
- https://1.1.1.1/
- https://dnsprivacy.org/
- https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
- https://fedoraproject.org/wiki/Changes/systemd-resolved
- https://wiki.archlinux.org/index.php/Stubby
- https://wiki.archlinux.org/index.php/Systemd-resolved
- https://wiki.gnome.org/Projects/NetworkManager
- https://www.dnssec.net/