Erik Rigtorp

DNS Privacy and Security on Fedora

This is a short guide on how to set up DNS privacy on Fedora Workstation. It shows how to set up the stubby DNS-over-TLS (DoT) stub resolver and dnsmasq to cache the resolved DNS queries.

In the future this will be simpler when Fedora enables systemd-resolved.

Install stubby and dnsmasq:

$ sudo dnf install dnsmasq getdns-stubby

Configure stubby to resolve queries over TLS using the upstream Cloudflare 1.1.1.1 servers and to listen on localhost port 5300:

$ sudo tee /etc/stubby/stubby.yml <<EOF
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
    - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
    - 127.0.0.1@5300
    - 0::1@5300
round_robin_upstreams: 0
upstream_recursive_servers:
    - address_data: 1.1.1.1
      tls_auth_name: "cloudflare-dns.com"
    - address_data: 1.0.0.1
      tls_auth_name: "cloudflare-dns.com"
    - address_data: 2606:4700:4700::1111
      tls_auth_name: "cloudflare-dns.com"
    - address_data: 2606:4700:4700::1001
      tls_auth_name: "cloudflare-dns.com"
EOF

Configure dnsmasq to cache queries and to use stubby (127.0.0.1 port 5300) as its only upstream resolver:

$ sudo tee /etc/dnsmasq.conf <<EOF
listen-address=127.0.0.1
interface=lo
bind-interfaces
no-resolv
cache-size=32768
server=127.0.0.1#5300
EOF

Enable stubby and dnsmasq:

$ sudo systemctl enable stubby && sudo systemctl start stubby
$ sudo systemctl enable dnsmasq && sudo systemctl start dnsmasq

Update your NetworkManager settings to use 127.0.0.1 port 5300 as your DNS server.
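The two configuration files above are where this setup is most easily weakened without anything visibly breaking: a `GETDNS_AUTHENTICATION_NONE`, a stray UDP transport or a missing `no-resolv` all keep name resolution working while quietly sending queries in plaintext or without certificate validation. The script below is an added example, not part of the original guide or of stubby/dnsmasq: it audits config text for the settings the guide depends on. The config snippets embedded in it are constructed copies of the guide's files plus deliberately weakened variants; `192.0.2.53` is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a stubby.yml and a
# dnsmasq.conf for the settings the guide depends on, and flag the weakenings
# that silently undo DNS-over-TLS. All config text below is constructed inline
# so the script runs without the real files installed.

# Constructed copy of the guide's stubby settings (the secure baseline).
STUBBY_GOOD='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
    - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
listen_addresses:
    - 127.0.0.1@5300
upstream_recursive_servers:
    - address_data: 1.1.1.1
      tls_auth_name: "cloudflare-dns.com"'

# Constructed weakened variant: UDP added as a fallback transport, certificate
# authentication downgraded to NONE, listening on every interface, and an
# upstream with no tls_auth_name to authenticate against.
STUBBY_WEAK='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
    - GETDNS_TRANSPORT_TLS
    - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
    - 0.0.0.0@5300
upstream_recursive_servers:
    - address_data: 1.1.1.1'

# Constructed copy of the guide's dnsmasq.conf.
DNSMASQ_GOOD='listen-address=127.0.0.1
interface=lo
bind-interfaces
no-resolv
cache-size=32768
server=127.0.0.1#5300'

# Constructed weakened variant: no-resolv is missing, so /etc/resolv.conf
# servers would also be used, and a plaintext upstream (192.0.2.53, a
# documentation-range placeholder) was added next to stubby.
DNSMASQ_WEAK='listen-address=127.0.0.1
cache-size=32768
server=127.0.0.1#5300
server=192.0.2.53'

# check_stubby CONFIG_TEXT: returns 0 if the DoT settings are intact, 1 otherwise.
check_stubby() {
    cfg=$1; rc=0
    # Any non-TLS transport lets getdns fall back to plaintext DNS.
    if printf '%s\n' "$cfg" | grep -Eq 'GETDNS_TRANSPORT_(UDP|TCP)'; then
        echo "stubby: plaintext transport in dns_transport_list" >&2; rc=1
    fi
    # Without REQUIRED, the upstream certificate is not validated.
    if ! printf '%s\n' "$cfg" | grep -Eq '^tls_authentication: *GETDNS_AUTHENTICATION_REQUIRED'; then
        echo "stubby: tls_authentication is not REQUIRED" >&2; rc=1
    fi
    # Each upstream needs a tls_auth_name, otherwise there is nothing to authenticate.
    upstreams=$(printf '%s\n' "$cfg" | grep -c 'address_data:' || true)
    names=$(printf '%s\n' "$cfg" | grep -c 'tls_auth_name:' || true)
    if [ "$upstreams" -ne "$names" ]; then
        echo "stubby: $upstreams upstreams but $names tls_auth_name entries" >&2; rc=1
    fi
    # The stub should answer on loopback only, not serve the whole network.
    if printf '%s\n' "$cfg" | grep -Eq '^ *- *(0\.0\.0\.0|::)@'; then
        echo "stubby: listening on all interfaces" >&2; rc=1
    fi
    return $rc
}

# check_dnsmasq CONFIG_TEXT: returns 0 if every query is forced through stubby.
check_dnsmasq() {
    cfg=$1; rc=0
    if ! printf '%s\n' "$cfg" | grep -qx 'no-resolv'; then
        echo "dnsmasq: no-resolv missing, /etc/resolv.conf servers would be used" >&2; rc=1
    fi
    # Every server= line must point at the stubby listener and nothing else.
    if printf '%s\n' "$cfg" | grep '^server=' | grep -vq '^server=127\.0\.0\.1#5300$'; then
        echo "dnsmasq: an upstream other than stubby is configured" >&2; rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -qx 'listen-address=127\.0\.0\.1'; then
        echo "dnsmasq: not bound to 127.0.0.1" >&2; rc=1
    fi
    return $rc
}

# report CHECK CONFIG_TEXT LABEL: print a one-line verdict per audit.
report() {
    if "$1" "$2"; then echo "$3: OK"; else echo "$3: FAIL"; fi
}

report check_stubby "$STUBBY_GOOD" "stubby (guide config)"
report check_stubby "$STUBBY_WEAK" "stubby (weakened)"
report check_dnsmasq "$DNSMASQ_GOOD" "dnsmasq (guide config)"
report check_dnsmasq "$DNSMASQ_WEAK" "dnsmasq (weakened)"
```

To audit the installed files instead of the embedded samples, call `check_stubby "$(cat /etc/stubby/stubby.yml)"` and `check_dnsmasq "$(cat /etc/dnsmasq.conf)"`. This complements the daemons' own syntax checks (`stubby -i` and `dnsmasq --test`), which accept a syntactically valid file that is nevertheless weak. The resulting chain is client, then dnsmasq on 127.0.0.1 (its default port 53), then stubby on 127.0.0.1 port 5300, then Cloudflare over TLS; every hop before the TLS session stays on loopback.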

Verify that DNSSEC is validated using one of:
