DNS-over-TLS with Unbound on OpenSUSE
Please read the whole guide before starting because you may lose internet connection during the process and be unable to return to the guide.
DNS-over-TLS (DoT) is a modern standard for encrypted DNS requests. This enhances user privacy, prevents censorship, and generally helps make the web safer. It is a fairly new standard and not yet a common option on most systems.
There is also DNS-over-HTTPS (DoH) which is a separate standard that uses the HTTPS port 443 instead of the DNS port 53. You can read more about the difference here.
There are a number of ways to provide DoT support on your machine, the approach I will be using is running an local DNS server on your own machine and using that as your system’s DNS. The local server connects to the remote server via DoT. In this guide I will be using the Unbound DNS server.
This guide was specifically created for OpenSUSE. It may work on other distributions but if so that is entirely accidental. I have tested and used this on OpenSUSE Tumbleweed snapshot 20190822 but it should work on Leap 15.1 as well.
This guide also assumes that you are using NetworkManager and not Wicked. If you are using Wicked make sure to read the note in Step 3.
0. Choose a DNS provider
There are a number of DNS providers that support DNS-over-TLS such as Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8
However I recommend using NextDNS for the expanded features and control that it provides. It’s what I am using and what prompted me to start this escapade and then write this guide.
However for the purposes of this guide I will be using Cloudflare’s 1.1.1.1 as
an example. Anywhere you see 1.1.1.1 or cloudflare-dns.com you can replace
it with the appropriate IP and domain.
1. Install and Start Unbound
On OpenSUSE this is a simple
sudo zypper in unboundOr you could use the YaST software GUI.
Then you have to enable and start Unbound. This can be done at once with:
sudo systemctl enable --now unboundAnd Unbound should be running!
2. Configure Unbound
The config file is located at /etc/unbound/unbound.conf. It contains detailed
comments explaining each option, but I am going to omit those for space. I do
suggest reading them so you understand what is happening more fully.
Here are the options that need to be set specifically. The rest can be left the way they are.
server:
access-control: 127.0.0.0/8 allow
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
# This option is not present in the config by default
tls-cert-bundle: /etc/ssl/ca-bundle.pem
remote-control:
control-enable: no
forward-zone:
name: "."
forward-tls-upstrem: yes
# These are for Cloudflare
# replace with the proper IP and Domain
forward-addr: 1.1.1.1#cloudflare-dns.com
forward-addr: 1.0.0.1#cloudflare-dns.comDomain
The first section defines the options for the Unbound server itself. The first
three lines allow only the local device to access via IPv4 (127.0.0.1) and
IPv6 (::1). The fourth line is not present in the default unbound.conf but
is very important since it sets the location of the TLS certificates that are
needed for DoT. These are found at /etc/ssl/ca-bundle.pem on OpenSUSE.
The next section is for the Unbound remote control system which we promptly disable.
The final section sets up the forwarding rules that actually perform the DoT
connection to, in this example, CloudFlare. First we define the name of the
domain we are forwarding, in this case we are using the special . name which
means “all domains”. We then set Unbound to forward TLS. The last lines are the
most important since they point Unbound to the provider’s DNS servers. These are
in the format IP#domain which is a bit confusing because the domains look like
a comment, but they are part of the configuration and are very important since
that is what defines the domain the TLS certificate is for. Without the domains
it is not DNS-over-TLS.
3. Set your system to use the DNS
If you are using the Wicked network system skip to step 3.3
There are a lot of different configuration options and files related to system
DNS settings, and they’re all a bit of a confusing mess revolving around the
/etc/resolv.conf file.
When using NetworkManager this becomes even more complicated. So there are two approaches from here3:
3.1 Only use local DNS
The first approach is to disable NetworkManager from editing resolv.conf and
then edit that file manually. This only allows us to use the local DNS
server and DNS settings cannot be set-per connection, but it does make it the
new default across all interfaces
To do this edit /etc/NetworkManager/NetworkManager.conf and add the following
to the main section.
[main]dns=nonerc-manager=unmanaged
then you have to delete /etc/resov.conf since it is now a possibly invalid
symlink.
sudo rm /etc/resolv.confand create it again with the following content:
nameserver 127.0.0.1
nameserver ::1This will set your system to only use the local name server you setup earlier.
3.2 Per-Connection DNS settings
The other approach is to configure the DNS settings for each connection
individually. This can be done easily from the NetworkManager GUI by going to
the IPv4 tab and setting the “Method” to “Automatic (Only Addresses)” and adding
127.0.0.1 to the DNS Servers list, then repeating this for the IPv6 tab but
setting the address to ::1.
With this approach you have to set this manually for each connection, but you get greater control since you can have different settings for each connection.
3.3 SysConfig DNS (optional)
This is required if you are using the Wicked network driver.
An additional step you can (and probably should) do is set the DNS servers in
the SysConfig. You can either edit the /etc/sysconfig/network/config file
directly or use the YaST SysConfig editor.
In either case you are looking for the key NETCONFIG_DNS_STATIC_SERVERS and
you want to set it to the value 127.0.0.0 ::1. Notice the space, that’s what
separates the addresses. This of course points the system to use the local DNS
server.
If you are using the Wicked network system then your DNS servers should have
automatically updated in the YaST Network settings module under the
“Hostname/DNS” tab. If they haven’t add 127.0.0.1 and ::1 in the “Name
Server” boxes.
4. Finish Up
Now that your system has been configured you can just restart and away you go! If restarting is not an option run the following command to restart the necessary services:
sudo systemctl restart systemd-resolved networkAlternative Options
- Use Stubby instead of Unbound
- Use Cloudflared for DNS-over-HTTPS
- Use Firefox’s built in DNS-over-HTTPS support