DoT with Unbound on OpenSUSE
Please read the whole guide before starting because you may lose internet connection during the process and be unable to return to the guide.
DNS-over-TLS (DoT) is a modern standard for encrypted DNS requests. This enhances user privacy, prevents censorship, and generally helps make the web safer. It is a fairly new standard and not yet a common option on most systems.
There are a number of ways to provide DoT support on your machine. The approach I will be using is running a local DNS server on your own machine and using that as your system’s DNS. The local server connects to the remote server via DoT. In this guide I will be using the Unbound DNS server.
This guide was specifically created for OpenSUSE. It may work on other distributions but if so that is entirely accidental. I have tested and used this on OpenSUSE Tumbleweed snapshot 20190822 but it should work on Leap 15.1 as well.
This guide also assumes that you are using NetworkManager and not Wicked. If you are using Wicked make sure to read the note in Step 3.
0. Choose a DNS provider
However I recommend using NextDNS for the expanded features and control that it provides. It’s what I am using and what prompted me to start this escapade and then write this guide.
However for the purposes of this guide I will be using Cloudflare’s 22.214.171.124 as an example. Anywhere you see cloudflare-dns.com you can replace it with the appropriate IP and domain.
1. Install and Start Unbound
On OpenSUSE this is a simple
sudo zypper in unbound
Or you could use the YaST software GUI.
Then you have to enable and start Unbound. This can be done at once with:
sudo systemctl enable --now unbound
And Unbound should be running!
2. Configure Unbound
The config file is located at /etc/unbound/unbound.conf. It contains detailed comments explaining each option, but I am going to omit those for space. I do suggest reading them so you understand what is happening more fully.
Here are the options that need to be set specifically. The rest can be left the way they are.
server:
    access-control: 127.0.0.0/8 allow
    access-control: 127.0.0.1/32 allow_snoop
    access-control: ::1 allow_snoop
    # This option is not present in the config by default
    tls-cert-bundle: /etc/ssl/ca-bundle.pem
remote-control:
    control-enable: no
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # These are for Cloudflare
    # replace with the proper IP and Domain
    forward-addr: 126.96.36.199#cloudflare-dns.com
    forward-addr: 188.8.131.52#cloudflare-dns.com
The first section defines the options for the Unbound server itself. The first three lines allow only the local device to access the server via IPv4 (127.0.0.1) and IPv6 (::1). The fourth line is not present in the default config but is very important since it sets the location of the TLS certificates that are needed for DoT. These are found at /etc/ssl/ca-bundle.pem on OpenSUSE.
The next section is for the Unbound remote control system which we promptly disable.
The final section sets up the forwarding rules that actually perform the DoT connection to, in this example, Cloudflare. First we define the name of the domain we are forwarding; in this case we are using the special "." name, which means “all domains”. We then set Unbound to forward over TLS. The last lines are the most important since they point Unbound to the provider’s DNS servers. These are in the format IP#domain, which is a bit confusing because the domains look like a comment, but they are part of the configuration and are very important since that is what defines the domain the TLS certificate is for. Without the domains it is not DNS-over-TLS.
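One way to check a finished config for the three things this section depends on: the certificate bundle, TLS forwarding in each forward-zone, and a #domain on every forward-addr. This is an added example, not part of the original guide; the names lint_unbound_dot and sample_conf, the 192.0.2.x addresses and dns.example.net are made up for illustration, and it assumes one "key: value" pair per line.

```shell
#!/bin/sh
# Added example (not from the guide): lint an unbound.conf for DoT forwarding.
# Assumes one "key: value" pair per line, as in the config above.
lint_unbound_dot() {    # usage: lint_unbound_dot [FILE]  (stdin if no FILE)
    awk '
    function end_zone() {
        if (in_fz && !tls) {
            print "forward-zone " name ": forward-tls-upstream is not yes"
            bad++
        }
        in_fz = 0
    }
    # A "#" starts a comment only at line start or after whitespace;
    # glued to a value (IP#name) it is part of the value.
    { sub(/^#.*/, ""); sub(/[ \t]#.*/, "") }
    NF == 0 { next }
    NF == 1 && $1 ~ /:$/ {              # clause header such as "server:"
        end_zone()
        if ($1 == "forward-zone:") { in_fz = 1; tls = 0; name = "(unnamed)" }
        next
    }
    $1 == "tls-cert-bundle:" { bundle = 1 }
    in_fz && $1 == "name:" { name = $2 }
    in_fz && $1 ~ /^forward-(tls|ssl)-upstream:$/ && $2 == "yes" { tls = 1 }
    in_fz && $1 == "forward-addr:" && $2 !~ /#./ {
        print "forward-addr " $2 ": no #name, certificate name is not checked"
        bad++
    }
    END {
        end_zone()
        if (!bundle) { print "server: tls-cert-bundle is not set"; bad++ }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: placeholder addresses, second forwarder lacks its #name.
sample_conf() {
    cat <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/ca-bundle.pem
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.1#dns.example.net
    forward-addr: 192.0.2.2
EOF
}
sample_conf | lint_unbound_dot || echo "config needs fixing before relying on DoT"
```

Run it as lint_unbound_dot /etc/unbound/unbound.conf; it prints one line per finding and returns non-zero if there are any.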
3. Set your system to use the DNS
If you are using the Wicked network system, skip to step 3.3.
There are a lot of different configuration options and files related to system DNS settings, and they’re all a bit of a confusing mess revolving around the /etc/resolv.conf file. When using NetworkManager this becomes even more complicated. So there are two approaches from here:
3.1 Only use local DNS
The first approach is to disable NetworkManager from editing /etc/resolv.conf and then edit that file manually. This only allows us to use the local DNS server, and DNS settings cannot be set per-connection, but it does make it the new default across all interfaces.
To do this edit /etc/NetworkManager/NetworkManager.conf and add the following to the main section.
Then you have to delete /etc/resolv.conf since it is now a possibly invalid
sudo rm /etc/resolv.conf
and create it again with the following content:
nameserver 127.0.0.1
nameserver ::1
This will set your system to only use the local name server you set up earlier.
3.2 Per-Connection DNS settings
The other approach is to configure the DNS settings for each connection individually. This can be done easily from the NetworkManager GUI by going to the IPv4 tab and setting the “Method” to “Automatic (Only Addresses)” and adding 127.0.0.1 to the DNS Servers list, then repeating this for the IPv6 tab but setting the address to ::1.
With this approach you have to set this manually for each connection, but you get greater control since you can have different settings for each connection.
3.3 SysConfig DNS (optional)
This is required if you are using the Wicked network driver.
An additional step you can (and probably should) do is set the DNS servers in
the SysConfig. You can either edit the
directly or use the YaST SysConfig editor.
In either case you are looking for the key
you want to set it to the value
127.0.0.0 ::1. Notice the space, that’s what
separates the addresses. This of course points the system to use the local DNS
If you are using the Wicked network system then your DNS servers should have
automatically updated in the YaST Network settings module under the
“Hostname/DNS” tab. If they haven’t add
::1 in the “Name
4. Finish Up
Now that your system has been configured you can just restart and away you go! If restarting is not an option run the following command to restart the necessary services:
sudo systemctl restart systemd-resolved network
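After the restart, a quick way to confirm that nothing in resolv.conf bypasses the local Unbound instance, whichever of the approaches in step 3 you used. This is an added example, not part of the original guide; the names non_local_nameservers and sample_resolv and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): list resolv.conf nameservers that are not
# loopback. glibc moves on to later entries when the first one times out, so a
# leftover router address after 127.0.0.1 still receives plaintext queries.
non_local_nameservers() {   # usage: non_local_nameservers [FILE], "-" = stdin
    awk '
    /^[#;]/ { next }                    # comment lines
    $1 == "nameserver" && NF >= 2 {
        addr = $2
        sub(/%.*/, "", addr)            # drop an IPv6 zone id such as %lo
        if (addr ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/ || addr == "::1") next
        print addr
        leak = 1
    }
    END { exit (leak + 0) }' "${1:-/etc/resolv.conf}"
}

# Constructed sample: a DHCP-supplied router address left in second place.
sample_resolv() {
    printf '%s\n' '# constructed sample' 'search lan' \
        'nameserver 127.0.0.1' 'nameserver 192.168.1.1' 'nameserver ::1'
}
sample_resolv | non_local_nameservers - || echo "^ these resolvers bypass Unbound"
```

With no argument the function reads /etc/resolv.conf; an empty result and a zero exit status mean every listed resolver is loopback.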
- Use Stubby instead of Unbound
- Use Cloudflared for DNS-over-HTTPS
- Use Firefox’s built in DNS-over-HTTPS support