DNS-over-TLS with Unbound on OpenSUSE

tags: guide, infra, linux

Please read the whole guide before starting because you may lose internet connection during the process and be unable to return to the guide.

DNS-over-TLS (DoT) is a modern standard for encrypted DNS requests. This enhances user privacy, prevents censorship, and generally helps make the web safer. It is a fairly new standard and not yet a common option on most systems.

There is also DNS-over-HTTPS (DoH) which is a separate standard that uses the HTTPS port 443 instead of the DNS port 53. You can read more about the difference here.

There are a number of ways to provide DoT support on your machine. The approach I will be using is to run a local DNS server on your own machine and use that as your system’s DNS; the local server connects to the remote server via DoT. In this guide I will be using the Unbound DNS server.

This guide was specifically created for OpenSUSE. It may work on other distributions but if so that is entirely accidental. I have tested and used this on OpenSUSE Tumbleweed snapshot 20190822 but it should work on Leap 15.1 as well.

This guide also assumes that you are using NetworkManager and not Wicked. If you are using Wicked make sure to read the note in Step 3.

0. Choose a DNS provider

There are a number of DNS providers that support DNS-over-TLS, such as Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8.

However I recommend using NextDNS for the expanded features and control that it provides. It’s what I am using and what prompted me to start this escapade and then write this guide.

However for the purposes of this guide I will be using Cloudflare’s 1.1.1.1 as an example. Anywhere you see 1.1.1.1 or cloudflare-dns.com you can replace it with the appropriate IP and domain.

1. Install and Start Unbound

On OpenSUSE this is a simple

sudo zypper in unbound

Or you could use the YaST software GUI.

Then you have to enable and start Unbound. This can be done at once with:

sudo systemctl enable --now unbound

And Unbound should be running!

2. Configure Unbound

The config file is located at /etc/unbound/unbound.conf. It contains detailed comments explaining each option, but I am going to omit those for space. I do suggest reading them so you understand what is happening more fully.

Here are the options that need to be set specifically. The rest can be left the way they are.

server:
    access-control: 127.0.0.0/8 allow
    access-control: 127.0.0.1/32 allow_snoop
    access-control: ::1 allow_snoop

    # This option is not present in the config by default
    tls-cert-bundle: /etc/ssl/ca-bundle.pem

remote-control:
    control-enable: no

forward-zone:
    name: "."
    forward-tls-upstream: yes

    # These are for Cloudflare
    # replace with the proper IP and Domain
    forward-addr: 1.1.1.1#cloudflare-dns.com
    forward-addr: 1.0.0.1#cloudflare-dns.com

The first section defines the options for the Unbound server itself. The three access-control lines allow only the local device to access it via IPv4 (127.0.0.1) and IPv6 (::1). The tls-cert-bundle line is not present in the default unbound.conf but is very important, since it sets the location of the CA certificates that are needed to validate the DoT connection. These are found at /etc/ssl/ca-bundle.pem on OpenSUSE.

The next section is for the Unbound remote control system which we promptly disable.

The final section sets up the forwarding rules that actually perform the DoT connection to, in this example, Cloudflare. First we define the name of the domain we are forwarding; in this case we are using the special . name, which means “all domains”. We then set Unbound to forward over TLS. The last lines are the most important, since they point Unbound to the provider’s DNS servers. These are in the format IP#domain, which is a bit confusing because the domains look like a comment, but they are part of the configuration and are very important since that is what defines the domain the TLS certificate is checked against. Without the domains it is not DNS-over-TLS.
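As an added check (example code written for this guide, not part of the original post or of Unbound itself), here is a small Python linter for the subset of unbound.conf syntax used above. It flags the mistakes the text warns about: a missing tls-cert-bundle, forward-tls-upstream not set to yes, a misspelled option, and a forward-addr without the #domain part. SAMPLE_CONF is a constructed input built from the Cloudflare values above; the option names and the IP[@port][#authname] address format are Unbound's own.

```python
import re
# Unbound treats '#' as a comment only at line start or after whitespace, so the
# '#authname' glued onto a forward-addr value is data, not a comment.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")
_ADDR_RE = re.compile(r"^[0-9A-Fa-f:.]+(@\d+)?(#(?P<name>\S+))?$")  # IP[@port][#authname]
_FWD_KEYS = {"name", "forward-addr", "forward-host", "forward-first", "forward-tls-upstream",
             "forward-ssl-upstream", "forward-no-cache"}

def parse_unbound_conf(text):
    """Split unbound.conf into [(section, [(key, value), ...]), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:  # "server:", "forward-zone:", ... open a new section
            sections.append((key, []))
        elif sections:
            sections[-1][1].append((key, value))
    return sections

def check_dot_forwarding(text):
    """Return the problems that would leave this config without working DoT."""
    sections = parse_unbound_conf(text)
    server = dict(kv for name, kvs in sections if name == "server" for kv in kvs)
    problems = []
    if "tls-cert-bundle" not in server:
        problems.append("server: tls-cert-bundle missing, upstream certificates cannot be validated")
    for zone in (kvs for name, kvs in sections if name == "forward-zone"):
        opts = dict(zone)
        zname = opts.get("name", "?")
        if opts.get("forward-tls-upstream") != "yes" and server.get("tls-upstream") != "yes":
            problems.append(f"forward-zone {zname}: forward-tls-upstream is not yes, queries leave in plaintext")
        for key, value in zone:
            if key not in _FWD_KEYS:
                problems.append(f"forward-zone {zname}: unknown option {key!r}, unbound-checkconf rejects it")
            elif key == "forward-addr":
                m = _ADDR_RE.match(value)
                if not (m and m.group("name")):
                    problems.append(f"forward-zone {zname}: {value} lacks #authname, the TLS certificate cannot be verified")
    return problems

# Constructed sample using the Cloudflare values from the guide.
SAMPLE_CONF = ('server:\n    tls-cert-bundle: /etc/ssl/ca-bundle.pem\n'
               'forward-zone:\n    name: "."\n    forward-tls-upstream: yes\n'
               '    forward-addr: 1.1.1.1#cloudflare-dns.com\n')

if __name__ == "__main__":
    print("\n".join(check_dot_forwarding(SAMPLE_CONF)) or "DoT forwarding looks correct")
```

To run it against your own file, pass the contents of /etc/unbound/unbound.conf to check_dot_forwarding; unbound-checkconf remains the authoritative syntax check.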

3. Set your system to use the DNS

If you are using the Wicked network system, skip to step 3.3.

There are a lot of different configuration options and files related to system DNS settings, and they’re all a bit of a confusing mess revolving around the /etc/resolv.conf file.

When using NetworkManager this becomes even more complicated. So there are two approaches from here:

3.1 Only use local DNS

The first approach is to stop NetworkManager from editing resolv.conf and then edit that file manually. This only allows us to use the local DNS server and DNS settings cannot be set per connection, but it does make it the new default across all interfaces.

To do this edit /etc/NetworkManager/NetworkManager.conf and add the following to the main section.

[main]
dns=none
rc-manager=unmanaged

Then you have to delete /etc/resolv.conf, since it is now a possibly invalid symlink:

sudo rm /etc/resolv.conf

and create it again with the following content:

nameserver 127.0.0.1
nameserver ::1

This will set your system to only use the local name server you set up earlier.

3.2 Per-Connection DNS settings

The other approach is to configure the DNS settings for each connection individually. This can be done easily from the NetworkManager GUI by going to the IPv4 tab and setting the “Method” to “Automatic (Only Addresses)” and adding 127.0.0.1 to the DNS Servers list, then repeating this for the IPv6 tab but setting the address to ::1.

With this approach you have to set this manually for each connection, but you get greater control since you can have different settings for each connection.

3.3 SysConfig DNS (optional)

This is required if you are using the Wicked network driver.

An additional step you can (and probably should) do is set the DNS servers in the SysConfig. You can either edit the /etc/sysconfig/network/config file directly or use the YaST SysConfig editor.

In either case you are looking for the key NETCONFIG_DNS_STATIC_SERVERS and you want to set it to the value 127.0.0.1 ::1. Notice the space; that’s what separates the addresses. This of course points the system to use the local DNS server.

If you are using the Wicked network system then your DNS servers should have automatically updated in the YaST Network settings module under the “Hostname/DNS” tab. If they haven’t, add 127.0.0.1 and ::1 in the “Name Server” boxes.

4. Finish Up

Now that your system has been configured you can just restart and away you go! If restarting is not an option run the following command to restart the necessary services:

sudo systemctl restart systemd-resolved network

Alternative Options

  • Use Stubby instead of Unbound
  • Use Cloudflared for DNS-over-HTTPS
  • Use Firefox’s built in DNS-over-HTTPS support

Other Resources