Can someone help me set up DNS-over-HTTPS / DNS-over-TLS

Hello,

My goal is to use the Mullvad DNS over HTTPS or DNS over TLS service.
They provide a setup tutorial for Linux using systemd-resolved but I don’t use systemd-resolved - so it’s not applicable to me.


So here is my question: how can I set up DNS over HTTPS or DNS over TLS in an easy way on KDE Plasma?


I found the DNS-over-HTTPS Arch Wiki page but I am already having trouble with one of the first steps (also I don’t know if dns-over-https is the easiest way):

2.2 Change system DNS server

Change your system’s DNS server to an address in the listen = section of the configuration file. If you don’t know what you’re doing, 127.0.0.1 is recommended.

This can be accomplished either through your Network Manager or through editing /etc/resolv.conf.

because Network Manager seems to manage my /etc/resolv.conf file and all manual edits get removed again:

❯ bat /etc/resolv.conf

File: /etc/resolv.conf

# Generated by NetworkManager
search fritz.box
...

Any help and ideas would be appreciated.

Thank you.

To prevent this, you could create a file called dns.conf in /etc/NetworkManager/conf.d with the following content:

[main]
dns=none

Thank you, I’ll give it a try and see how far along I come this time :).

1 Like

Doesn’t this mean that you can also open your Network Manager (connection settings), set “Method” to “Automatic (Only addresses)” and, in the DNS field, just enter 127.0.0.1?

You don’t have to manually edit /etc/resolv.conf.

1 Like

AFAIK, NetworkManager generates or overwrites /etc/resolv.conf if it is not a symlink.
However, I don’t think NetworkManager supports native DoH/DoT, but it can use the third-party systemd-resolved to support DoT.

You do not want systemd-resolved; try to set up unbound for DoT and learn how to configure it.

I came to the same conclusion. Today I spent 5 hours trying to get one of these DNS servers working but without any success. I tried DNS-over-HTTPS, Stubby & Unbound… but I am just way over my head in this and network stuff is definitely not my area of expertise…

I was hoping there would be a basic tutorial with every step explained.

Anyway, thanks for all the help, but I’ll shelve this project for now.

You can always enable DoH at the browser level - very easy to do and definitely better than nothing.

Thanks, I just did that!
Like you said: better than nothing :see_no_evil:.

1 Like

I would have tried cloudflared with a mullvad server.

https://wiki.archlinux.org/title/Cloudflared#Endpoints

2 Likes

EDIT: I edited the post to showcase my working cloudflared.service file.

https://wiki.archlinux.org/title/Cloudflared#Usage

1)


2)

File: /etc/systemd/system/cloudflared.service

[Unit]
Description=DNS over HTTPS proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
# cloudflared binds 127.0.0.1:53, so it needs only CAP_NET_BIND_SERVICE;
# DynamicUser keeps it from running as root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
# --upstream is the DoH endpoint; --address would be the local bind address.
ExecStart=/usr/bin/cloudflared proxy-dns --upstream https://dns.mullvad.net/dns-query

[Install]
WantedBy=multi-user.target

3) start cloudflared.service or reboot

I can’t help you much, because I don’t want to touch my config, I’m running Unbound as my local DNS server.

Where is a DNS resolver to resolve this domain name de-fra-dns-001.mullvad.net?
Try changing this URL to a static IP address with a specific port.

1 Like

Thank you for pointing me in the right direction!

I made a mistake in my /etc/systemd/system/cloudflared.service file :neutral_face:.

After re-reading https://wiki.archlinux.org/title/Cloudflared#Endpoints again:

cloudflared proxy-dns --upstream https://dns.mullvad.net/dns-query works for me.

I was not using the --upstream but the --address option.


Thanks again for all the help that I got from everyone!
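The thread ends up with three files that together make the setup work: the NetworkManager drop-in (dns=none) so resolv.conf is no longer overwritten, a resolv.conf that points at 127.0.0.1, and the cloudflared unit with the DoH URL passed to --upstream rather than --address. The script below is an added example written for this page (it is not from the thread, the Arch wiki or the cloudflared project): it stages all three files under a root directory you choose and then checks them, so the two mistakes discussed above (NetworkManager still writing its own nameserver, and the upstream given to the wrong flag) are caught before a reboot. With root "/" it writes the real layout; with a temp dir it runs without root. The Mullvad URL is the one from the thread; the check functions and their names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the Arch wiki: stage the three files the
# thread converges on (NetworkManager drop-in, resolv.conf pointing at loopback,
# cloudflared unit with --upstream) under a root directory, then check them.
# With root="/" this is the real layout; with a temp dir it runs without root.
set -eu

# Upstream from the thread; any other DoH endpoint URL works the same way.
UPSTREAM="https://dns.mullvad.net/dns-query"

stage_dns_files() {
  local root="$1"
  mkdir -p "$root/etc/NetworkManager/conf.d" "$root/etc/systemd/system"

  # 1) Keep NetworkManager from rewriting /etc/resolv.conf.
  printf '[main]\ndns=none\n' > "$root/etc/NetworkManager/conf.d/dns.conf"

  # 2) Send all system lookups to the local cloudflared stub on 127.0.0.1:53.
  printf 'nameserver 127.0.0.1\n' > "$root/etc/resolv.conf"

  # 3) The unit from the thread. --upstream takes the DoH URL; --address would
  #    be the local bind address (the mix-up the original poster hit).
  cat > "$root/etc/systemd/system/cloudflared.service" <<EOF
[Unit]
Description=DNS over HTTPS proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/cloudflared proxy-dns --upstream $UPSTREAM

[Install]
WantedBy=multi-user.target
EOF
}

# 0 if the resolv.conf at $1 names at least one resolver and all of them are
# loopback; a leftover router address (e.g. fritz.box) makes this fail.
resolv_uses_loopback() {
  local f="$1"
  grep -qE '^nameserver[[:space:]]' "$f" || return 1
  if grep -E '^nameserver[[:space:]]' "$f" | awk '{print $2}' | grep -qvE '^127\.'; then
    return 1
  fi
  return 0
}

# 0 if the unit at $1 starts cloudflared with an https:// --upstream.
unit_has_https_upstream() {
  local f="$1"
  grep -E '^ExecStart=' "$f" | grep -qE -- '--upstream[ =]https://'
}

# Stand-alone run: stage into a temp dir and report, touching nothing real.
if [ "${1:-}" = "--demo" ]; then
  demo_root=$(mktemp -d)
  stage_dns_files "$demo_root"
  resolv_uses_loopback "$demo_root/etc/resolv.conf" && echo "resolv.conf -> loopback: ok"
  unit_has_https_upstream "$demo_root/etc/systemd/system/cloudflared.service" && echo "unit upstream: ok"
  rm -rf "$demo_root"
fi
```

After staging into "/" as root, run `systemctl enable --now cloudflared.service`, then confirm with `ss -lntup | grep ':53 '` that cloudflared is the only listener on port 53 and with `dig @127.0.0.1 mullvad.net` that the stub answers; the checks in the script only validate the files, not that traffic is actually leaving over HTTPS.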

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.