DNS over TLS doesn't seem to work with any IPs other than quad9/cloudflare/google?

Hello

I am experimenting with DNS over TLS.

I configured my system using these instructions:
https://matejamaric.com/blog/dns-over-tls/

I’m testing services from this list:

I’ve tested several of them, such as LibreDNS, NextDNS, Snopyta. They all ping fine.

I can add 1.1.1.1, 9.9.9.9, etc to my /etc/systemd/resolved.conf primary dns… those work fine. But when I use any other service, websites stop loading.

Google, Quad9 and Cloudflare are the only ones that work. Does anyone have any ideas why this might be happening? Thank you

Hey!

Did you check the wiki?

On this computer I enabled DoT only in my web browser's options (not system-wide)…

I’m not the one who can really help you… :confused:

Cheers!

I did check that page (sort of). It doesn’t provide any instructions for systemd-resolved, which is how I have it configured, following the link I posted in my original post.

I guess I could use a different method for system-wide DoT, but this generally seems to work well other than the weird issue I’m having.

I tested Stubby yesterday also, and I had the same issue. NetworkManager was reporting “limited connectivity” any time I tried to use one of these DNS providers … same issue, Google/Quad9/Cloudflare all worked, but the others reported limited connectivity.

Did you try these settings?

Take a look at the following tutorial, I used it to setup my DNS settings and everything works well. Maybe you can find some hints that help you.
https://geekflare.com/linux-server-local-dns-caching/


Yes, except I didn’t use FallbackDNS=127.0.0.1 ::1 … instead I used different DNS provider IPs as the fallback addresses and didn’t include 127.0.0.1 for any of them.

When testing services such as LibreDNS, my config looks like this:

[Resolve]
DNS=116.202.176.26
FallbackDNS=9.9.9.9 1.1.1.1
Domains=~.
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

In KDE, NetworkManager shows “limited connectivity” with a :warning: icon, and sites won’t load. If I swap the values of DNS and FallbackDNS such that DNS is set to 1.1.1.1 and FallbackDNS is set to 116.202.176.26 … everything works. But the other way, it doesn’t work.

EDIT: I’m no longer using KDE, and XFCE doesn’t show the icon or limited connectivity messages in NetworkManager… however the issue is the same.

Everything seems to be set up as described, except I didn’t need to create a manual symlink:

$ cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 127.0.0.53
options edns0 trust-ad

And for good measure, here’s my NetworkManager config:

$ cat /etc/NetworkManager/conf.d/00-use-resolved.conf 
[main]
plugins=keyfile
dns=systemd-resolved
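
A direct probe of the resolver helps separate a server that is unreachable or misbehaving on TCP port 853 (the DNS over TLS port, RFC 7858) from one that systemd-resolved merely refuses to use. The script below is an added example for this thread, not code from the thread, from systemd or from any of the providers named above: it builds one A query in RFC 1035 wire format, sends it over TLS with the 16-bit length framing that TCP transports require, and parses the reply. The address 116.202.176.26 is the LibreDNS address quoted in the config above; the server name dot.libredns.gr used for SNI and certificate checking is an assumption, and example.com is just a constructed query name. Passing a server name makes the script validate the certificate against it, which is the same name the DNS=ip#name syntax in resolved.conf(5) accepts; without one no name check is possible, and the result says so.

```python
"""Minimal DNS-over-TLS probe (added example, not from the thread)."""
import socket
import ssl
import struct
from typing import Optional

DOT_PORT = 853  # DNS over TLS listens on TCP 853 (RFC 7858), not 443


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a DNS query (12-byte header + one question) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame(msg: bytes) -> bytes:
    """Over TCP and TLS every DNS message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, RCODE and any A-record addresses in the answer."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "addresses": addrs}


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS records may deliver the message in pieces."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        data += chunk
    return data


def probe_dot(ip: str, server_name: Optional[str], qname: str = "example.com",
              timeout: float = 5.0) -> dict:
    """Open a TLS session to ip:853, send one query and return the parsed answer."""
    ctx = ssl.create_default_context()
    if server_name is None:  # no name to validate against: record that, don't hide it
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(qname)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            data = _recv_exact(tls, length)
    result = parse_response(data)
    result["cert_verified"] = server_name is not None
    return result


if __name__ == "__main__":
    # 116.202.176.26 is the LibreDNS address from the thread; the name is an assumption.
    print(probe_dot("116.202.176.26", "dot.libredns.gr"))
```

If the TLS handshake itself fails (certificate error, connection refused or a timeout), the problem is between the machine and the resolver and no resolved.conf change will fix it; if the probe returns an address with rcode 0, the resolver is fine over DoT and the fault lies in how systemd-resolved is using it, which is what resolvectl status and the journal for systemd-resolved.service will then show.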

Uh isn’t that your PUBLIC facing IP Address in that post?
You may not want to be sharing that online…

What’s the output of

$ resolvectl status

?

@TOGLK if you’re talking about 116.202.176.26, I guess it’s a public DNS server.

No, that’s LibreDNS’s address.

Below screenshot: With LibreDNS as primary and 9.9.9.9 as fallback, I can’t load anything.

When I change primary to 9.9.9.9 and fallback to LibreDNS, the connection works fine.

The problem is not just LibreDNS; all the ones I’ve tested from the original post fail to work.

Do you

$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager

when you make changes? (Did you check that it’s running properly afterwards by doing systemctl status systemd-resolved.service?)
(And is your port 443 open? …well, I guess so.)

And I think those two addresses don’t need to be erased, as localhost and localhost.localdomain are resolved to those (systemd man page). Not sure if it helps anything though… But you can leave it there, I assume; these are loopback addresses anyway.

What would be the output of
$ cat /etc/systemd/resolved.conf | grep -v '^#'
???

.
Anyway… you should definitely check this “tuto”, and most definitely the comment section.

.

Another way?

Maybe one should just go with something like Stubby… idk…

Because, I don’t know if that’s outdated or not, I didn’t check deeply, but there seem to be (or used to be?) some leaks and/or problems using the systemd resolver service for DNS over TLS.
https://wiki.archlinux.org/title/Talk:Systemd-resolved
https://wiki.archlinux.org/title/Systemd-resolved#DNS_over_TLS
systemd resolved.conf man
https://www.internetsociety.org/fr/blog/2019/01/dns-over-tls-sous-linux-systemd/

.
Btw, if you look at the Arch wiki it says:

Using drop-ins for local configuration is recommended over modifications to the main configuration file

Check the resolved.conf(5) man page.