How to enable DNS-over-TLS and DNSSEC on Solus?

[deleted]

I would like to use DNS-over-TLS and DNSSEC system-wide. The easiest way would be to configure it directly in the router, but that's not possible.

Is there a wiki or recommendation on how to do this in Solus? I tried to set a conf for systemd-resolved as described for Ubuntu, but after that no connection is established at all.

silke

I believe the way to setup systemd-resolved with DNS-over-TLS is as described below.

Create a configuration for systemd-resolved in /etc/systemd/resolved.conf.d/local.conf with the following contents:

[Resolve]
DNSSEC=yes
DNSOverTLS=on
DNS=9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
Domains=~.

This example uses Quad9, but you can use whatever servers you like (that support DNS-over-TLS).

Stop and enable systemd-resolved (it will be started automatically):

sudo systemctl stop systemd-resolved
sudo systemctl enable systemd-resolved

Test if the resolver works:


$ resolvectl query example.com
example.com: 2606:2800:220:1:248:1893:25c8:1946 -- link: wlp0s20f3
             93.184.216.34                     -- link: wlp0s20f3

-- Information acquired via protocol DNS in 155.9ms.
-- Data is authenticated: yes

Finally, create a symlink for /etc/resolv.conf to hand control over to systemd-resolved:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

There is one major caveat: If your local router sends a DNS search domain, that domain will be resolved against your local DNS server. If this server doesn't support DoT, all queries for that domain will fail.

silke

silke I can't edit this in, but the DNS= line should probably be:

DNS=9.9.9.9#dns9.quad9.net 149.112.112.112#dns9.quad9.net 2620:fe::fe#dns9.quad9.net 2620:fe::9#dns9.quad9.net

[deleted]

Thank you for your instructions. Except for the symlink, this is the same procedure for Ubuntu. This means that in the end, no connection can be made with it again.

I searched the forum again and found another thread that describes a similar problem: Which DNS resolver does Solus use by default?

silke

[deleted] what do you mean 'no connection can be made with it'? What output do you get from the resolvectl query command in the instructions?

[deleted]

No DNS queries can be resolved. resolvectl raises the error: resolve call failed: No appropriate name servers or networks for name found

silke

[deleted] What is the output of resolvectl (without any arguments)?

[deleted]

silke resolvectl outputs the following:

Global
LLMNR setting: yes
MulticastDNS setting: yes
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
DNS Servers: ipv4 adress#dns.provider.com
ipv4 adress#dns.provider.com
ipv6 adress#dns.provider.com
Fallback DNS Servers: 1.1.1.1
8.8.8.8
1.0.0.1
8.8.4.4
2606:4700:4700::1111
2001:4860:4860::8888
2606:4700:4700::1001
2001:4860:4860::8844
DNS Domain: ~.

Link 2 (enp12s0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes

Link 3 (wlp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: ipv4 adress router
DNS Servers: ipv4 adress router
ipv6 adress router
DNS Domain: ~.
router.domain

The global configuration seems to be correct, but it is not applied to the WLAN connection. Then the NetworkManager is still interfering, isn't it?

By the way, the IP address of the selected DNS server works with DoH in Firefox - so the error cannot be caused by that.

silke

Hmm, that looks pretty much identical to what I have here.

The global configuration seems to be correct, but it is not applied to the WLAN connection. Then the NetworkManager is still interfering, isn't it?

systemd-resolved is designed to have different DNS servers per connection, so seeing the config for your WLAN connection isn't strange. The global Domains=~. setting should override all local connection setting (except when the domain is something different), though.

You can turn on debug logging to find the issue (Without the symlink, so your DNS works and you have less logging). Edit the service using sudo systemctl edit systemd-resolved and paste the following:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

Now restart the service using sudo systemctl restart systemd-resolved. Try resolvectl query example.com again, and see if there are any apparent issues in the log with sudo journalctl -u systemd-resolved. You're probably looking for something like this:

Transaction 39044 for <example.com IN A> scope dns on eno1.1/*.
Using feature level TLS+EDNS0+D0 for transaction 39044.
Using DNS server <server> for transaction 39044.
Sending query via TCP since UDP isn't supported.
Using feature level TLS+EDNS0+D0 for transaction 39044.
Failed to invoke gnutls_handshake: Error in the push function.
Connection failure for DNS TCP stream: Connection refused

silke

By the way, the IP address of the selected DNS server works with DoH in Firefox - so the error cannot be caused by that.

DoT and DoH are different protocols. Does it work against Quad9?

[deleted]

silke Thank you for your detailed help! It was indeed due to the DNS server used. However, the IP addresses are indeed identical for DoT and DoH, even though they are of course different protocols. Possibly it was because I did not specify port 853. It works now with the other DNS servers.

How do I turn off debug logging for systemd-resolved again? Is it enough to delete the override.conf in /etc/system/systemd-resolved.service.d?

And one last question: is there a difference between the symlink sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf and setting a conf for NetworkManager?

[main]
dns=none
systemd-resolved=false

silke

No problem!

How do I turn off debug logging for systemd-resolved again? Is it enough to delete the override.conf in /etc/system/systemd-resolved.service.d?

Yes! Followed by a sudo systemctl daemon-reload (to reload the systemd config) and sudo systemctl restart systemd-resolved.

And one last question: is there a difference between the symlink sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf and setting a conf for NetworkManager?

The symlink is detected by NetworkManager, which sets dns=systemd-resolved automatically (and systemd-resolved=true is the default). In this case setting the conf to dns=none and systemd-resolved=false might actually be better, as it should avoid the issue with search domains I mentioned earlier.

[deleted]

If you run into connectivity issues (the resolving starts timing out), it's most likely this
https://github.com/systemd/systemd/issues/6490

silke

For anyone still finding this post, there is an open issue for systemd-resolved when both DNSSEC and DNS over TLS are enabled: https://github.com/systemd/systemd/issues/9867

For the time being I don't recommend enabling both, unless you want to restart systemd-resolved periodically.