This guide outlines the steps to secure your DNS traffic on Linux (Fedora/GNOME) using DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNSSEC validation.
Note that for the purposes of this guide, we will use Quad9 as the DNS provider. For more information on DNS providers and their DNSSEC validation support, refer to the Configuration Reference table below or consult their respective websites.
TL;DR
- Change System DNS: Update your NetworkManager settings to use Quad9 IPs.
- Secure the Browser: Enable "Max Protection" DoH in Firefox using the Quad9 endpoint.
- Secure the OS: Edit `/etc/systemd/resolved.conf` to enforce DoT and DNSSEC globally.
- Verify: Use `resolvectl` and `tcpdump` to ensure no plaintext leaks on port 53.
Step 1: Update System DNS (IPv4 & IPv6)
Update your connection settings to use trusted resolvers instead of your ISP's defaults.
- Open GNOME Settings -> Network (or Wi-Fi).
- Click the Cog/Gear icon next to your active connection.
- IPv4 Tab:
  - Turn off Automatic for DNS.
  - Enter: `9.9.9.9, 149.112.112.112`
- IPv6 Tab:
  - Turn off Automatic for DNS.
  - Enter: `2620:fe::fe, 2620:fe::9`
- Click Apply.
Step 2: Configure Firefox (DNS-over-HTTPS)
This ensures the browser's DNS lookups are encrypted and blend in with ordinary HTTPS (port 443) traffic.
- In Firefox, go to Settings -> Privacy & Security.
- Scroll to the bottom to DNS over HTTPS.
- Select Max Protection.
- Set Choose provider to Custom.
- Paste the Quad9 endpoint: `https://dns.quad9.net/dns-query`
- Close the settings tab.
Step 3: Configure systemd-resolved (System-wide DoT)
This protects all terminal commands, background services, and apps that don't have built-in DoH.
- Open the configuration file:

```shell
sudo nano /etc/systemd/resolved.conf
```

- Modify the `[Resolve]` section as follows (uncommenting lines if necessary):

```ini
[Resolve]
# Resolver addresses, each with the hostname used to validate the TLS certificate
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
# No unencrypted fallback resolvers
FallbackDNS=
DNSOverTLS=yes
DNSSEC=yes
# Route every lookup through the servers above
Domains=~.
Cache=yes
```

- Save and exit (`Ctrl+O`, `Enter`, `Ctrl+X`).
- Restart the services:

```shell
# Apply network changes
sudo systemctl restart NetworkManager
# Apply resolver changes
sudo systemctl restart systemd-resolved
```
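As an added example that is not part of the original guide, the following script renders the same `[Resolve]` settings for any list of `IP#hostname` resolvers and installs them as a drop-in under `/etc/systemd/resolved.conf.d/` (a directory systemd-resolved reads in addition to `resolved.conf`), leaving the packaged file untouched. The file name `10-quad9.conf` and the `--install` flag are this script's own choices. It refuses a resolver given without a `#hostname`, because under strict `DNSOverTLS=yes` that name is what resolved uses for SNI and for checking the server certificate.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: render the [Resolve] section
# from Step 3 for any list of "IP#hostname" resolvers and install it as a
# systemd-resolved drop-in. Assumptions: systemd-resolved reads
# /etc/systemd/resolved.conf.d/*.conf (standard systemd behaviour); the file
# name 10-quad9.conf and the --install flag are this script's own choices.
set -u

# Quad9 resolvers as given in the guide. The "#hostname" suffix is what
# systemd-resolved uses for SNI and certificate-name validation in strict mode.
QUAD9_SERVERS='9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net'

# render_resolved_dropin SERVERS
# Prints the drop-in contents to stdout. Returns 1 if any server lacks a
# "#hostname", because without a name resolved cannot check that the
# certificate belongs to the resolver it meant to talk to.
render_resolved_dropin() {
  local servers=$1 s
  for s in $servers; do
    case $s in
      *#?*) ;;
      *) echo "refusing resolver without #hostname: $s" >&2; return 1 ;;
    esac
  done
  printf '[Resolve]\n'
  printf 'DNS=%s\n' "$servers"
  printf 'FallbackDNS=\n'      # no unencrypted fallback if the resolvers are unreachable
  printf 'DNSOverTLS=yes\n'    # strict: never fall back to plaintext port 53
  printf 'DNSSEC=yes\n'        # strict: answers that fail validation are rejected
  printf 'Domains=~.\n'        # route every lookup through these servers
  printf 'Cache=yes\n'
}

# install_resolved_dropin DIR SERVERS
# Writes DIR/10-quad9.conf and prints its path. DIR is a parameter so the
# function can be tried in a temporary directory before touching /etc.
install_resolved_dropin() {
  local dir=$1
  mkdir -p "$dir" || return 1
  render_resolved_dropin "$2" > "$dir/10-quad9.conf" || { rm -f "$dir/10-quad9.conf"; return 1; }
  echo "$dir/10-quad9.conf"
}

# Real installation (run as root), then restart resolved as in Step 3:
#   sudo bash resolved-dropin.sh --install && sudo systemctl restart systemd-resolved
if [ "${1:-}" = "--install" ]; then
  install_resolved_dropin /etc/systemd/resolved.conf.d "$QUAD9_SERVERS"
fi
```

Try it first against a temporary directory (`install_resolved_dropin "$(mktemp -d)" "$QUAD9_SERVERS"`) and inspect the file, then run it with `--install` as root and restart `systemd-resolved`. Keep in mind that `DNSSEC=yes` is strict: a domain whose DNSSEC is broken fails to resolve rather than degrading; `DNSSEC=allow-downgrade` is the lenient setting if that becomes a problem.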
Step 4: Verification Tests
1. Check Global Status
Verify that the protocols are active on your interface:
```shell
resolvectl status
```

Look for `+DNSOverTLS` and `+DNSSEC` under your active link.
2. Verify DNSSEC Authenticated Data
Run a lookup and check for the ad (Authenticated Data) flag:
```shell
dig +dnssec meinard.dev
```

If you see `flags: qr rd ra ad;`, DNSSEC is working. (The `ad` flag only appears for zones that are actually signed; an unsigned domain resolves without it.)
3. Monitor Traffic (The "Leak Test")
Clear your local cache and run a packet capture to ensure no traffic hits port 53.
```shell
# Flush cache
resolvectl flush-caches
# Capture ports 53 (plaintext), 853 (DoT), and 443 (DoH)
sudo tcpdump -i any -n -vvv -c 80 '(port 53 or port 853 or port 443)' > tcpdump_output1.txt 2>&1
```

Run this, then visit a website. Inspect the `tcpdump_output1.txt` file to see the output.
- Success: You only see traffic on 853 or 443.
- Failure: You see traffic on port 53.
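To run the three checks of Step 4 non-interactively (for example against the saved `tcpdump_output1.txt`), here is an added shell script that is not part of the original guide. Each function reads saved command output on stdin and returns 0 (pass) or 1 (fail); the patterns follow the outputs the guide tells you to look for, and the sample lines in the comments and tests are constructed. The port-853 peer check goes beyond the guide; port 443 is deliberately not checked against the resolver list, because ordinary HTTPS browsing also uses 443 and would be flagged.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: the checks of Step 4 as
# shell functions over saved command output, so the leak test can be scripted
# rather than eyeballed. Sample inputs in the comments are constructed.
set -u

# Check 1: `resolvectl status` shows +DNSOverTLS and +DNSSEC on a link, e.g.
#   "Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS +DNSSEC"
link_is_encrypted() {
  local text
  text=$(cat)
  printf '%s\n' "$text" | grep -q '+DNSOverTLS' || return 1
  printf '%s\n' "$text" | grep -q '+DNSSEC' || return 1
}

# Check 2: the `dig +dnssec` header line carries the ad flag, e.g.
#   ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
answer_is_authenticated() {
  grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Check 3: count packets with a port-53 endpoint in the tcpdump capture.
# With -n tcpdump writes "ADDR.53"; without -n it writes "ADDR.domain".
# Prints the count (0 means no plaintext DNS was seen). A constructed leak:
#   "192.168.1.20.41234 > 192.168.1.1.53: 4242+ [1au] A? example.com. (29)"
count_plaintext_dns() {
  grep -Ec '\.(53|domain)[ :>]' || true
}

# Check 4 (beyond the guide): every DoT (port 853) peer in the capture is one
# of the configured resolvers. Args: allowed IPs, space separated; capture on
# stdin. Prints any unexpected peer and returns 1 if one was found.
unexpected_peers() {
  local allowed=$1 bad=0 peer
  # Take the "ADDR.853" after ">" on each flow line, then strip the port.
  for peer in $(grep -Eo '> [0-9a-f.:]+\.853[ :]' | sed -E 's/^> //; s/\.853[ :]$//' | sort -u); do
    case " $allowed " in
      *" $peer "*) ;;
      *) echo "$peer"; bad=1 ;;
    esac
  done
  return $bad
}

# Overall verdict. Args: saved `resolvectl status`, `dig +dnssec` and tcpdump
# output files, plus the allowed resolver IPs.
leak_test_verdict() {
  local status_file=$1 dig_file=$2 capture_file=$3 allowed=$4 leaks
  link_is_encrypted < "$status_file" || { echo "FAIL: link lacks +DNSOverTLS/+DNSSEC"; return 1; }
  answer_is_authenticated < "$dig_file" || { echo "FAIL: no ad flag in dig output"; return 1; }
  leaks=$(count_plaintext_dns < "$capture_file")
  [ "$leaks" -eq 0 ] || { echo "FAIL: $leaks plaintext DNS packet(s) on port 53"; return 1; }
  unexpected_peers "$allowed" < "$capture_file" > /dev/null || { echo "FAIL: DoT session to a non-configured resolver"; return 1; }
  echo "SUCCESS: only encrypted DNS to configured resolvers, DNSSEC validated"
}

# Stand-alone usage with saved outputs:
#   resolvectl status > status.txt; dig +dnssec meinard.dev > dig.txt
#   bash leakcheck.sh status.txt dig.txt tcpdump_output1.txt
if [ $# -eq 3 ]; then
  leak_test_verdict "$1" "$2" "$3" '9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9'
fi
```

The verdict function stops at the first failing check and names it, which is usually more useful than a bare pass/fail when a link has silently fallen back to the ISP resolver after a reconnect.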
You can use the following prompt to have an AI analyze the output file for easier identification of successful/failed tests.
# Role
You are a Senior Network Security Engineer and DNS Specialist.
# Task
Analyze the provided `tcpdump` output to verify that the DNS configuration leaks no plaintext traffic and is successfully using Quad9 for DoT, DoH, and DNSSEC.
# Context & Success Criteria
- **No Leakage:** There must be ZERO traffic hitting Port 53 (Plaintext DNS).
- **Encryption:** Valid DNS traffic should only appear on Port 853 (DNS over TLS) or Port 443 (DNS over HTTPS).
- **Target IPs:** Verify connections are specifically going to Quad9 resolvers: `9.9.9.9` or `149.112.112.112`.
- **DNSSEC:** Look for DNSSEC-related flags (e.g., `DO` bit, `RRSIG`, `DNSKEY`) in the packet metadata if visible.
# Analysis Instructions
1. **Identify Port 53 Traffic:** If any exists, flag it immediately as a "CRITICAL LEAK FAILURE."
2. **Identify Port 853/443 Traffic:** Confirm these sessions are active and directed to Quad9 IPs.
3. **Verdict:** Provide a final status:
- **SUCCESS:** Only encrypted traffic to Quad9 detected.
- **FAILURE:** Plaintext traffic detected or non-Quad9 resolvers used.
# Input Data
[PASTE YOUR tcpdump_output1.txt CONTENT HERE]

Configuration Reference
| Provider | IPv4 | IPv6 | DoH Endpoint |
|---|---|---|---|
| Quad9 | 9.9.9.9 | 2620:fe::fe | https://dns.quad9.net/dns-query |
| Cloudflare | 1.1.1.1 | 2606:4700:4700::1111 | https://cloudflare-dns.com/dns-query |
| Google | 8.8.8.8 | 2001:4860:4827:7700:: | https://dns.google/dns-query |
Reference
Followed this video on YouTube: