How to DNSOverTLS=yes on /etc/systemd/resolved.conf

Ubuntu Server 22.04.4 | Webmin 2.202 | Usermin 2.102 | Virtualmin 7.20.2 | Theme 21.20.7 | Perl 5.034000 | Apache 2.4.52 | Python 3.10.12 | BIND 9.18 | MariaDB 10.6.18 | PHP 8.3.11 | Postfix 3.6.4 | Dovecot 2.3.16 | SpamAssassin 3.4.6 | CSF 14.21 | ClamAV 0.103.11 | OpenSSH 8.9 | OpenSSL 3.0.2 | Certbot 1.21.0 | Logrotate 3.19.0 | NTP 1:4.2.8p15 | Lynis 3.1.1
Package updates [All installed packages are up to date]

Name-based Virtual Hosts share 3 IP addresses (2x IPv4 + 1x IPv6)

The domains and the server have passed all the following tests with absolute success.

hstspreload.org, intodns.com, dnsviz.net, dnssec-analyzer.verisignlabs.com
zonemaster.net, en.internet.nl, www.mail-tester.com, www.hardenize.com
www.mailhardener.com/tools/, easydmarc.com/tools/, www.ssllabs.com

All registry entries (DNS records) work flawlessly for all services: mail, databases, firewall, anti-spam, WordPress, SSH, etc. The server's communication with the outside world works seamlessly, without any error anywhere.

mta-sts, mx, spf, dmarc, dkim, bimi, tlsa, dnssec, dane, rdns

I try to enable the DNSOverTLS=yes option in the resolved.conf file, but every time after restarting systemd-resolved.service, curl, dig and delv don’t return results for terminal queries…

I also tried DNSOverTLS=opportunistic but again to no avail.
Tried enabling DNS=ip_address#hostname as well but no luck with that either.

Could the problem be that my server's DNS works on a name-based basis, because I have to divide the IPs among 3 domains and all the rDNS entries point at the hostname?

Does anyone know how to enable DNSOverTLS?

Why do you believe the DNS servers you’re using offer DNS over TLS? I mean, do they say they do? Most do not, a small few do. ISPs and hosting providers tend to be in the “do not” category. Google is among the few that offers it for their DNS resolvers.

When you enable DNS over TLS in a browser, it uses whatever DNS server they use, it no longer uses your system-configured resolver.

Thank you for the response Joe :slight_smile:

My hosting provider is Contabo… They do not offer DNS over TLS. Right.
I thought that since I manage the DNS records myself, it would be simple and possible to do the DNS resolution on my server, through the IPs I manage…

But it seems I misunderstood…
Then what is the reason for DNSOverTLS to exist in systemd/resolved.conf?

And why doesn’t terminal resolution work even with Google and Cloudflare DNS servers?

DNS=9.9.9.9 1.0.0.1 8.8.8.8
FallbackDNS=149.112.112.112 1.1.1.1 8.8.4.4
DNSOverTLS=yes
DNSSEC=yes

Is it because I have enabled DNSSEC?
The reason I have it enabled is for spam control via postfix.

You can enable DoT or DoH for BIND 9.18, so on newish Ubuntu and Debian. It does not work natively on RHEL9 derivatives and as of now it will not be backported.

Instructions here, for example; they are in German but show the config parameters:

Bind 9.18 mit DoH und DoT – -=Kernel-Error=-

BIND 9 Administrator Reference Manual — BIND 9 9.21.1-dev documentation

But the standard between resolvers and authoritative servers is not used yet.

RFC 9539 - Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS (ietf.org)

If you enable it, then in the future other nameservers may talk to yours with DoT/DoH.

As of right now you can easily enable it client-side from home; Windows and most public DNS services support it.


It is to use DNS over TLS for local name resolution when communicating with the DNS server(s) you use. It is a client-side service.

systemd-resolved is a caching name resolver. It has nothing to do with serving DNS for your domains or Virtualmin (the DNS server in a Virtualmin system is BIND, if you’re hosting DNS locally). systemd-resolved is the DNS resolver your local clients use to look up names on the internet, e.g. for system updates, web requests with curl, etc.

DNSSEC has nothing to do with any of this.

DNSSEC has nothing to do with spam control, either. (DNSSEC is basically useless. We support it, but I don’t use it, and I see no reason to recommend it.)
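The client-side nature of DNSOverTLS is easiest to see by checking the posted settings mechanically. The following is an added example, not code from this thread or from systemd: it parses a [Resolve] section, flags what strict DNSOverTLS needs (each upstream given in the address#server_name form that resolved.conf(5) uses for certificate validation and SNI), warns about the opportunistic mode, and renders a corrected drop-in. The sample config is the one posted above; the server names are the three operators' published DoT names; the function names and the drop-in layout are this example's own assumptions.

```python
"""Audit a systemd-resolved [Resolve] section for strict DNS-over-TLS.

Added example (not from the thread): checks the DNSOverTLS mode, checks that
every upstream carries the address#server_name form resolved.conf(5) uses for
certificate validation and SNI, and renders a corrected drop-in for
/etc/systemd/resolved.conf.d/.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the settings posted in the thread, verbatim.
OP_CONFIG = """\
[Resolve]
DNS=9.9.9.9 1.0.0.1 8.8.8.8
FallbackDNS=149.112.112.112 1.1.1.1 8.8.4.4
DNSOverTLS=yes
DNSSEC=yes
"""

# Published DoT server names of the three operators used above
# (the names their TLS certificates are issued for).
DOT_NAMES = {
    "9.9.9.9": "dns.quad9.net", "149.112.112.112": "dns.quad9.net",
    "1.1.1.1": "cloudflare-dns.com", "1.0.0.1": "cloudflare-dns.com",
    "8.8.8.8": "dns.google", "8.8.4.4": "dns.google",
}

STRICT = {"yes", "true", "1", "on"}
OFF = {"no", "false", "0", "off"}


@dataclass(frozen=True)
class Upstream:
    address: str
    port: Optional[int]
    server_name: Optional[str]


def parse_upstream(token: str) -> Upstream:
    """Parse one DNS= token: address[:port][#server_name]; IPv6 with a port is [addr]:port."""
    name = None
    if "#" in token:
        token, name = token.split("#", 1)
    port = None
    if token.startswith("["):                      # bracketed IPv6, maybe with port
        addr, _, rest = token[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif token.count(":") == 1:                    # IPv4 with explicit port
        addr, port_str = token.split(":")
        port = int(port_str)
    else:                                          # bare IPv4 or bare IPv6
        addr = token
    return Upstream(addr, port, name)


def audit(conf_text: str) -> list:
    """Return findings explaining why strict DoT cannot validate, or why the mode is weak."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("Resolve"):
        return ["no [Resolve] section: systemd-resolved ignores this file"]
    section = cp["Resolve"]
    mode = section.get("DNSOverTLS", "no").strip().lower()
    if mode in OFF:
        return ["DNSOverTLS is off: queries leave in cleartext on port 53"]
    findings = []
    if mode == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: falls back to cleartext and does not "
                        "validate the server certificate, so an on-path party can downgrade it")
    for key in ("DNS", "FallbackDNS"):
        for token in section.get(key, "").split():
            up = parse_upstream(token)
            if mode in STRICT and up.server_name is None:
                findings.append(f"{key} {up.address}: no #server_name, so resolved can only "
                                "check the certificate against the bare address (resolved.conf(5))")
    return findings


def render_strict_dropin(primary, fallback, names=DOT_NAMES) -> str:
    """Render a drop-in with every upstream in address#server_name form."""
    def fmt(addrs):
        return " ".join(f"{a}#{names[a]}" for a in addrs)
    return ("[Resolve]\n"
            f"DNS={fmt(primary)}\n"
            f"FallbackDNS={fmt(fallback)}\n"
            "DNSOverTLS=yes\n"
            "DNSSEC=yes\n")


if __name__ == "__main__":
    for line in audit(OP_CONFIG):
        print("finding:", line)
    print(render_strict_dropin(["9.9.9.9", "1.0.0.1", "8.8.8.8"],
                               ["149.112.112.112", "1.1.1.1", "8.8.4.4"]))
```

Write the rendered text to a file under /etc/systemd/resolved.conf.d/, restart systemd-resolved, then confirm with `resolvectl status` (its Protocols line shows +DNSOverTLS) and `resolvectl query <name>`. The opportunistic branch matters for diagnosis: that mode silently drops to cleartext when the TLS handshake fails, so it can appear to work while encrypting nothing.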

Thanks for the reply mate
I will study the links you sent me extensively.
My understanding so far is that I know nothing about DNS

Yes. Like this it works. True.

Yes, wrong, not for spam control but for SMTP security. OK.

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

I do not agree about DNSSEC. It is important.

  1. Authentication: DNSSEC provides authentication and data integrity of DNS responses, ensuring that the data received from a DNS server is legitimate and has not been tampered with.
  2. Security: DNSSEC helps protect against various DNS-based attacks, such as DNS spoofing, cache poisoning, and man-in-the-middle attacks.
  3. Trust: DNSSEC builds trust in the DNS system, as it ensures that the domain name system is secured and verified, and that users are communicating with the intended server.
  4. Privacy: DNSSEC provides privacy protection by preventing attackers from seeing the domain names being queried by users.
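What the Postfix pair smtp_dns_support_level = dnssec / smtp_tls_security_level = dane actually relies on is a TLSA record published for the MX host under _25._tcp and looked up over DNSSEC. The following is an added example, not code from this thread or from Postfix: it derives the common "3 1 1" TLSA record from a certificate's SubjectPublicKeyInfo, formats and parses the zone line, and checks a peer's certificate material against a published RRset the way a DANE-EE client does. The SPKI and certificate bytes are constructed stand-ins; the owner name, function names and the simplified usable-record rule are this example's assumptions.

```python
"""How the DANE check behind smtp_tls_security_level = dane works.

Added example (not from the thread or from Postfix): derive a TLSA record from
a public key, emit and parse the zone line, and match a peer against an RRset.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a DER SubjectPublicKeyInfo. On a real server the
# bytes come from the MX certificate, e.g.
#   openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
SAMPLE_SPKI = b"\x30\x59\x30\x13" + bytes(range(0x10, 0x65))
SAMPLE_CERT = b"constructed-der-certificate-" + SAMPLE_SPKI   # constructed, not real DER


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (trust anchor in the chain), 3 = DANE-EE (end entity)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

    def zone_line(self, owner: str) -> str:
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching} {self.data.hex()}"


def association_data(material: bytes, matching: int) -> bytes:
    """Certificate association data for one matching type."""
    if matching == 0:
        return material
    if matching == 1:
        return hashlib.sha256(material).digest()
    if matching == 2:
        return hashlib.sha512(material).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_for_spki(spki_der: bytes, usage: int = 3, matching: int = 1) -> TLSA:
    """The usual '3 1 1' record: pins the key hash, so it survives a certificate renewal that keeps the key."""
    return TLSA(usage, 1, matching, association_data(spki_der, matching))


def parse_zone_line(line: str) -> TLSA:
    """Parse '<owner> [IN] TLSA u s m <hex>'; the hex may be split over several fields."""
    fields = line.split()
    idx = fields.index("TLSA")
    usage, selector, matching = (int(f) for f in fields[idx + 1: idx + 4])
    return TLSA(usage, selector, matching, bytes.fromhex("".join(fields[idx + 4:])))


def usable(rec: TLSA) -> bool:
    """Postfix acts only on DANE-TA(2)/DANE-EE(3) records with a known selector and matching type."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.matching in (0, 1, 2)


def peer_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE check: does the peer's end-entity certificate match any usable usage-3 record?

    Usage-2 records are matched against an issuer in the presented chain instead;
    that chain walk is not modelled here, so such records are skipped.
    """
    for rec in records:
        if not usable(rec) or rec.usage != 3:
            continue
        material = cert_der if rec.selector == 0 else spki_der
        if association_data(material, rec.matching) == rec.data:
            return True
    return False


if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."           # assumed MX host name
    current = tlsa_for_spki(SAMPLE_SPKI)
    # Key rollover: publish the next key's record beside the current one before switching.
    rrset = [parse_zone_line(current.zone_line(owner)), tlsa_for_spki(b"constructed-next-key-spki")]
    print(current.zone_line(owner))
    print("peer matches:", peer_matches(rrset, SAMPLE_CERT, SAMPLE_SPKI))
```

The rollover detail in the usage block is the operational point: because the record pins the key hash, a certificate renewal that keeps the key needs no DNS change, while a key change must be announced in DNS (and propagate past the TTL) before the new certificate goes live, or DANE-verifying senders will refuse to deliver.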

It doesn’t provide any useful security feature to SMTP that STARTTLS doesn’t provide more easily.

OK, we’ll agree to disagree. But, I know what all these things do, so… :man_shrugging:

TLS provides an easier method of providing everything you would get from DNSSEC. There is no reason to use DNSSEC today.

BIND server

Ubuntu as a client, see the section Enable DNS over TLS (DoT) in:

https://quantumwarp.com/kb/articles/34-web-server/1016-my-virtualmin-notes