DNS over TLS is a security protocol that forces all connections with DNS servers to be made securely using TLS. This effectively keeps ISPs from seeing what website you’re accessing.
For the GNU/Linux distributions using systemd, you can setup this easily by following the below steps.
First, edit the /etc/systemd/resolved.conf and changed the value of DNSOverTLS as :
Now, configure your DNS servers. You need to use DNS server that support DNS over TLS. Examples are Cloudflare DNS 22.214.171.124 or 126.96.36.199. Google DNS 188.8.131.52 also support it. To configure you can use Network manager graphical interface.
Then restart the systemd-resolved using:
sudo systemctl restart systemd-resolved
You are done. To check whether settings are correctly applied, you can try:
$ resolvectl status
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: opportunistic
If you really want to see how DNS resolution requests are happening, you may use wireshark and inspect port 53 – the usual DNS port. You should not see any traffic on that port. Instead, if you inspect port 853, you can see DNS over TLS requests.