How to setup DNS over TLS using systemd-resolved

DNS over TLS is a security protocol that forces all connections to DNS servers to be made over TLS. This keeps your ISP, or anyone else on the network path, from reading your DNS queries and so from seeing which website names you are looking up.

For GNU/Linux distributions using systemd, you can set this up easily by following the steps below.

First, edit /etc/systemd/resolved.conf and, in its [Resolve] section, set the value of DNSOverTLS to:

DNSOverTLS=opportunistic

Note that opportunistic mode tries TLS first but silently falls back to plain DNS on port 53 if the server does not answer over TLS; set DNSOverTLS=yes instead if you want resolution to fail rather than fall back to plaintext.

Now configure your DNS servers. You need servers that support DNS over TLS, for example Cloudflare DNS at 1.1.1.1 and 1.0.0.1; Google DNS at 8.8.8.8 also supports it. You can set them through the NetworkManager graphical interface.

Then restart systemd-resolved using:

sudo systemctl restart systemd-resolved

You are done. To check whether the settings have been applied correctly, run:

$ resolvectl status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
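As an added example (not part of the original post), the shell script below does the two steps above from a script rather than by hand: it writes a resolved drop-in that enables strict DNS over TLS with Cloudflare, and it parses `resolvectl status` output to check which mode is actually active. The drop-in path and the sample status output are constructed for the demo; the "#cloudflare-dns.com" suffix on the server address is real systemd-resolved syntax that makes it validate the server certificate against that name.

```sh
#!/bin/sh
# Added example, not from the original post. Helpers to configure and verify
# DNS over TLS in systemd-resolved. Run dot_check on a real host with:
#   resolvectl status | sh -c '. ./dot.sh; dot_check'

# Write a strict-mode drop-in to $1 (default: /etc/systemd/resolved.conf.d/dot.conf).
# DNSOverTLS=yes refuses plaintext fallback; an empty FallbackDNS= disables the
# compiled-in fallback servers so only the listed upstreams are ever used.
dot_dropin() {
    out="${1:-/etc/systemd/resolved.conf.d/dot.conf}"
    mkdir -p "$(dirname "$out")" || return 1
    cat > "$out" <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=
DNSOverTLS=yes
EOF
}

# Print the DNSOverTLS mode (yes / opportunistic / no) from the Global section
# of resolvectl output on stdin; per-link sections are ignored. Prints "unknown"
# if the line is missing (older resolved without DoT support).
dot_mode() {
    awk -F': *' '
        /^Global/ { global = 1 }
        /^Link /  { global = 0 }
        global && /DNSOverTLS setting/ { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Exit 0 only for strict mode. Opportunistic mode still falls back to plaintext
# port 53 when the TLS handshake fails, so it is reported as a warning (exit 1).
dot_check() {
    case "$(dot_mode)" in
        yes)           echo "strict DNS over TLS enforced"; return 0 ;;
        opportunistic) echo "WARNING: opportunistic mode, plaintext fallback possible"; return 1 ;;
        *)             echo "DNS over TLS not enabled"; return 2 ;;
    esac
}

# Constructed sample of `resolvectl status` output, matching the post above.
SAMPLE_STATUS='Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
Link 2 (eth0)
  DNSOverTLS setting: yes'

printf '%s\n' "$SAMPLE_STATUS" | dot_check || echo "(exit status $?)"
```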

If you really want to see how DNS resolution requests are being made, use Wireshark to inspect port 53, the usual DNS port: you should not see any traffic there. Inspect port 853 instead and you will see the DNS over TLS requests.