Tag: DOT

  • DNS over TLS with systemd-resolved on Ubuntu 22.04.4 LTS.

    I would prefer my server to use DNS over TLS instead of plain port 53. I did it, and it works really well. Furthermore, I no longer see attacks on port 53 now.

    Use DNS Over TLS (DOT) on generic Linux systems

    So, specifically for Ubuntu 22.04.4 LTS:

    1. Edit /etc/systemd/resolved.conf (shown here with its default, fully commented contents):
    [Resolve]
    DNS=1.1.1.1 1.0.0.1 8.8.8.8
    #FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
    #Domains=
    #LLMNR=yes
    #MulticastDNS=yes
    #DNSSEC=allow-downgrade
    #DNSOverTLS=opportunistic
    #DNSSEC=yes
    #DNSOverTLS=yes
    #Cache=yes
    #DNSStubListener=yes
    #ReadEtcHosts=yes
    

    For Ubuntu 22.04.4 LTS, remove the hash (#) from these highlighted lines in resolved.conf:

    [Resolve]
    DNS=1.1.1.1 1.0.0.1 8.8.8.8
    FallbackDNS=1.1.1.1 8.8.8.10 8.8.8.8
    #Domains=
    #LLMNR=no
    #MulticastDNS=no
    DNSSEC=yes
    DNSOverTLS=yes
    #Cache=yes
    #DNSStubListener=yes
    #ReadEtcHosts=yes
    
    2. Assuming systemd-resolved is enabled, restart the service:
    systemctl restart systemd-resolved.service
    
    3. Use the local stub resolver

    systemd-resolved provides a local DNS stub listener on IP address 127.0.0.53 on the loopback interface, so to use the DNS over TLS capable stub resolver we need to manage /etc/resolv.conf ourselves and make sure 127.0.0.53 is used as the nameserver.

    NOTE: systemd maintains /run/systemd/resolve/stub-resolv.conf for compatibility with traditional Linux programs. We can simply symlink /etc/resolv.conf to this file.

    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

    Done.
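As an added check, not part of the original post, the following Python script parses a resolved.conf, reports whether DNS over TLS is strict, opportunistic or off, and flags resolvers listed without the `address#server_name` form, which is what lets systemd-resolved send SNI and validate the certificate against a hostname (see man resolved.conf). The two sample configs are constructed from the stock and edited files in the steps above.

```python
import configparser

# Constructed samples, taken from the post: the stock Ubuntu 22.04 file
# (every setting commented out) and the edited file with DoT/DNSSEC enabled.
STOCK_CONF = """[Resolve]
#DNS=
#FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8
#DNSSEC=allow-downgrade
#DNSOverTLS=opportunistic
"""
EDITED_CONF = """[Resolve]
DNS=1.1.1.1 1.0.0.1 8.8.8.8
FallbackDNS=1.1.1.1 8.8.8.10 8.8.8.8
DNSSEC=yes
DNSOverTLS=yes
"""

# How resolved.conf's DNSOverTLS= values map to wire behaviour (man resolved.conf).
TLS_MODES = {"yes": "strict", "true": "strict",
             "opportunistic": "opportunistic",
             "no": "plaintext", "false": "plaintext"}

def parse_resolve(text):
    """Effective [Resolve] settings; '#' lines are comments, so they are NOT settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: DNSOverTLS, not dnsovertls
    cp.read_string(text)
    return dict(cp["Resolve"]) if cp.has_section("Resolve") else {}

def audit(text):
    """Classify the DoT posture of a resolved.conf and list what a reviewer should flag."""
    conf = parse_resolve(text)
    mode = TLS_MODES.get(conf.get("DNSOverTLS", "").strip().lower(), "unset")
    dnssec = conf.get("DNSSEC", "unset").strip().lower()
    # DNS= and FallbackDNS= are space-separated; 'addr#name' carries a server name
    servers = list(dict.fromkeys(
        (conf.get("DNS", "") + " " + conf.get("FallbackDNS", "")).split()))
    unnamed = [s for s in servers if "#" not in s]
    findings = []
    if mode != "strict":
        findings.append(f"DNSOverTLS is {mode}: queries may go out in clear on port 53")
    if dnssec != "yes":
        findings.append(f"DNSSEC is {dnssec}: answers are not validated")
    for s in unnamed:
        findings.append(f"{s}: no '#server_name', so no SNI or hostname check on its certificate")
    return {"mode": mode, "dnssec": dnssec, "servers": servers,
            "unnamed": unnamed, "findings": findings}

if __name__ == "__main__":
    for name, text in (("stock", STOCK_CONF), ("edited", EDITED_CONF)):
        result = audit(text)
        print(f"{name}: mode={result['mode']} dnssec={result['dnssec']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a copy of the live file (`audit(open("/etc/systemd/resolved.conf").read())`) after step 1 to confirm the uncommented lines actually took effect before restarting the service.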