I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.

Modern browsers use their buit-in DNS settings which adds to the confusion.

I think this is one area that Linux needs more work and more standardization.

How do you think it should be fixed?

  • redd@discuss.tchncs.de
    link
    fedilink
    arrow-up
    13
    ·
    1 year ago

    That doesn’t help outside of home. When we are in an untrusted network then the DNS mess makes us vulnerable for spoofing attacks.

    • krolden@lemmy.ml
      link
      fedilink
      arrow-up
      11
      arrow-down
      1
      ·
      1 year ago

      Wireguard to home or a vps running a pihole. Block all dns other than over wireguard.

    • samsy@feddit.de
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago
      1. Wireguard
      2. I run my own DoT/DoH server and able to connect it from everywhere. This makes option 1 mostly obsolete.

      PS. And yes, I fucking love to solve captchas. No, I am not a Robot.