DNS Basics

Posted on Apr 5, 2025

Concepts

DNS (Domain Name System) translates human-readable domain names into IP addresses. Without it, we would have to memorize raw IP addresses every time we wanted to locate computers on a network.

DNS records are used to map a domain to an IP address or other data. Common DNS record types include: A (IPv4 address), AAAA (IPv6 address), MX (mail server for the domain), CNAME (alias for another domain name), NS (specifies which server is authoritative for the domain).

Recursive DNS: Finds answers by querying others (e.g. ISP’s DNS).

Authoritative: Stores actual records (e.g. Cloudflare DNS).

Caching: Saves responses for speed (e.g., browser cache).

Configuring DNS in Linux can be done in multiple ways, depending on the purpose:

  • Client-side DNS: for resolving domain names
  • Local DNS caching: to improve performance
  • DNS Server: for managing domain names in a network

On most Linux systems, /etc/resolv.conf is used by programs and libraries (e.g., ping, curl, glibc resolver, or musl’s resolver) to perform DNS lookups. It contains DNS server addresses and other configuration settings. On some systems, tools like systemd-resolved, NetworkManager, or dnsmasq may manage or modify it. Editing this file manually is not recommended because it might get overwritten by other programs.

The Name Service Switch (NSS) in glibc allows system databases (like DNS) to be handled by different services, with the search order configured in /etc/nsswitch.conf. For domain name resolution, the two main services are:

  • files: Uses /etc/hosts for hostname resolution.
  • dns: Uses /etc/resolv.conf for DNS resolution.

DNSSEC, or Domain Name System Security Extensions, is a set of specifications that adds security to the Domain Name System (DNS) by using cryptographic digital signatures to authenticate DNS queries and responses.

DNSCrypt is a protocol that encrypts and authenticates DNS traffic between your computer and a DNS resolver. It prevents DNS spoofing and tampering by using cryptographic signatures to verify that responses come from the intended resolver.

DNSSEC vs DNSCrypt:

  • DNSSEC allows a resolver to verify the records received from authoritative servers; it ensures these records are identical to what whoever controls the zone actually configured.
  • DNSCrypt allows a client to verify the records received from a resolver; it ensures these records are identical to what the resolver sent.

How to

We will see how to properly configure DNS on a Linux system, covering the NetworkManager way and a more secure one using dnscrypt-proxy.

My preferred method of configuring networking on Linux tends to be NetworkManager, as it unifies all network configuration and offers a CLI, TUI, or GUI for simple management of connections, although I find myself mostly using the CLI or TUI.

For example, configuring a DNS server using the NetworkManager CLI ($CON is the name of the connection as listed by nmcli con show):

nmcli con mod "$CON" ipv4.dns "185.222.222.222 45.11.45.11"
nmcli con mod "$CON" ipv4.ignore-auto-dns yes
# bring the connection down and up again so the new DNS settings take effect
nmcli con down "$CON" && nmcli con up "$CON"

As you can see, DNS in NetworkManager CLI is a per-connection configuration.

If you want to set it globally for all connections, you may alter /etc/resolv.conf, but don't forget to lock the file using chattr so NetworkManager does not overwrite it.

For example:

sudo chattr -i /etc/resolv.conf

sudo tee /etc/resolv.conf << EOF
nameserver 185.222.222.222
nameserver 45.11.45.11
EOF

sudo chattr +i /etc/resolv.conf

If you have the possibility, you may also configure the DNS server directly in the router.

If you need to remove DNS settings from a NetworkManager connection:

nmcli con mod "$CON" ipv4.dns ""

How to: Secure DNS

The DNSCrypt implementation most commonly used is dnscrypt-proxy.

Let's fully hand off DNS to dnscrypt-proxy (instead of NetworkManager):

NOTE: This tutorial omits IPv6 configuration for simplicity.

  1. Stop NetworkManager from setting DNS from DHCP; instead, use dnscrypt-proxy as the DNS server

sudo mkdir -p /etc/NetworkManager/conf.d

sudo tee /etc/NetworkManager/conf.d/00-dnscrypt-proxy.conf << EOF
[connection]
# Set static DNS for all connections
ipv4.dns=127.0.0.1

# Ignore DNS servers from DHCP
ipv4.ignore-auto-dns=true
EOF
  2. Configure dnscrypt-proxy

Configuration is located and well documented at: /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Some notable options:

server_names = ['cloudflare'] # https://dnscrypt.info/public-servers
listen_addresses = ['127.0.0.1:53'] # Same as we configured for NetworkManager
dnscrypt_servers = true
doh_servers = true
require_dnssec = true
cache = true

Test it:

dnscrypt-proxy -resolve example.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

  3. Configure resolv.conf

NOTE: the dnscrypt-proxy developer mentions edns0 as a micro-optimization. It refers to EDNS0, the Extension Mechanisms for DNS.

sudo chattr -i /etc/resolv.conf

sudo tee /etc/resolv.conf << EOF
nameserver 127.0.0.1
options edns0
EOF

sudo chattr +i /etc/resolv.conf

  4. Enable the dnscrypt-proxy system service and restart NetworkManager

(systemd)

sudo systemctl enable --now dnscrypt-proxy
sudo systemctl status dnscrypt-proxy

sudo systemctl restart NetworkManager
sudo systemctl status NetworkManager

(runit)

sudo ln -s /etc/sv/dnscrypt-proxy /var/service
sudo sv status dnscrypt-proxy

sudo sv restart NetworkManager
sudo sv status NetworkManager

Test it:

https://dnsleaktest.com/ -> Extended Test

If the results show servers that you have set in the configuration files it means that dnscrypt-proxy is working.
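Beyond the leak-test website, the hand-off can be checked from the box itself. The following is an added example, not code from the original post or from the dnscrypt-proxy project: it inspects the four files the steps above edit (plus the nsswitch.conf lookup order from the Concepts section) for the settings this procedure expects, and parses a dig flags line for the ad bit, which is how you confirm that require_dnssec = true is actually validating answers. All inputs are constructed sample files written to a temporary directory so the script runs offline; the function names and the constructed dig header are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that DNS really has
# been handed off to dnscrypt-proxy by inspecting the files the tutorial edits.
# Every input below is a CONSTRUCTED sample written to a temp dir, so this runs
# offline; on a live host pass the real /etc paths to check_dns_handoff.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

cat > "$DEMO/resolv.conf" << 'EOF'
# constructed sample, mirrors step 3
nameserver 127.0.0.1
options edns0
EOF

cat > "$DEMO/nsswitch.conf" << 'EOF'
passwd: files
hosts:  files dns
EOF

cat > "$DEMO/00-dnscrypt-proxy.conf" << 'EOF'
[connection]
ipv4.dns=127.0.0.1
ipv4.ignore-auto-dns=true
EOF

cat > "$DEMO/dnscrypt-proxy.toml" << 'EOF'
server_names = ['cloudflare'] # https://dnscrypt.info/public-servers
listen_addresses = ['127.0.0.1:53']
require_dnssec = true
cache = true
EOF

# Constructed header line in the shape `dig +dnssec` prints it.
DIG_FLAGS=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# nameserver entries of a resolv.conf-style file (comments ignored)
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# true only if there is at least one nameserver and all are loopback,
# i.e. the libc resolver sends everything to the local dnscrypt-proxy listener
resolv_is_local() {
    resolv_nameservers "$1" | awk '
        { n++ } !/^127\./ && $0 != "::1" { bad = 1 }
        END { exit (bad || n == 0) ? 1 : 0 }'
}

# lookup order NSS uses for the "hosts" database
nss_hosts_order() {
    awk -F: '$1 == "hosts" { sub(/^[ \t]+/, "", $2); print $2 }' "$1"
}

# the NetworkManager drop-in must pin DNS to loopback and drop DHCP servers
nm_dropin_ok() {
    grep -q '^ipv4\.dns=127\.0\.0\.1$' "$1" &&
    grep -q '^ipv4\.ignore-auto-dns=true$' "$1"
}

# value of a top-level `key = value` TOML line, trailing comment removed
toml_value() {
    awk -v key="$2" '$1 == key && $2 == "=" {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*#.*$/, "", v); print v }' "$1"
}

# the proxy must listen where resolv.conf points and refuse unsigned answers
proxy_config_ok() {
    [ "$(toml_value "$1" require_dnssec)" = "true" ] &&
    toml_value "$1" listen_addresses | grep -q "'127\.0\.0\.1:53'"
}

# the "ad" (authenticated data) flag in a dig header means the resolver
# validated the DNSSEC chain for that answer
dnssec_validated() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[; ]'
}

# usage: check_dns_handoff RESOLV NSSWITCH NM_DROPIN TOML; exit 0 only if all pass
check_dns_handoff() {
    rc=0
    resolv_is_local "$1" && echo "ok  resolv.conf points only at loopback" ||
        { echo "BAD resolv.conf nameservers: $(resolv_nameservers "$1" | tr '\n' ' ')"; rc=1; }
    case " $(nss_hosts_order "$2") " in
        *" dns "*) echo "ok  nsswitch hosts order: $(nss_hosts_order "$2")" ;;
        *) echo "BAD nsswitch.conf: hosts line does not use dns"; rc=1 ;;
    esac
    nm_dropin_ok "$3" && echo "ok  NetworkManager drop-in pins 127.0.0.1 and ignores DHCP DNS" ||
        { echo "BAD NetworkManager drop-in"; rc=1; }
    proxy_config_ok "$4" && echo "ok  dnscrypt-proxy listens on 127.0.0.1:53 with require_dnssec" ||
        { echo "BAD dnscrypt-proxy.toml"; rc=1; }
    return $rc
}

check_dns_handoff "$DEMO/resolv.conf" "$DEMO/nsswitch.conf" \
    "$DEMO/00-dnscrypt-proxy.conf" "$DEMO/dnscrypt-proxy.toml"
dnssec_validated "$DIG_FLAGS" && echo "ok  dig header carries the ad flag (DNSSEC validated)"
```

On a real host, run check_dns_handoff /etc/resolv.conf /etc/nsswitch.conf /etc/NetworkManager/conf.d/00-dnscrypt-proxy.conf /etc/dnscrypt-proxy/dnscrypt-proxy.toml, and feed dnssec_validated the flags line from dig +dnssec example.com; a missing ad flag with require_dnssec = true means the proxy is not the resolver actually answering.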


Troubleshooting

Inspect DNS server settings with:

nmcli con show "$CON" | grep -i dns
cat /etc/resolv.conf

Stop dnsmasq:

(systemd)

sudo systemctl stop dnsmasq

(runit)

sudo sv stop dnsmasq

Test with:

drill example.com
dig example.com
nslookup example.com

Best practices

  1. Use Trusted Resolvers: Opt for privacy-focused services.
  2. Avoid Manual /etc/resolv.conf Edits: Let NetworkManager handle it to prevent conflicts.
  3. Secure DNS: Enable DNS-over-TLS in NetworkManager or use dnscrypt-proxy
  4. Monitor: Use sudo tcpdump -n port 53 to inspect raw DNS traffic.
  5. Always make a backup of the files you change in case something fails. A simple copy like file to file.orig works 99% of the time.
  6. “drill if you can, dig if you have to, nslookup if you must”
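For the tcpdump item above, here is an added example (not from the original post) that turns the raw capture into a leak check: after the dnscrypt-proxy hand-off, the only plaintext port-53 packets on the host should be between local clients and 127.0.0.1, so any port-53 packet with a non-loopback endpoint is a query or answer that went around the proxy. The capture lines are constructed in the shape tcpdump -n port 53 prints for IPv4; dns_leaks, count_dns_leaks and leak_resolvers are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original post: flag plaintext DNS that
# bypasses the local dnscrypt-proxy listener. The capture below is CONSTRUCTED
# in the format `tcpdump -n port 53` prints for IPv4 (IPv6 lines start with
# "IP6" and are ignored here, matching the tutorial's IPv4-only scope).
SAMPLE_CAPTURE='12:00:01.000100 IP 127.0.0.1.51000 > 127.0.0.1.53: 4321+ A? example.org. (29)
12:00:01.000200 IP 127.0.0.1.53 > 127.0.0.1.51000: 4321 1/0/0 A 93.184.216.34 (45)
12:00:02.000000 IP 192.168.1.10.41234 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:02.000500 IP 192.168.1.10.41235 > 8.8.8.8.53: 12346+ AAAA? example.net. (30)
12:00:03.000000 IP 192.168.1.10.55000 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0'

# Read tcpdump lines on stdin; print port-53 packets where either endpoint is
# NOT loopback. Those are queries (or answers) that did not go through the proxy.
dns_leaks() {
    awk '
        function host(a) { sub(/\.[0-9]+$/, "", a); return a }   # strip trailing ".port"
        function port(a) { sub(/^.*\./, "", a); return a }       # keep only the port
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (port(src) != "53" && port(dst) != "53") next          # not DNS at all
            if (host(src) ~ /^127\./ && host(dst) ~ /^127\./) next    # client <-> local stub, expected
            print
        }'
}

# number of leaked packets on stdin (0 is the goal)
count_dns_leaks() {
    dns_leaks | awk 'END { print NR }'
}

# the upstream resolvers that were reached in plaintext, one per line
leak_resolvers() {
    dns_leaks | awk '
        { src = $3; dst = $5; sub(/:$/, "", dst)
          if (dst ~ /\.53$/)      { sub(/\.53$/, "", dst); print dst }
          else if (src ~ /\.53$/) { sub(/\.53$/, "", src); print src } }' | sort -u
}

printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks
echo "leaked packets: $(printf '%s\n' "$SAMPLE_CAPTURE" | count_dns_leaks)"
echo "plaintext resolvers reached: $(printf '%s\n' "$SAMPLE_CAPTURE" | leak_resolvers | tr '\n' ' ')"
```

On a live host, sudo tcpdump -n -l port 53 | dns_leaks prints offenders as they happen; a non-empty result after the hand-off usually means a program with its own hard-coded resolver, a container, or a stray dnsmasq instance, which is what the Troubleshooting section above stops.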

Next steps

  • Local DNS Server.
  • Use Ansible (or another infrastructure tool) to deploy DNS settings across servers.
  • Explore more about DNSSEC, zone files, and reverse DNS.

Resources