PublicDNS.info Live-tested public DNS
Retested every 72 hours.

DNS-over-TLS on Linux (systemd)

Protect your DNS queries from ISP monitoring and tampering by enabling encrypted DNS (DoT) on Linux (systemd-resolved). This guide walks you through each step with real settings and menu paths.


Why Enable Encrypted DNS on Linux (systemd-resolved)?

By default, DNS queries are sent in plain text over port 53 (UDP, with TCP for large answers). This means your ISP, network administrator, or anyone on the same network path can see every domain you look up and can rewrite the answers. Encrypted DNS addresses this by wrapping the query in TLS, either directly or inside HTTPS, so the resolver is authenticated and the exchange cannot be read or altered in transit.

  • DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS on port 443, the same port used for web traffic. A network cannot block it by port alone; it has to block the known resolver endpoints, and it can still tell which resolver you use from the TLS handshake (the SNI).
  • DNS-over-TLS (DoT) sends DNS queries encrypted via TLS on port 853. It is a dedicated protocol that is easier for network admins to manage but may be blocked on some networks.

This guide shows you how to configure DoT on Linux (systemd-resolved).

Step-by-Step Setup Instructions

Follow these steps to enable encrypted DNS on Linux (systemd-resolved):

  1. Check systemd-resolved status
    Open a terminal and run: systemctl status systemd-resolved. If it is not running, enable it with: sudo systemctl enable --now systemd-resolved. This service is available on most modern Linux distributions including Ubuntu, Fedora, and Arch Linux.
  2. Edit the resolved configuration
    Open the configuration file with: sudo nano /etc/systemd/resolved.conf. Find the [Resolve] section (or add it if missing).
  3. Configure DNS servers
    Add or modify these lines under [Resolve]:

    DNS=1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one
    FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net

    The format is IP#hostname. The hostname is sent as the TLS server name (SNI) and the server's certificate is validated against it; if you omit it, strict mode validates the certificate against the bare IP address, which only works for providers whose certificate includes that address. Note that FallbackDNS is not a secondary resolver: systemd-resolved only uses it when no DNS servers are known at all, neither from DNS= nor from any network link.
  4. Enable DNS-over-TLS
    Add the line:

    DNSOverTLS=yes

    This enforces strict DNS-over-TLS: every query goes over TLS to the configured server and the certificate is validated, so if the TLS connection fails the lookup fails rather than falling back to plaintext. DNSOverTLS=opportunistic tries TLS first and falls back to unencrypted port 53 if the server does not answer on 853. Opportunistic mode also does not authenticate the server, so an on-path attacker can read the traffic or simply force the downgrade. Use strict mode unless you must keep resolution working on networks that block port 853.
  5. Enable DNSSEC validation
    Add the line:

    DNSSEC=yes

    systemd-resolved then validates DNSSEC signatures itself, so a forged or poisoned answer for a signed zone is rejected instead of cached. This is independent of DoT: TLS protects the path to the resolver, DNSSEC protects the data the resolver hands back. Strict validation breaks lookups on networks whose resolvers strip DNSSEC records (common behind captive portals); DNSSEC=allow-downgrade keeps resolution working there, at the cost of letting an attacker switch validation off.
  6. Restart and verify
    Restart the service: sudo systemctl restart systemd-resolved. Verify with: resolvectl status. Recent systemd versions print a Protocols line containing +DNSOverTLS and DNSSEC=yes/supported; older versions print "DNSOverTLS setting: yes". Your configured servers should be listed in the Global section. Then run: resolvectl query example.com and check the trailer for "Data was acquired via local or encrypted transport: yes" (newer systemd versions only). Finally, confirm that /etc/resolv.conf contains nameserver 127.0.0.53; it should normally be a symlink to /run/systemd/resolve/stub-resolv.conf. If it lists any other address, applications resolve around systemd-resolved and none of the settings above apply to them.

After configuring encrypted DNS, flush the cache with resolvectl flush-caches and test the configuration. A DNS leak test site only tells you which resolver answered, not how the query travelled; to confirm the transport, run sudo tcpdump -ni any 'port 53 and not host 127.0.0.53' while browsing. It should stay silent (traffic to the stub on 127.0.0.53 is expected, traffic to any other address on port 53 is a leak), while port 853 connections to your configured servers appear in ss -tnp.
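Putting steps 2 to 6 together, the following is an added example script, not code from PublicDNS.info or from the systemd project. It writes the strict-DoT settings as a drop-in instead of editing resolved.conf directly, and carries the verification checks as functions that parse saved command output, so they can be exercised on the constructed sample dumps below without root. The drop-in path /etc/systemd/resolved.conf.d/10-dot.conf is an assumption (any name ending in .conf in that directory is read); the Domains=~. line is explained after the script.

```shell
#!/bin/sh
# Added example (not from the original page or from systemd): install a strict
# DNS-over-TLS drop-in for systemd-resolved and check the resulting state.
# Assumed path: /etc/systemd/resolved.conf.d/10-dot.conf. The status, ss and
# resolv.conf inputs the check functions read are files, so they can be fed
# constructed samples offline or the real command output when run with --apply.
set -u

# Accept an entry in systemd-resolved's "IP#servername" form. Entries without a
# name are rejected: without it strict mode validates the certificate against
# the bare IP, which not every provider's certificate covers.
valid_dot_server() {
  case "$1" in
    ?*#?*) ;;                          # something before and after the '#'
    *) return 1 ;;
  esac
  addr=${1%%#*}
  case "$addr" in
    *[!0-9.]*)                         # not plain IPv4: allow only IPv6-looking text
      case "$addr" in *:*) ;; *) return 1 ;; esac ;;
  esac
  return 0
}

# Print the drop-in for the given servers. Domains=~. makes these global servers
# the preferred resolvers for every name, so DHCP-supplied per-link resolvers
# (which rarely speak DoT) are not consulted.
render_dropin() {
  servers=""
  for s in "$@"; do
    valid_dot_server "$s" || { echo "bad server spec: $s" >&2; return 1; }
    servers="$servers${servers:+ }$s"
  done
  printf '[Resolve]\nDNS=%s\nDomains=~.\nDNSOverTLS=yes\nDNSSEC=yes\n' "$servers"
}

# Return 0 when a saved `resolvectl status` dump (file $1) shows strict DoT and
# DNSSEC on. Newer systemd prints "Protocols: ... +DNSOverTLS DNSSEC=yes/supported",
# older releases print "DNSOverTLS setting: yes" and "DNSSEC setting: yes".
status_is_strict_dot() {
  grep -Eq '\+DNSOverTLS|DNSOverTLS setting: yes' "$1" &&
  grep -Eq 'DNSSEC=yes|DNSSEC setting: yes' "$1"
}

# Return 0 when a saved `ss -tunH` dump (file $1) has a socket whose peer port is
# 53 and whose peer is not the local stub 127.0.0.53: a plaintext DNS leak that
# bypasses systemd-resolved. Column 6 of ss -tunH is "Peer Address:Port".
plain_dns_leak() {
  awk '$6 ~ /:53$/ && $6 !~ /^127\.0\.0\.53:/ { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Return 0 when resolv.conf-style content (file $1) directs lookups to the stub.
uses_stub_resolver() {
  grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

if [ "${1:-}" = "--apply" ]; then
  # Real run (needs root): install the drop-in, restart, verify, look for leaks.
  mkdir -p /etc/systemd/resolved.conf.d
  render_dropin 1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one \
    > /etc/systemd/resolved.conf.d/10-dot.conf
  systemctl restart systemd-resolved
  resolvectl status > /tmp/resolvectl.txt
  status_is_strict_dot /tmp/resolvectl.txt || echo "WARN: DoT/DNSSEC not active" >&2
  uses_stub_resolver /etc/resolv.conf || echo "WARN: /etc/resolv.conf bypasses resolved" >&2
  resolvectl query example.com > /dev/null    # trigger a lookup so a socket exists
  ss -tunH > /tmp/ss.txt
  plain_dns_leak /tmp/ss.txt && echo "WARN: plaintext DNS socket found" >&2
fi
```

Run it as root with --apply to install and check; without arguments it only defines the functions. The Domains=~. line matters on laptops: NetworkManager and DHCP hand systemd-resolved a per-link resolver for every connection, and in strict mode those per-link servers are tried over TLS too, with the certificate checked against an address that typically has none, so lookups routed to them fail. Routing everything to the global servers sidesteps that.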

Recommended Encrypted DNS Providers

These providers support encrypted DNS and are compatible with Linux (systemd-resolved):

Provider     Primary IP     Secondary IP      DoH URL                                DoT Hostname
Cloudflare   1.1.1.1        1.0.0.1           https://cloudflare-dns.com/dns-query   one.one.one.one
Google       8.8.8.8        8.8.4.4           https://dns.google/dns-query           dns.google
Quad9        9.9.9.9        149.112.112.112   https://dns.quad9.net/dns-query        dns.quad9.net
Mullvad      194.242.2.2    194.242.2.3       https://dns.mullvad.net/dns-query      dns.mullvad.net

Verify Your Encrypted DNS Setup

After configuring encrypted DNS on Linux (systemd-resolved), run our DNS Privacy Check to verify your queries are encrypted and your ISP cannot see your DNS traffic.



Frequently Asked Questions

Which Linux distributions support DNS-over-TLS via systemd-resolved?

Most modern Linux distributions support DNS-over-TLS in systemd-resolved. systemd 239 added opportunistic mode; strict mode (DNSOverTLS=yes) and the IP#hostname server syntax used in this guide arrived in systemd 243. That covers Ubuntu 19.10+, Fedora 31+, Debian 11+, Arch Linux, openSUSE Tumbleweed, and many others; Ubuntu 18.10 and Debian 10 ship older systemd and get opportunistic mode only. Check your version with: systemctl --version.

What is the difference between strict and opportunistic DNS-over-TLS?

Strict mode (DNSOverTLS=yes) requires TLS for all DNS queries and validates the server certificate; if TLS fails, DNS queries fail entirely. Opportunistic mode (DNSOverTLS=opportunistic) tries TLS first but falls back to unencrypted DNS if TLS is unavailable, and does not authenticate the server, so an on-path attacker can both read the queries and trigger the fallback. Strict mode provides guaranteed privacy but breaks DNS on networks that block port 853.

How do I use DNS-over-HTTPS on Linux instead of DoT?

systemd-resolved supports DoT natively but not DoH. For DoH on Linux, run a local proxy such as cloudflared in its proxy-dns mode or dnscrypt-proxy. These listen on localhost, forward queries over HTTPS, and become the upstream for systemd-resolved: point DNS= at the proxy's loopback listener and set DNSOverTLS=no, since that hop is plaintext on loopback and the proxy does the encryption. Alternatively, use Unbound with DNS-over-TLS forwarding.

Can I use encrypted DNS alongside NetworkManager?

Yes. Configure NetworkManager to use systemd-resolved as its DNS backend by adding dns=systemd-resolved to the [main] section of /etc/NetworkManager/NetworkManager.conf (on most current distributions this is already the default). Then configure DoT in resolved.conf. NetworkManager handles network connections while systemd-resolved handles encrypted DNS resolution. One catch: NetworkManager still passes the DHCP-supplied resolver to systemd-resolved as a per-link server, and in strict mode that server is expected to speak DoT, which it usually does not. Either add Domains=~. under [Resolve] so the global servers are preferred for all lookups, or drop the DHCP servers per connection with nmcli connection modify "<connection name>" ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes.