Configure DNS-over-HTTPS in Linux

To configure DNS-over-HTTPS in Linux, you will need a DoH address prefix from a Virtual Site.

Creating a Virtual Site for Off-Network Clients and DoH Urls

Replace {doh_prefix} with your DoH prefix.

systemd-resolved

/etc/systemd/resolved.conf or /etc/systemd/resolved.conf.d/*.conf

[Resolve]
DNS=142.202.107.1:853#{doh_prefix}.dns.securd.com 142.202.107.2:853#{doh_prefix}.dns.securd.com [2620:82:6000::1]:853#{doh_prefix}.dns.securd.com [2620:82:6000::2]:853#{doh_prefix}.dns.securd.com
DNSOverTLS=yes
Domains=~.

Note: in resolved.conf the port is separated from the address with ":", the Server Name Indication (SNI) name with "#", and an IPv6 address that carries a port must be enclosed in square brackets. The "#" separator is what ties the certificate check to the {doh_prefix}.dns.securd.com name.

Warning: Prior to systemd version 245.2-2, systemd-resolved only validated the DNS server certificate if it was issued for the server's IP address (a rare occurrence). DNS server certificates without an IP address were not checked, making systemd-resolved vulnerable to man-in-the-middle attacks.

unbound 1.8.1 or later (Ubuntu/Debian)

/etc/unbound/unbound.conf

server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 142.202.107.1@853#{doh_prefix}.dns.securd.com
    forward-addr: 142.202.107.2@853#{doh_prefix}.dns.securd.com
    forward-addr: 2620:82:6000::1@853#{doh_prefix}.dns.securd.com
    forward-addr: 2620:82:6000::2@853#{doh_prefix}.dns.securd.com
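Whichever resolver you use, it is worth confirming from the client side that the upstream really is reachable over TLS on port 853 and that its certificate validates for the {doh_prefix}.dns.securd.com name, since that validation is exactly what the systemd-resolved warning above is about. The script below is an added example, not part of the securd documentation or of either resolver: it opens a TLS session with SNI set to the DoT hostname, verifies the certificate against the system CA store, and sends one DNS query in the RFC 7858 length-prefixed framing. The DOH_PREFIX value is a placeholder you must replace with your own prefix.

```python
import socket
import ssl
import struct

DOH_PREFIX = "REPLACE_WITH_YOUR_PREFIX"  # placeholder, take it from your Virtual Site
TXID = 0x1234


def build_query(name, qtype=1, txid=TXID):
    """Build a minimal DNS query in wire format (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(resp, expected_txid=TXID):
    """Return (rcode, answer_count); refuse a reply whose transaction id does not match."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, ancount


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def dot_query(ip, sni, name, port=853):
    """Send one query over DNS-over-TLS, verifying the server certificate for `sni`."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking enabled
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)  # two-byte length prefix
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))


if __name__ == "__main__":
    sni = f"{DOH_PREFIX}.dns.securd.com"
    rcode, answers = dot_query("142.202.107.1", sni, "example.com")
    print(f"rcode={rcode} answers={answers}")
```

A certificate that does not match the SNI name raises ssl.SSLCertVerificationError before any DNS data is exchanged, which is the failure you want to see if someone interposes on the path.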

unbound 1.8.1 or later (Fedora)

/etc/unbound/unbound.conf