Configure DNS-over-HTTPS in Linux
To configure DNS-over-HTTPS in Linux, you will need a DoH address prefix from a Virtual Site. The resolver configurations below use DNS-over-TLS on port 853 and authenticate the server certificate against the {doh_prefix}.dns.securd.com hostname.
See: Creating a Virtual Site for Off-Network Clients and DoH URLs
Replace {doh_prefix} with your DoH prefix.
systemd-resolved
/etc/systemd/resolved.conf or /etc/systemd/resolved.conf.d/*.conf
[Resolve]
DNS=142.202.107.1@853#{doh_prefix}.dns.securd.com 142.202.107.2@853#{doh_prefix}.dns.securd.com 2620:82:6000::1@853#{doh_prefix}.dns.securd.com 2620:82:6000::2@853#{doh_prefix}.dns.securd.com
DNSOverTLS=yes
Domains=~.
Warning: Prior to systemd version 245.2-2, systemd-resolved only validated the DNS server certificate if it was issued for the server's IP address (a rare occurrence). DNS server certificates without an IP address were not checked, making systemd-resolved vulnerable to man-in-the-middle attacks.
unbound 1.8.1 or later (Ubuntu/Debian)
/etc/unbound/unbound.conf
server:
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 142.202.107.1@853#{doh_prefix}.dns.securd.com
forward-addr: 142.202.107.2@853#{doh_prefix}.dns.securd.com
forward-addr: 2620:82:6000::1@853#{doh_prefix}.dns.securd.com
forward-addr: 2620:82:6000::2@853#{doh_prefix}.dns.securd.com
unbound 1.8.1 or later (Fedora)
/etc/unbound/unbound.conf
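To confirm an upstream behaves the way the systemd-resolved and unbound configurations above expect (TLS on port 853, certificate chain and hostname verified against {doh_prefix}.dns.securd.com using the system CA bundle), the following added check script, which is not part of the Securd documentation, opens one DNS-over-TLS session per IPv4 upstream and sends a single query; DOH_PREFIX is a placeholder you must replace, and the query name example.com is an arbitrary choice.

```python
import socket
import ssl
import struct

DOH_PREFIX = "{doh_prefix}"                      # placeholder: substitute your Virtual Site prefix
SERVER_NAME = f"{DOH_PREFIX}.dns.securd.com"     # the name after '#' in the resolver configs
UPSTREAMS = ["142.202.107.1", "142.202.107.2"]   # IPv4 upstreams from the configs above


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035) with the 2-byte length prefix DoT uses (RFC 7858)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)         # QTYPE, QCLASS=IN
    return struct.pack(">H", len(msg)) + msg


def parse_rcode(msg: bytes, txid: int = 0x1234) -> int:
    """Return the RCODE after checking this is a response (QR=1) to our transaction id."""
    rid, flags = struct.unpack(">HH", msg[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf


def check_dot_upstream(ip: str, server_name: str, name: str = "example.com") -> int:
    """Connect like 'ip@853#server_name': TLS on 853, chain AND hostname verified
    against server_name with the system CA bundle; returns the RCODE of one query."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((ip, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(build_query(name))
        (length,) = struct.unpack(">H", _recv_exact(tls, 2))
        return parse_rcode(_recv_exact(tls, length))


if __name__ == "__main__":
    for ip in UPSTREAMS:
        try:
            print(ip, "answered with RCODE", check_dot_upstream(ip, SERVER_NAME))
        except ssl.SSLCertVerificationError as err:
            print(ip, "certificate rejected for", SERVER_NAME, ":", err)
```

A certificate that is not valid for the configured server name fails here with SSLCertVerificationError, which is exactly the check the warning above says older systemd-resolved versions skipped.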