Enhancing Security on Your Ubuntu Server: A Guide to Enabling DNS over HTTPS and DNS over TLS

In an era where online privacy and security are paramount, configuring your Ubuntu server to use DNS over HTTPS (DoH) or DNS over TLS (DoT) can significantly bolster its defenses. Both protocols encrypt DNS traffic between your server and the resolver, offering protection against threats such as malware, forged DNS responses, and DNS spoofing. This article provides a comprehensive guide on how to set up these features on your Ubuntu server.

Choosing the Right DNS Provider for Your Needs

Before diving into the configuration, it’s crucial to select a reliable DNS provider. Numerous reputable options are available, each offering distinct advantages. Here’s a list of some top contenders:

  • Cloudflare DNS: Known for its high speed, strong privacy policies, and solid security features.
  • Google Public DNS: Delivers exceptional performance, robust security measures, and excellent reliability.
  • Quad9 DNS: Focuses on security with features like malware detection, while also prioritizing user privacy.
  • OpenDNS: Offers comprehensive security features, including content filtering and malware protection, enhancing overall safety.

Before proceeding, ensure you create an account with your chosen DNS provider, as you’ll need it to customize your DNS settings.

Step-by-Step Guide to Setting Up DNS over HTTPS (DoH) on Ubuntu Server

Once you’ve selected a DNS provider, initiate an SSH session to your Ubuntu server. The next step is to locate the DNS over HTTPS endpoint URL. Below are the endpoints for some of the top DNS providers:

With your DNS over HTTPS endpoint URL ready, the next step involves installing dnscrypt-proxy, a tool that facilitates the DoH configuration on your Ubuntu server.

Installing dnscrypt-proxy

Log in to your Ubuntu server via SSH and execute the command below to install dnscrypt-proxy:

sudo apt install dnscrypt-proxy

After installation, you’ll need to modify the configuration file. Open it using the Nano text editor:

sudo nano -w /etc/dnscrypt-proxy/dnscrypt-proxy.toml

By default, the resolver is set to Cloudflare. If you prefer a different resolver, adjust the server_names parameter accordingly:

  • Use google for Google DNS,
  • Use quad9 for Quad9,
  • Use opendns for OpenDNS.

To save the changes, press Ctrl + O, and then exit Nano by pressing Ctrl + X.

Finalizing Configuration

With your new configurations in place, restart the dnscrypt-proxy service to apply the changes:

sudo systemctl restart dnscrypt-proxy

You can then use the command below to confirm that your settings are functioning correctly:

sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve google.com

A Simple Approach to Enable DNS over TLS

Setting up DNS over TLS is straightforward in comparison. To begin, edit the /etc/systemd/resolved.conf file using Nano:

sudo nano /etc/systemd/resolved.conf

Next, set the DNS server of your choice and enable DNS over TLS. Below are the configurations for popular DNS providers:

Google DNS

[Resolve]
DNS=8.8.8.8
DNSOverTLS=yes

Cloudflare DNS

[Resolve]
DNS=1.1.1.1
DNSOverTLS=yes

Quad9 DNS

[Resolve]
DNS=9.9.9.9
DNSOverTLS=yes

OpenDNS

[Resolve]
DNS=208.67.222.222
DNSOverTLS=yes

After adding the appropriate configurations, save the file and exit as before. To apply the changes, restart the systemd-resolved service using the command:

sudo systemctl restart systemd-resolved

In some cases, changes may take a moment to take effect. If you experience issues, you can confirm the status of your DNS configuration with:

systemd-resolve --status
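As an added example (not part of the original article), the following shell script audits a resolved.conf file for the settings configured above and flags DNSOverTLS=opportunistic, which silently falls back to plaintext DNS when a TLS connection cannot be established; the sample configurations it writes are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a systemd-resolved
# configuration file for the DNS over TLS settings this guide enables.
# Security point: DNSOverTLS=yes is strict (resolution fails rather than
# downgrading), while DNSOverTLS=opportunistic falls back to unencrypted
# port-53 DNS whenever TLS cannot be established.

# check_resolved_conf FILE
# Returns 0 when the [Resolve] section enables strict DNS over TLS and
# configures at least one DNS= server; returns 1 (printing reasons) otherwise.
check_resolved_conf() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Extract the [Resolve] section, dropping comment and blank lines.
    section=$(sed -n '/^\[Resolve\]/,/^\[/p' "$file" \
        | grep -v '^[[:space:]]*[#;]' | grep -v '^[[:space:]]*$' || true)
    # Collect every DNS= line; for DNSOverTLS= the last assignment wins.
    dns=$(printf '%s\n' "$section" | sed -n 's/^DNS=[[:space:]]*//p' | tr '\n' ' ')
    dot=$(printf '%s\n' "$section" | sed -n 's/^DNSOverTLS=[[:space:]]*//p' | tail -n 1)
    rc=0
    case "$dot" in
        yes|true) ;;
        opportunistic)
            echo "WEAK: DNSOverTLS=opportunistic allows plaintext fallback"; rc=1 ;;
        *)
            echo "MISSING: DNSOverTLS=yes not set (value: '${dot:-none}')"; rc=1 ;;
    esac
    if [ -z "$(printf '%s' "$dns" | tr -d ' ')" ]; then
        echo "MISSING: no DNS= server in [Resolve] section"; rc=1
    else
        echo "DNS servers: $dns"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: strict DNS over TLS enabled"; fi
    return "$rc"
}

# make_sample KIND: write a constructed sample config (strict, opportunistic
# or nodns) to a temporary file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    case "$1" in
        strict)        printf '[Resolve]\nDNS=9.9.9.9\nDNSOverTLS=yes\n' > "$f" ;;
        opportunistic) printf '[Resolve]\n# comment\nDNS=1.1.1.1\nDNSOverTLS=opportunistic\n' > "$f" ;;
        nodns)         printf '[Resolve]\nDNSOverTLS=yes\n' > "$f" ;;
    esac
    echo "$f"
}
```

Run it against the real file with check_resolved_conf /etc/systemd/resolved.conf; to confirm the running state rather than the file, resolvectl status (the successor to systemd-resolve --status on current Ubuntu releases) shows +DNSOverTLS in its Protocols line.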

Conclusion

By following these steps, you can significantly enhance the privacy and security of your Ubuntu server through encrypted DNS queries. Implementing DNS over HTTPS or DNS over TLS not only protects against common online threats but also grants you greater control over your server’s DNS settings. For any further assistance or troubleshooting, feel free to explore additional community resources or reach out to your DNS provider’s support team.

By Alex Reynolds

Tech journalist and digital trends analyst, Alex Reynolds has a passion for emerging technologies, AI, and cybersecurity. With years of experience in the industry, he delivers in-depth insights and engaging articles for tech enthusiasts and professionals alike.