UbuntuUser

Well, after trying a bunch of stuff, including the suggestions made in other answers, what actually tentatively appears to be working is this:

Lines added to /etc/systemd/resolved.conf:

Domains=~.
DNS=9.9.9.9 149.112.112.112
FallbackDNS=1.1.1.1 1.0.0.1
DNSOverTLS=yes
DNSSEC=allow-downgrade

Use the default resolv.conf, which is by default symlinked to

../run/systemd/resolve/stub-resolv.conf

Use the default netplan (no dhcp4-overrides additions!)

Now, if I run sudo tcpdump -ni enp0s10 -p port 53 or port 853, I see no output, whereas if I run sudo tcpdump -ni tun0 -p port 53 or port 853, I see DNS requests going out on port 853. Though, strangely, if I stop tcpdump and then restart it, it sometimes won't show anything, but the DNS requests appear to still work. Rebooting fixes that, but I am not sure why that happens.

If I run resolvectl status I see this:

Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub
  Current DNS Server: 9.9.9.9
         DNS Servers: 9.9.9.9 149.112.112.112
Fallback DNS Servers: 1.1.1.1 1.0.0.1
          DNS Domain: ~.

Link 2 (enp0s10)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: localdomain

Link 3 (tun0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported

Link 4 (wlp5s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported

My suspicion is that it is the Domains=~. in /etc/systemd/resolved.conf that makes the difference. The page at https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd/ is where I found that, and it explains as follows:

Finally, setting ‘Domains’ to ‘~.’ instructs ‘systemd-resolved’ to prefer the specified nameserver over any per-link DNS server that may be available. This is an important setting as otherwise a non-DoT per-link DNS resolver could take precedence over the DoT resolver.

Now, honestly, I don't completely understand that, but in practice it seems to prevent DNS-over-TLS requests from being sent first to my router. It was a case of grasping at straws: I saw this and thought it was worth a try, and it APPEARS to be working.

That said, getting this to work really should not have been this hard! I have spent many hours trying to make this work and just because it worked for me tonight, I would not guarantee it will work for anyone else, particularly if you are running anything other than Ubuntu 22.04 server!

Thank you to everyone who made suggestions! In particular, I thought the approach that modified /etc/netplan/00-installer-config.yaml should have worked, but the minute I added those "dhcp4-overrides:" and "use-dns: false" lines I had no DNS at all, and had to reboot to get it back!
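As an added example that is not part of the answer above and not the answer author's code: a small shell helper that renders the resolved.conf settings the answer settled on and checks the text of resolvectl status for the three properties that make DoT-only resolution hold (DNSOverTLS enabled globally, resolv.conf in stub mode, and the "~." routing domain on the global scope). Writing the settings as a drop-in under /etc/systemd/resolved.conf.d/ is my assumption; the answer edited /etc/systemd/resolved.conf directly, and systemd-resolved reads both. The status text it is checked against is the output pasted in the answer, embedded as a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer. Renders the resolved.conf settings
# from the answer and sanity-checks `resolvectl status` output for the
# properties that make DoT-only resolution hold. Using a drop-in directory
# instead of editing resolved.conf directly is an assumption made here.
set -eu

# Render the [Resolve] settings from the answer as a drop-in file body.
render_resolved_dropin() {
  cat <<'EOF'
[Resolve]
DNS=9.9.9.9 149.112.112.112
FallbackDNS=1.1.1.1 1.0.0.1
Domains=~.
DNSOverTLS=yes
DNSSEC=allow-downgrade
EOF
}

# check_global_dot STATUS_TEXT
# Succeeds (exit 0) only if the Global section of `resolvectl status` shows
# +DNSOverTLS, a stub-mode resolv.conf, and the "~." routing domain. With "~."
# on the global scope, systemd-resolved sends ordinary lookups to the global
# (DoT) servers instead of the per-link, DHCP-supplied plaintext resolver.
# Prints the first failing check so the caller can see what is still wrong.
check_global_dot() {
  local status="$1" global
  # Keep only the Global section: from the "Global" line to the first blank line.
  global=$(printf '%s\n' "$status" | awk '/^Global/{p=1} p&&/^$/{exit} p{print}')
  printf '%s\n' "$global" | grep -q '+DNSOverTLS' \
    || { echo "Global: DNSOverTLS is not enabled"; return 1; }
  printf '%s\n' "$global" | grep -q 'resolv.conf mode: stub' \
    || { echo "Global: resolv.conf is not in stub mode"; return 1; }
  printf '%s\n' "$global" | grep -Eq 'DNS Domain:.*~\.' \
    || { echo "Global: routing domain ~. is missing"; return 1; }
  return 0
}

# links_with_default_route STATUS_TEXT
# Prints the interface name of every link that still carries +DefaultRoute.
# Without Domains=~. these links' DHCP resolvers would serve ordinary lookups
# (enp0s10 with 192.168.1.1 in the answer), so their DNS servers deserve review.
links_with_default_route() {
  printf '%s\n' "$1" | awk '/^Link [0-9]+ \(/{link=$3; gsub(/[()]/,"",link)}
                             /\+DefaultRoute/{print link}'
}

# Usage on a live host (root is needed to write the drop-in):
#   render_resolved_dropin | sudo tee /etc/systemd/resolved.conf.d/dot.conf
#   sudo systemctl restart systemd-resolved
#   check_global_dot "$(resolvectl status)" && echo "DoT-only resolution in place"
#   links_with_default_route "$(resolvectl status)"
```

The checker only inspects the Global section because that is where the "~." routing domain and the DoT flag decide which servers ordinary lookups go to; per-link sections are listed separately so that a link that still advertises +DefaultRoute with a plaintext resolver stands out.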