I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.

Modern browsers use their buit-in DNS settings which adds to the confusion.

I think this is one area that Linux needs more work and more standardization.

How do you think it should be fixed?

  • @hottari@lemmy.ml
    link
    fedilink
    131 year ago

    I don’t think systemd-resolved has support for DNS-over-HTTPS yet but it has support for DNS over TLS which I have used issue free for years now.

    All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.

    DNS is not broken on Linux, your configuration is.

    • lemmyvore
      link
      fedilink
      English
      51 year ago

      All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.

      Not necessarily. Firefox ships with its own DoH enabled out of the box, which uses Cloudflare servers.

      • @hottari@lemmy.ml
        link
        fedilink
        3
        edit-2
        1 year ago

        Then Firefox is broken in this context. It should respect the user’s system DNS settings.

        Edit: You are wrong. The correct answer is somewhere along the lines of borderline confusing and you don’t have to worry about it if everything is working. In my case, it used my DNS provider set by systemd-resolved and not cloudflare but YMMV.

        This is what the default menu for Firefox DNS settings say:

        Enable secure DNS using:
        ...
        Firefox decides when to use secure DNS to protect your privacy.
        Use secure DNS in regions where it’s available
        Use your default DNS resolver if there is a problem with the secure DNS provider
        Use a local provider, if possible
        ....
        Turn off when VPN, parental control, or enterprise policies are active
        Turn off when a network tells Firefox it shouldn’t use secure DNS
        
        • lemmyvore
          link
          fedilink
          English
          -11 year ago

          Firefox DoH has been enabled by default for the US for a couple of years now.

          • @hottari@lemmy.ml
            link
            fedilink
            41 year ago

            The US is not the world!

            And neither Firefox nor its broken? DNS implementation have anything to do with the topic(Linux DNS)…

            • lemmyvore
              link
              fedilink
              English
              11 year ago

              You said all browsers would follow your system DNS, I just explained that’s not always the case.

              And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.

              • @hottari@lemmy.ml
                link
                fedilink
                41 year ago

                You said all browsers would follow your system DNS, I just explained that’s not always the case.

                Both Firefox & Chrome follow my system DNS at default settings. Just because Firefox forcefully enrolled US users to Cloudflare’s DOH doesn’t mean that DNS is broken for every one else.

                And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.

                Again. Has nothing to do with the topic i.e Linux DNS. Applications can use their own custom DOH/DOQ resolvers to bypass system DNS, this has no bearing on the brokeness or not of systemd-resolved or any other system DNS resolver.

    • @library_napper
      link
      41 year ago

      Your suggested solution would leak DNS for everything except thr browser. That’s a broken implementation