Published: 2024-03-18

DoT: Setting up DNS over TLS on OpenRC

A few weeks ago I set up DNS over TLS (DoT) on my OpenRC-based Gentoo machine, and I want to share the process, since it's not as straightforward as on a systemd-based system.

DoT is a mechanism for encrypting DNS traffic with TLS, which adds a layer of privacy against man-in-the-middle attacks. It does not hide the IP addresses you connect to, but it's a lot better than no encryption at all.

Overview

The basic steps are as follows: set up Dnsmasq as a local caching resolver, set up Stubby as its DoT upstream, and point the system's network connections at the local resolver.

Setting up Dnsmasq

I believe Dnsmasq is not strictly necessary for this setup, but it provides a key benefit, DNS caching, which reduces latency significantly (by roughly 300ms for repeat lookups of a domain after its first resolution), so I highly recommend using it.

The first step is to install Dnsmasq. On a Gentoo system, that would look something like this:

emerge -av net-dns/dnsmasq

It will likely be installed with a default configuration file; I recommend that you back up/rename it, since we'll be creating a new one from scratch.

Configuration

In my case /etc/dnsmasq.conf contains the following:

no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces

no-resolv instructs Dnsmasq not to use /etc/resolv.conf, which in my case is auto-generated by NetworkManager and would point back to Dnsmasq itself.

The other lines instruct Dnsmasq to forward DNS requests to Stubby, which we will set up to listen on port 53000 (you can opt to use a different port if that one is unavailable on your system). Make sure that you do not use port 53, as that is the port Dnsmasq itself listens on.

Setting up Stubby

Stubby is the DNS resolver I use for DoT, chosen simply because it supports it.

If you're using Gentoo like me, make sure you enable the stubby USE flag for net-dns/getdns, then install it as normal:

emerge -av net-dns/getdns

Configuration

Stubby is configured in /etc/stubby/stubby.yml. As with Dnsmasq, it may be a good idea to back up/rename the original configuration.

I've left a few notes underneath the configuration on options that you may want to change depending on your use case.

My configuration uses LibreDNS as the upstream, so adapt it as necessary:

log_level: GETDNS_LOG_NOTICE
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128

edns_client_subnet_private: 1

round_robin_upstreams: 0

idle_timeout: 10000

listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000

# Change to fit the settings given by your provider.
# Can have as many DNS providers as you want.
upstream_recursive_servers:
  - address_data: 116.202.176.26
    tls_auth_name: "dot.libredns.gr"

edns_client_subnet_private

I strongly suggest you leave this option as is. When set to 0, it enables support for resolvers that send ECS (EDNS Client Subnet), which allows better geolocation of content at the expense of revealing a portion of your IP address to authoritative servers, which creates some fingerprinting potential.

Setting it to 1 avoids this issue, but content may not be as geographically relevant. I recommend this, and setting your search engine's location options instead.

round_robin_upstreams

If you only have upstream servers that you trust equally, you can set this to 1 instead, so that queries are distributed between them.

If you have one or two that you trust fully, plus some backups that are a bit less privacy-respecting, you'll want to keep this as 0 and order them from most trustworthy to least.

listen_addresses

If you can't use port 53000 for Stubby, change it to the port number you set in /etc/dnsmasq.conf.
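The port in Dnsmasq's server= line and the one in Stubby's listen_addresses must agree, and neither should be 53. The following is an added check of my own (not part of the original post) that verifies this together with the no-resolv and tls_authentication settings; it uses only the standard library, so its Stubby parser is a minimal line-based one that assumes the layout shown above.

```python
import re
# Added example (not from the post), stdlib only; the Stubby parser below is
# line-based and assumes the layout shown on the page.
# Constructed sample inputs trimmed from the post's two configuration files.
DNSMASQ_CONF = """\
no-resolv
server=127.0.0.1#53000
listen-address=127.0.0.1
"""
STUBBY_YML = """\
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000
upstream_recursive_servers:
  - address_data: 116.202.176.26
    tls_auth_name: "dot.libredns.gr"
"""

def dnsmasq_forward_ports(conf):
    """Ports of every 'server=host#port' line (dnsmasq defaults to 53)."""
    return {int(m.group(2) or 53)
            for m in re.finditer(r"^server=([^#\s]+)(?:#(\d+))?\s*$", conf, re.M)}

def stubby_listen_ports(yml):
    """Ports of the '- addr@port' entries under listen_addresses (default 53)."""
    ports, in_block = set(), False
    for line in yml.splitlines():
        if line.startswith("listen_addresses:"):
            in_block = True
        elif in_block and re.match(r"^\s*-", line):
            m = re.search(r"@(\d+)\s*$", line)
            ports.add(int(m.group(1)) if m else 53)
        elif in_block and line.strip() and not line.startswith(" "):
            in_block = False  # next top-level key ends the list
    return ports

def check_chain(dnsmasq_conf, stubby_yml):
    """Return a list of problems; an empty list means the chain is consistent."""
    fwd, listen = dnsmasq_forward_ports(dnsmasq_conf), stubby_listen_ports(stubby_yml)
    problems = []
    if "no-resolv" not in dnsmasq_conf.split():
        problems.append("dnsmasq: no-resolv missing, /etc/resolv.conf can loop back to dnsmasq")
    if 53 in fwd:
        problems.append("dnsmasq: forwarding to port 53 collides with dnsmasq's own listener")
    if not fwd & listen:
        problems.append(f"port mismatch: dnsmasq forwards to {sorted(fwd)}, stubby listens on {sorted(listen)}")
    if not re.search(r"^tls_authentication:\s*GETDNS_AUTHENTICATION_REQUIRED\b", stubby_yml, re.M):
        problems.append("stubby: tls_authentication is not REQUIRED, upstream is not authenticated")
    return problems
```

Run it against the real files by reading /etc/dnsmasq.conf and /etc/stubby/stubby.yml into the two arguments; an empty result means the two halves of the chain agree.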

Configuring DNS for system connections

Now that everything is set up, we can enable Dnsmasq and Stubby to start at boot:

rc-update add dnsmasq default
rc-update add stubby default

And then start them:

rc-service dnsmasq start
rc-service stubby start

This next part will differ depending on what you use to manage your network connections. As I use NetworkManager, I need to change the [ipv4] sections in my .nmconnection files in /etc/NetworkManager/system-connections/ from this:

[ipv4]
method=auto

To this:

[ipv4]
dns=127.0.0.1;
ignore-auto-dns=true
method=auto

IPv6 would require additional configuration; however, my ISP does not provide it, so I wouldn't be able to give instructions here in good faith. Please consult the documentation of your network management service.

I imagine the process is similar with wpa_supplicant or iwd, but you'll need to consult their documentation.

At this point, you can restart your network management service, or reboot, and it should work. In my case:

rc-service NetworkManager restart

Summary

We have now set up Dnsmasq to use Stubby as its upstream resolver, configured our connections to use the local Dnsmasq server for DNS resolution, and have DNS over TLS for all outgoing DNS queries, adding a layer of privacy to our network stack.