Install systemd-resolved
# apt-get install systemd-resolved
Enable it
# systemctl enable systemd-resolved
The old-fashioned /etc/resolv.conf, as NetworkManager generated it, sends every query in plaintext over UDP port 53 to these servers:
# Generated by NetworkManager
nameserver 45.90.28.186
nameserver 8.8.8.8
nameserver 1.1.1.1
Edit the configuration file /etc/systemd/resolved.conf. The keys must sit under the [Resolve] section header, otherwise resolved ignores them:
[Resolve]
DNS=45.90.28.186 8.8.8.8 1.1.1.1
DNSOverTLS=yes
DNSOverTLS=yes is strict mode: resolved refuses to fall back to plaintext, so every listed server must speak DNS-over-TLS on TCP port 853. DNSOverTLS=opportunistic would silently drop back to port 53 whenever TLS fails, which defeats the purpose here.
Optional, but recommended: give each server its TLS hostname in the form address#hostname, so resolved validates the certificate against that name and sends it as SNI. A server listed without a hostname (the first one below, kept as in the original list) gives resolved no name to match the certificate against:
[Resolve]
DNS=45.90.28.186 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
DNSOverTLS=yes
Enable systemd-resolved in NetworkManager: edit /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
dns=systemd-resolved
With dns=systemd-resolved, NetworkManager hands the DNS servers it learns per connection (e.g. from DHCP) to resolved instead of writing them into /etc/resolv.conf, and /etc/resolv.conf itself should be the symlink to /run/systemd/resolve/stub-resolv.conf so that applications talk to the stub at 127.0.0.53. Under a global DNSOverTLS=yes those DHCP-learned servers must speak DoT as well; if they do not, set the connection to ignore automatic DNS (ipv4.ignore-auto-dns) and check each link with resolvectl status.
Restart Network Manager
# systemctl restart NetworkManager
Restart systemd-resolved
# systemctl restart systemd-resolved
Test it. The server reported must be the local stub, 127.0.0.53, not one of the upstream addresses:
# nslookup duckduckgo.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: duckduckgo.com
Address: 20.43.161.105
Done. With strict DNSOverTLS=yes, queries leave the host only on TCP port 853 inside TLS, so an ISP or any other on-path device can no longer read or rewrite them in transit the way it can with plaintext port-53 traffic (the diagnostics below show exactly that kind of rewriting). The resolver operator you picked still sees every query, so this is transport protection, not anonymity.
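The configuration steps above, gathered into one script as an added example (not from the original page): it renders the [Resolve] section, lints it for the two mistakes that silently weaken DoT (no [Resolve] header or non-strict mode, and servers without a #hostname), and, only when run with the argument apply, installs the file and checks that resolved really talks TCP 853. The hostnames dns.google and cloudflare-dns.com are the ones the page lists; the RESOLVED_CONF variable is an assumption so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original page: render and lint a
# /etc/systemd/resolved.conf for strict DNS-over-TLS, then (only when asked)
# install it and verify that resolved really uses TCP/853 upstream.
# Assumptions: server hostnames dns.google and cloudflare-dns.com as on the
# page; RESOLVED_CONF is a variable so the functions run offline.

# Render a complete resolved.conf.  Args: "ip#hostname" servers.
# Keys outside a [Resolve] header are ignored by systemd-resolved.
render_resolved_conf() {
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\n' "$*"
}

# Lint a resolved.conf for the mistakes that weaken DoT without any error:
#   - missing [Resolve] header: the keys below it are simply ignored
#   - DNSOverTLS not 'yes': opportunistic mode falls back to plaintext port 53
#   - a DNS= server without "#hostname": no name to validate the certificate
#     against and no SNI to send
# Returns 0 when clean, 1 otherwise; problems are printed one per line.
lint_resolved_conf() {
    file=$1
    grep -q '^\[Resolve\]' "$file" || { echo "missing [Resolve] section header"; return 1; }
    grep -q '^DNSOverTLS=yes' "$file" || { echo "DNSOverTLS is not 'yes'"; return 1; }
    missing=0
    for srv in $(sed -n 's/^DNS=//p' "$file"); do
        case $srv in
            *#?*) ;;
            *) echo "server $srv has no #hostname"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Install the rendered file, restart resolved and inspect the live state.
# Never called by default; run as: sh this.sh apply
apply_and_verify() {
    conf=${RESOLVED_CONF:-/etc/systemd/resolved.conf}
    render_resolved_conf '8.8.8.8#dns.google' '1.1.1.1#cloudflare-dns.com' > "$conf"
    lint_resolved_conf "$conf" || return 1
    systemctl restart systemd-resolved
    # Applications must reach the stub at 127.0.0.53 via /etc/resolv.conf.
    readlink -f /etc/resolv.conf | grep -q 'stub-resolv.conf' ||
        echo "warning: /etc/resolv.conf is not the systemd stub; queries may bypass resolved"
    resolvectl status | grep DNSOverTLS
    # Trigger a lookup, then show the upstream socket: it must be TCP 853.
    resolvectl query duckduckgo.com >/dev/null
    ss -tn '( dport = :853 )'
}

case ${1:-} in
    apply) apply_and_verify ;;
esac
```

The ss line at the end is the check worth keeping: if resolved were falling back to plaintext you would see no established connection to port 853 after the query, whatever resolvectl status claims.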
Handy diagnostics guide (plaintext port-53 queries sent straight to public resolvers, for comparison with the DoT path above):
Dig
# dig duckduckgo.com @1.1.1.1 +short
safe.duckduckgo.com.
202.169.44.80
Nslookup
# nslookup duckduckgo.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
duckduckgo.com canonical name = safe.duckduckgo.com.
Name: safe.duckduckgo.com
Address: 202.169.44.80
Name: safe.duckduckgo.com
Address: 2404:8000:11:2::2
Whois
# whois 202.168.44.80
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '202.168.0.0 - 202.168.63.255'
% Abuse contact for '202.168.0.0 - 202.168.63.255' is 'hostmaster@tpgtelecom.com.au'
inetnum: 202.168.0.0 - 202.168.63.255
netname: TPG-AU
descr: TPG Internet Pty Ltd.
country: AU
org: ORG-TIPL2-AP
admin-c: TH178-AP
tech-c: TH178-AP
abuse-c: AT937-AP
status: ALLOCATED PORTABLE
remarks: Australian Internet Service Provider (ISP)
remarks: http://www.tpg.com.au
Curl
# curl -I https://www.duckduckgo.com
curl: (7) Failed to connect to www.duckduckgo.com port 443 after 4129 ms: Could not connect to server
Note: even queries sent directly to 1.1.1.1 and 8.8.8.8 over plaintext port 53 come back with a CNAME to safe.duckduckgo.com and an address in an Australian ISP's range (TPG, per whois), while the lookup through the DoT stub above returned 20.43.161.105; curl's connection to the rewritten address then times out. Something between this host and the public resolvers is answering in their place, which is exactly the on-path rewriting that DNSOverTLS=yes prevents. Also, the address passed to whois here (202.168.44.80) differs in the third octet from the address dig returned (202.169.44.80); run whois against the exact address the resolver gave you.
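The comparison described in the diagnostics above, as an added example (not from the original page): it resolves the same name once over plaintext port 53 at a public resolver and once through the local stub at 127.0.0.53, and flags any disagreement in the address records, printing injected CNAMEs and the whois netname of each plaintext answer. The sample answers in the test are constructed from the outputs shown on this page; the default domain duckduckgo.com and resolver 1.1.1.1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: detect on-path rewriting of
# plaintext DNS by comparing the answer a public resolver gives over UDP/53
# with the answer the local systemd-resolved stub (DoT upstream) gives for
# the same name.  The domain and resolver defaults are assumptions.

# Keep only address records from `dig +short` output.  CNAME targets are
# printed as FQDNs ending in '.', addresses (v4 or v6) never are.
addresses_only() {
    grep -v '\.$' | sort -u
}

# Print only the CNAME targets from `dig +short` output (empty if none).
cnames_only() {
    grep '\.$' | sort -u
}

# Return 0 when two answer sets agree on their address records, 1 otherwise.
# Order-insensitive; CNAME lines are ignored on purpose so that a resolver
# which merely flattens a legitimate CNAME is not reported.
answers_agree() {
    a=$(printf '%s\n' "$1" | addresses_only)
    b=$(printf '%s\n' "$2" | addresses_only)
    [ "$a" = "$b" ]
}

# Live check: same name over plaintext port 53 at $resolver and through the
# stub at 127.0.0.53.  A mismatch means something between this host and the
# resolver is answering in its place.  Usage: check_interception duckduckgo.com 1.1.1.1
check_interception() {
    name=$1
    resolver=${2:-1.1.1.1}
    plain=$(dig "$name" @"$resolver" +short +time=3 +tries=1)
    stub=$(dig "$name" @127.0.0.53 +short +time=3 +tries=1)
    if answers_agree "$plain" "$stub"; then
        echo "ok: $name resolves identically via $resolver:53 and the DoT stub"
        return 0
    fi
    echo "MISMATCH for $name"
    echo "  plaintext @$resolver:";   printf '%s\n' "$plain" | sed 's/^/    /'
    echo "  DoT stub  @127.0.0.53:";  printf '%s\n' "$stub"  | sed 's/^/    /'
    # An injected CNAME (e.g. to a "safe." host) is the usual tell.
    printf '%s\n' "$plain" | cnames_only | sed 's/^/  injected CNAME? /'
    # Who owns the plaintext answer?  Query each address exactly as returned.
    for ip in $(printf '%s\n' "$plain" | addresses_only); do
        printf '  %s owner: ' "$ip"
        whois "$ip" | grep -i -m1 '^netname:'
    done
    return 1
}

case ${1:-} in
    check) check_interception "${2:-duckduckgo.com}" "${3:-1.1.1.1}" ;;
esac
```

Run it as sh this.sh check duckduckgo.com 1.1.1.1 from a host configured as above; a clean network prints the ok line, a network like the one on this page prints the two differing answer sets, the safe.duckduckgo.com. CNAME and the ISP's netname.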