Assume:
- NetworkManager and Systemd-Resolved already work
Install unbound
# apt-get install unbound
Edit /etc/systemd/resolved.conf and set:
[Resolve]
DNS=127.0.0.1:5335
Domains=~.
Make sure this line is present in /etc/unbound/unbound.conf
...
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
...
Create and edit /etc/unbound/unbound.conf.d/google-doh.conf
server:
    # Port 5335 is safer for laptops than 5353 (mDNS)
    port: 5335
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Required for TLS verification
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    # Using DoT (Port 853) instead of DoH (Port 443)
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
Enable unbound and restart all services
# systemctl enable unbound
# systemctl start unbound
# systemctl restart systemd-resolved
# systemctl restart NetworkManager
Test
# resolvectl query google.com
google.com: 172.253.118.138
            172.253.118.102
            172.253.118.101
            172.253.118.113
            172.253.118.139
            172.253.118.100
            2404:6800:4003:c11::8a
            2404:6800:4003:c11::71
            2404:6800:4003:c11::64
            2404:6800:4003:c11::8b
# resolvectl query duckduckgo.com
duckduckgo.com: 20.43.161.105
-- Information acquired via protocol DNS in 54.3ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
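The steps above are easy to get subtly wrong in ways that still "work": leave out Domains=~. and some lookups bypass unbound, leave out tls-cert-bundle and unbound forwards over TLS without verifying the upstream certificate, drop the #dns.google suffix and the certificate name is never checked. The script below is an added example written for this note, not part of the original, that lints the two edited files for exactly those settings and then runs a live check. It assumes the file paths from this note, a resolved.conf in the plain key=value form shown above, and that ss and resolvectl are available on the host; the --run flag and the query name example.com are choices of the example.

```shell
#!/bin/sh
# Added example, not part of the original note: lint the two files the note
# edits for the settings that make the forwarding both private and verified,
# then optionally run a live check. Paths default to the ones the note uses;
# pass other paths as arguments when linting a copy elsewhere.

# resolved.conf must send everything (Domains=~.) to unbound on 127.0.0.1:5335,
# otherwise some queries still go straight to the DHCP-supplied resolver.
check_resolved_conf() {
    rc_file="${1:-/etc/systemd/resolved.conf}"
    grep -Eq '^[[:space:]]*DNS=127\.0\.0\.1:5335([[:space:]]|$)' "$rc_file" \
        || { echo "$rc_file: DNS= is not 127.0.0.1:5335"; return 1; }
    grep -Eq '^[[:space:]]*Domains=~\.([[:space:]]|$)' "$rc_file" \
        || { echo "$rc_file: Domains=~. missing, lookups can bypass unbound"; return 1; }
    return 0
}

# The forward zone must use TLS, must have a CA bundle (without tls-cert-bundle
# unbound does not verify the upstream certificate), and every forward-addr
# must be <ip>@853#<hostname> so the certificate name is checked as well.
check_unbound_conf() {
    ub_file="${1:-/etc/unbound/unbound.conf.d/google-doh.conf}"
    ub_rc=0
    grep -Eq '^[[:space:]]*forward-tls-upstream:[[:space:]]*yes' "$ub_file" \
        || { echo "$ub_file: forward-tls-upstream is not yes (plaintext forwarding)"; ub_rc=1; }
    grep -Eq '^[[:space:]]*tls-cert-bundle:[[:space:]]*"?/' "$ub_file" \
        || { echo "$ub_file: tls-cert-bundle missing (certificate not verified)"; ub_rc=1; }
    # Second whitespace-separated field of each forward-addr line is the value.
    ub_addrs=$(awk '$1 == "forward-addr:" { print $2 }' "$ub_file")
    [ -n "$ub_addrs" ] || { echo "$ub_file: no forward-addr entries"; ub_rc=1; }
    for ub_a in $ub_addrs; do
        case "$ub_a" in
            *"@853#"?*) ;;   # port 853 plus a non-empty auth name
            *) echo "$ub_file: forward-addr $ub_a lacks @853#<hostname>"; ub_rc=1 ;;
        esac
    done
    return $ub_rc
}

# Live check on the configured host: something must listen on 127.0.0.1:5335
# and a query through resolved must succeed. resolvectl's "encrypted transport"
# flag stays "no" here because the loopback hop to unbound is plain DNS; the
# TLS hop is unbound's own and is not visible to resolved.
live_check() {
    ss -lun 2>/dev/null | grep -q '127\.0\.0\.1:5335' \
        || { echo "nothing listening on 127.0.0.1:5335 (is unbound running?)"; return 1; }
    resolvectl query "${1:-example.com}" >/dev/null
}

# Run everything only when invoked as:  sh dns-check.sh --run [name-to-query]
if [ "${1-}" = "--run" ]; then
    check_resolved_conf && check_unbound_conf && live_check "${2-}"
fi
```

The two lint functions take a path argument, so they can be run against a staged copy before it is dropped into /etc; the live check is the only part that needs the services from the note to be running.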