[solved] Enable DNS over TLS on Debian 11

OP
Terminal Velocity

Active Member
Joined
Oct 13, 2021
Messages
304
Reaction score
199
Credits
2,178
Today I have no traffic on port 53; only with tcpdump -i any do I see traffic. I will post that traffic:

Code:
16:39:13.308901 wwx582c80139263 In  IP 239.237.117.34.bc.googleusercontent.com.https > tard-82c7.56468: Flags [.], ack 2007647298, win 272, options [nop,nop,TS val 2877711785 ecr 1981960385,nop,nop,sack 1 {4294967258:1}], length 0
16:39:13.395207 wwx582c80139263 Out IP tard-82c7.47181 > dns9.quad9.net.domain: 12031+ PTR? 69.54.160.10.in-addr.arpa. (43)
16:39:13.588914 wwx582c80139263 In  IP dns9.quad9.net.domain > tard-82c7.47181: 12031 NXDomain* 0/1/0 (102)
16:39:13.589530 wwx582c80139263 Out IP tard-82c7.57806 > dns9.quad9.net.domain: 10373+ PTR? 239.237.117.34.in-addr.arpa. (45)
16:39:13.898928 wwx582c80139263 In  IP dns9.quad9.net.domain > tard-82c7.57806: 10373 1/0/0 PTR 239.237.117.34.bc.googleusercontent.com. (98)
16:39:13.899495 wwx582c80139263 Out IP tard-82c7.57561 > dns9.quad9.net.domain: 20460+ PTR? 9.9.9.9.in-addr.arpa. (38)
16:39:14.089383 wwx582c80139263 In  IP dns9.quad9.net.domain > tard-82c7.57561: 20460 1/0/0 PTR dns9.quad9.net. (66)

Since yesterday I edited the /etc/systemd/resolved.conf file like this:
Code:
$ cat /etc/systemd/resolved.conf
DNS=9.9.9.9
FallbackDNS=149.112.112.112
Domains=~.
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
 


f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
5,917
Reaction score
4,408
Credits
43,489
I will try it on a debian vm to see what happens for me.
 

f33dm3bits
I just tried it with the same DNS settings and setup as you, having configured DNSOverTLS, and when I do queries and view the traffic on 853 I see nothing, but when I then view the traffic on 53 I do see DNS traffic, so it seems Debian might need something extra configured. I will see if I have time later to figure it out.
 
OP
Terminal Velocity
Thank you man for checking it out
 

f33dm3bits
Can you also provide me with the output of the following?
Code:
systemctl list-unit-files | grep -i network
 
OP
Terminal Velocity
Code:
$ systemctl list-unit-files | grep -i network
networking.service                                                        enabled         enabled
NetworkManager-dispatcher.service                                         enabled         enabled
NetworkManager-wait-online.service                                        enabled         enabled
NetworkManager.service                                                    enabled         enabled
systemd-network-generator.service                                         disabled        disabled
systemd-networkd-wait-online.service                                      disabled        disabled
systemd-networkd.service                                                  disabled        enabled
systemd-networkd.socket                                                   disabled        enabled
network-online.target                                                     static          -
network-pre.target                                                        static          -
network.target                                                            static          -
 

craigevil

Well-Known Member
Joined
Feb 24, 2021
Messages
419
Reaction score
419
Credits
2,889
Add these two lines:
Code:
DNSOverTLS=yes
DNSSEC=allow-downgrade

to your /etc/systemd/resolved.conf along with whichever DNS server you want to use.
Restart the service. Then you can check that it is working:
Code:
resolvectl status

In Firefox, edit the trr lines. You can just use the default or edit the custom line.
You can also change network.trr.mode to 2 so Firefox always uses the custom DNS server.

Quad9 has an easy-to-follow article (it does assume you have your DNS server set up).
 
OP
Terminal Velocity
Finally, it worked.

I edited my /etc/resolv.conf like this:
Code:
# Generated by NetworkManager
nameserver 127.0.0.53

127.0.0.53 is a loopback address that is needed for the systemd-resolved service to work.

I also edited my /etc/systemd/resolved.conf like this:
Code:
$ cat /etc/systemd/resolved.conf
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=149.112.112.112
Domains=~.
DNSSEC=yes
DNSSEC=allow-downgrade
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

And I disabled DNS over HTTPS in the browser, and now I have traffic on port 853. Thank you all for the help.
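An added example, not code from anyone in the thread: a POSIX sh audit that reads the effective settings out of a resolved.conf written the way the posts above configure it and flags the two weak spots the thread ran into, a DNS= entry without the #hostname suffix (so the server certificate cannot be checked) and DNSOverTLS left unset or opportunistic (so queries can still fall back to cleartext on port 53). The file path and the sample configs in the comments are assumptions; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread): audit a systemd-resolved config file for the
# DNS-over-TLS settings discussed above.
# Usage: audit_resolved_conf /etc/systemd/resolved.conf   (path is an assumption)

# Effective value of KEY in FILE: the last uncommented "KEY=value" line wins,
# which is also how resolved.conf behaves when a key is repeated (e.g. two DNSSEC= lines).
effective_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        }
        END { print v }' "$1"
}

# Returns 0 when the file enforces DoT against servers whose certificate can be
# validated, 1 otherwise; prints one finding per setting.
audit_resolved_conf() {
    file=$1
    problems=0
    dot=$(effective_value "$file" DNSOverTLS)
    dnssec=$(effective_value "$file" DNSSEC)
    servers=$(effective_value "$file" DNS)

    case "$dot" in
        yes) echo "DNSOverTLS=yes: strict mode, no plaintext fallback" ;;
        opportunistic) echo "WARN: DNSOverTLS=opportunistic still falls back to port 53"; problems=$((problems + 1)) ;;
        *) echo "WARN: DNSOverTLS unset or 'no': queries leave in cleartext on port 53"; problems=$((problems + 1)) ;;
    esac

    [ -z "$servers" ] && { echo "WARN: no DNS= servers configured"; problems=$((problems + 1)); }
    for s in $servers; do          # DNS= may list several space-separated servers
        case "$s" in
            *'#'*) echo "DNS $s: hostname given, server certificate can be validated" ;;
            *) echo "WARN: DNS $s has no #hostname, certificate is not validated"; problems=$((problems + 1)) ;;
        esac
    done

    case "$dnssec" in
        yes) echo "DNSSEC=yes: validation enforced" ;;
        allow-downgrade) echo "NOTE: DNSSEC=allow-downgrade validates only when the upstream supports it" ;;
        *) echo "NOTE: DNSSEC unset or 'no'" ;;
    esac

    [ "$problems" -eq 0 ]
}
```

Run against the first config in this thread (DNS=9.9.9.9 without a hostname) it exits non-zero; against the final one (DNS=9.9.9.9#dns.quad9.net, DNSOverTLS=yes) it exits zero.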
 