Configure DNS over TLS on Linux Mint to Protect DNS Privacy

This tutorial will be showing you how to protect your DNS privacy on Linux Mint with DNS over TLS. We will use a tool called stubby, but first, let me tell you why DNS is not secure.

DNS Vulnerability

DNS is insecure because by default DNS queries are not encrypted. They are sent in plain text on the wire and can be exploited by middle entities. For example, the Great Firewall of China (GFW) uses a technique called DNS cache poison to censor Chinese Internet. (They also use other methods, which are beyond the scope of this article.)

GFW checks every DNS query that is sent to a DNS server outside of China. Since plain text DNS protocol is based on UDP, which is a connection-less protocol, GFW can spoof both the client IP and server IP.  When GFW finds a domain name on its block list, it changes the DNS response.

For instance, if a Chinese Internet user wants to visit google.com, GFW returns an IP address located in China instead of Google’s real IP address, to the user’s DNS resolver. Then the DNS resolver returns the fake IP address to the user’s computer, so the user cannot visit google.com.

What is DNS over TLS? How It Protects Your DNS Privacy?

DNS over TLS means that DNS queries are sent over a secure connection encrypted with TLS (Transport Layer Security), which is the same technology that encrypts HTTP traffic, so no third parties can see your DNS queries. Combined with HTTPS sites and encrypted SNI (Server Name Indication), your web browsing history will be fully protected from ISP spying.

Stubby is an open-source DNS stub resolver. A stub resolver is a small DNS client on the end-user’s computer that receives DNS requests from applications such as Firefox and forwards requests to a recursive resolver like 1.1.1.1 or 8.8.8.8. Stubby is special in that it supports DNS over TLS. By default, it will only send encrypted DNS queries.

Note: This tutorial only works on Linux Mint 19, including 19.1 and 19.2. If you are using Linux Mint 18, please upgrade your system.

How to Use Stubby to Configure DNS over TLS on Linux Mint

Stubby is included in Linux Mint 19 software repository. Open up a terminal window and run the following command to install it.

sudo apt install stubby

Once installed, stubby automatically runs in the background. You you check its status with:

systemctl status stubby

systemctl status stubby

Hint: If the above command doesn’t quit immediately, you can press the Q key to quit the command and gain back control of the terminal.

Stubby listens on TCP and UDP port 53 of localhost (127.0.0.1), as can be seen by running this command:

sudo netstat -lnptu | grep stubby

linux mint stubby
The default stub resolver provided by systemd-resolved listens on TCP and UDP port 53 of 127.0.0.53.

sudo netstat -lnptu | grep systemd-resolve

linux mint stub resolver
Now that stubby is installed and running, we need to tell our Linux Mint system to use it. Click the Network Manager icon on the bottom-right corner of your desktop, then select Network Settings.

linux mint dns over tls

Click the gear icon to configure network.

linux mint configure dns server

Select IPv4 tab and switch off Automatic in DNS. This will prevent your Linux Mint system from getting DNS server address from your router. Then specify the address of Stubby (127.0.0.1) in the Server text field. Click the Apply button and close the Network window.

dns over tls linux mint

Then run the following command in terminal to restart NetworkManager, in order for the above changes to take effect.

sudo systemctl restart NetworkManager

Once you are reconnected to your router, click the Network Manager icon again and select Network Settings. You can see that your Linux Mint system is now using 127.0.0.1 (stubby) as the DNS server.

linux mint install configure stubby

How to Switch to Stubby From the Command Line

You can also make your Linux Mint system use stubby by configuring systemd-resolved from the command line. The default DNS server can be seen with this command.

systemd-resolve --status

systemd-resolve dns servers

To set Stubby as the default server, open the systemd-resolved configuration file with a command line text editor, such as Nano.

sudo nano /etc/systemd/resolved.conf

Use the arrow keys to move up and down. In the [Resolve] section, add the following line to make your system use Stubby.

DNS=127.0.0.1

systemd-resolve change dns server

Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To exit, press Ctrl+X.)

Then restart systemd-resolved service.

sudo systemctl restart systemd-resolved

Now run the following command to check the default DNS server.

systemd-resolve --status

You will see 127.0.0.1 is set as the DNS server in the Global section.

systemd-resolve global dns server

How to Check if Your DNS Traffic is Encrypted

We can use WireShark to monitor DNS traffic. Run the following command in terminal to install WireShark from Linux Mint repository.

sudo apt install wireshark

If you are asked “Should non-superusers be able to capture packets?”, use the arrow key to select Yes and press Enter.

linux mint wireshark capture traffic

Once it’s installed, run the following command to add your user account to the wireshark group so that you can capture packets. Replace your-username with your real username.

sudo adduser your-username wireshark

Log out and log back in for the changes to take effect. Then open WireShark from your application menu.

wireshark linux mint

Select your network interface in WireShark. For example, my Ethernet interface name is enp0s3. If you are using Wi-Fi, then your network interface name will be something like wlp0s3. Then enter port 853 as the capture filter. This will make WireShark only capture traffic on port 853, which is the port used by DNS over TLS.

linux mint wireshare capture dns over tls traffic

Press Enter to start capturing traffic. After that, in terminal window, run the following command to query a domain name by using the dig utility. For instance, I can query the A record of my domain name.

dig A linuxbabe.com

Now you can see the captured DNS traffic in WireShark. As you can see, my DNS query was sent to 185.49.141.37, 145.100.185.15 or 145.100.185.16, which are the 3 default DNS resolvers defined in stubby configuration file. Connections were made over TCP and encrypted with TLS, which is what I want. Click the red button on the upper-left corner to stop capturing traffic.

linux mint dns over tls stubby
If DNS queries are sent without encryption, then the computer would contact DNS server on port 53. You can capture packets again with port 53 as the capture filter, but you won’t see any packets in WireShark, which means stubby is encrypting your DNS queries.

Wrapping Up

I hope this tutorial helped you protect your DNS privacy on Linux Mint with DNS over TLS. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.

Rate this tutorial
[Total: 5 Average: 5]

10 Responses to “Configure DNS over TLS on Linux Mint to Protect DNS Privacy

  • Great !

  • Is that for one time installing n setup process? Next time if we want to use DoT (DNS over TLS) all we have to do is turn on the stubby?

    • Xiao Guoan (Admin)
      4 years ago

      If you followed this tutorial exactly, then stubby would automatically start at boot time. All your DNS requests are encrypted. It is a one time setup process.

  • how to undo this? After installing Stubby, I cannot run steam

  • Otis Michaud
    3 years ago

    All this is wonderful – but there’s a logical loop. If DNS is not enabled we can’t download the package (or any other update)

    /etc$ sudo apt install stubby
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    The following packages were automatically installed and are no longer required:
    linux-headers-5.4.0-65 linux-headers-5.4.0-65-generic linux-image-5.4.0-65-generic linux-modules-5.4.0-65-generic linux-modules-extra-5.4.0-65-generic
    Use ‘sudo apt autoremove’ to remove them.
    The following additional packages will be installed:
    libev4 libgetdns10 libunbound8
    The following NEW packages will be installed:
    libev4 libgetdns10 libunbound8 stubby
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 601 kB of archives.
    After this operation, 1,801 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    Err:1 http://archive.ubuntu.com/ubuntu focal/universe amd64 libev4 amd64 1:4.31-1
    Could not resolve ‘archive.ubuntu.com’
    Ign:2 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libunbound8 amd64 1.9.4-2ubuntu1.2

    • Xiao Guoan (Admin)
      3 years ago

      You can use any other DNS resolver like 8.8.8.8 before installing stubby. After that, configure the stubby to use a DNS over TLS resolver.

      If your system can’t resolve DNS, I’m wondering why can you browse this web page?

  • Can no longer ping after setup. Any reason?

  • can ping ips but not fqdn

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here