DNS over HTTPS on Ubuntu

Enhance your privacy and protect yourself from your ISP by hiding your DNS requests inside an ordinary-looking HTTPS connection. This guide works on Ubuntu 24.04 (and soon 26.04) and on any other Linux distribution based on systemd (Debian, Arch Linux, Fedora, etc.).

Why?

I got tired of all these AI-written articles that are simply wrong! systemd-resolved does not support DoH, and if you follow them you will run into bugs. My solution is "simple": tell systemd-resolved to use dnscrypt-proxy, which forwards your DNS requests to a DoH provider.

What is "DoH"?

First, a quick recap: DNS runs on port 53, in cleartext, over UDP. Your internet provider can therefore see all your DNS requests and thus your browsing history. On top of that, your DNS replies can be poisoned and you may run into DNS censorship.

Running DNS inside HTTPS ensures your internet provider no longer gets to see your DNS traffic. No more cleartext DNS!

Installation:

1 - Install the package: dnscrypt-proxy

root@swagindustries:~# apt install dnscrypt-proxy
Reading package lists... Done
The following NEW packages will be installed:
  dnscrypt-proxy
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
Need to get 3236 kB of archives.
After this operation, 9554 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 dnscrypt-proxy amd64 2.0.45+ds1-1.2ubuntu0.24.04.3 [3236 kB]
Fetched 3236 kB in 0s (60.9 MB/s)
Preparing to unpack .../dnscrypt-proxy_2.0.45+ds1-1.2ubuntu0.24.04.3_amd64.deb ...
Unpacking dnscrypt-proxy (2.0.45+ds1-1.2ubuntu0.24.04.3) ...
Setting up dnscrypt-proxy (2.0.45+ds1-1.2ubuntu0.24.04.3) ...

2 - Edit the config file: /etc/dnscrypt-proxy/dnscrypt-proxy.toml

# nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
listen_addresses = ['127.0.0.1:5353']
server_names = ['dns.sb', 'fdn', 'dnscry.pt-geneva-ipv4', 'dnscry.pt-hafnarfjordur-ipv4', 'dnscry.pt-stockholm-ipv4']
max_clients = 250
[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

dnscrypt-proxy.toml with dns.sb, fdn & dnscry.pt servers in Switzerland, Iceland and Sweden

3 - Edit systemd-resolved: /etc/systemd/resolved.conf

[Resolve]
DNS=127.0.0.1:5353
DNSStubListener=yes
Cache=yes

4 - Restart the services: systemctl restart dnscrypt-proxy systemd-resolved

root@swagindustries:~# systemctl restart dnscrypt-proxy systemd-resolved

And voilà! Your system's DNS queries are forwarded to dnscrypt-proxy, which in turn forwards them to the secure DoH provider of your choice. You can safely use "127.0.0.1" as a nameserver for your system.
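One thing to verify afterwards: systemd-resolved uses the global DNS= servers in parallel with any per-link servers (such as the ones NetworkManager learns from DHCP), so a leftover per-link resolver can still receive queries in cleartext. The script below is an added check, not part of the original guide: it reads the DNS= entry from resolved.conf and the "DNS Servers" lines of `resolvectl status` output (the samples are constructed, and the status layout is assumed from current systemd), then reports every scope that lists a server other than the dnscrypt-proxy listener.

```python
import configparser
# Constructed sample of the resolved.conf from this guide.
RESOLVED_CONF = """[Resolve]
DNS=127.0.0.1:5353
DNSStubListener=yes
Cache=yes
"""

# Constructed `resolvectl status` output: link enp0s3 still lists DHCP resolvers (one wrapped).
STATUS_TEXT = """Global
       DNS Servers: 127.0.0.1:5353

Link 2 (enp0s3)
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
                    fe80::1%enp0s3
"""

def expected_servers(conf_text: str) -> set[str]:
    """Servers listed under DNS= in the [Resolve] section of resolved.conf."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' occurs in link-local IPv6
    parser.read_string(conf_text)
    return set(parser.get("Resolve", "DNS", fallback="").split())

def parse_status(status_text: str) -> dict[str, list[str]]:
    """Map each scope ('Global', 'Link 2 (enp0s3)') to its 'DNS Servers' list."""
    scopes, scope, in_servers = {}, None, False
    for line in status_text.splitlines():
        if not line.strip():                      # blank line ends a scope block
            scope, in_servers = None, False
        elif scope is None:                       # first line of a block names the scope
            scope = line.strip()
            scopes[scope] = []
        elif line.strip().startswith("DNS Servers:"):
            scopes[scope].extend(line.split(":", 1)[1].split())
            in_servers = True
        elif in_servers and ": " not in line:     # wrapped continuation of the list
            scopes[scope].extend(line.split())
        else:                                     # any other "Key: value" line
            in_servers = False
    return scopes

def find_leaks(status_text: str, expected: set[str]) -> dict[str, list[str]]:
    """{scope: [servers]} for every server that is not the dnscrypt-proxy listener."""
    return {scope: extra for scope, servers in parse_status(status_text).items()
            if (extra := [s for s in servers if s not in expected])}

if __name__ == "__main__":  # run the check against the constructed samples above
    print(find_leaks(STATUS_TEXT, expected_servers(RESOLVED_CONF)))
```

On a live host, feed it the contents of /etc/systemd/resolved.conf and the output of `resolvectl status` instead of the samples. Any link it reports should be pointed at the proxy as well (resolvectl dns <link> <server>) or stopped from receiving DHCP resolvers, otherwise those queries never reach dnscrypt-proxy.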