
Enabling DNS over TLS with systemd-resolved: Why is the server closing the connection?

Ubuntu 16

In this article, we will explore how to enable DNS over TLS with systemd-resolved and understand why the server might be closing the connection.

Quick Answer

The server may be closing the connection when enabling DNS over TLS with systemd-resolved due to compatibility issues or limitations with the DNS server being used. Some DNS servers do not support DNS over TLS or have specific requirements for its implementation. It is recommended to try using a different DNS server to troubleshoot the issue.

Introduction

DNS over TLS is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of DNS over TLS is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

systemd-resolved is a system service that provides network name resolution to local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as LLMNR and MulticastDNS resolver and responder.

Enabling DNS over TLS with systemd-resolved

To enable DNS over TLS with systemd-resolved, you need to edit the /etc/systemd/resolved.conf file. This file contains the configuration settings for systemd-resolved.

Here is an example of what your resolved.conf file should look like:

[Resolve]
DNS=1.1.1.1
Domains=~.
DNSOverTLS=opportunistic

In this configuration:

  • DNS specifies the IP address of the DNS server.
  • Domains is used to specify the routing domains for which this DNS server is used.
  • DNSOverTLS is set to opportunistic, which means that systemd-resolved attempts DNS over TLS and falls back to plaintext DNS if the TLS connection cannot be established (setting it to yes refuses that fallback).

After editing the resolved.conf file, you need to restart the systemd-resolved service for the changes to take effect. You can do this with the following command:

systemctl restart systemd-resolved.service

You can check if DNS over TLS is working by using the resolvectl command:

resolvectl status

This command will display the current DNS configuration, including whether DNS over TLS is enabled.

Why is the server closing the connection?

If you are experiencing issues with the TLS connection being closed by the server, it could be due to compatibility issues or limitations with the DNS server you are using.

Some DNS servers do not support DNS over TLS, or they may have specific requirements for how it should be implemented. For example, some servers do not keep a TLS connection open for reuse across queries, so a new connection must be set up for each request. This results in slower performance and shows up as the server closing the connection after each answer.

To troubleshoot this issue, you can try using a different DNS server, such as Google’s public DNS server at 8.8.8.8, to see if the issue persists.
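A direct way to check both points above (that the server answers on port 853 and whether it keeps the TLS connection open for a second query) is a small DNS over TLS client, shown here as an added example that is not part of the original article. It implements the RFC 7858 framing (two-byte length prefix over TLS on port 853); the server address, the names queried and the sni parameter are the caller's choice.

```python
import socket
import ssl
import struct
from typing import Optional

# RFC 7858: DNS over TLS runs on TCP port 853 and frames every DNS message
# with a two-byte big-endian length, exactly like plain DNS over TCP.
DOT_PORT = 853


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A-record query for `name` (RD set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte length for TCP/TLS transport."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n: int) -> Optional[bytes]:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:          # peer closed the stream mid-message or between messages
            return None
        buf += chunk
    return buf


def recv_framed(sock) -> Optional[bytes]:
    """Read one length-prefixed message; None means the server closed the connection."""
    hdr = _recv_exact(sock, 2)
    return None if hdr is None else _recv_exact(sock, struct.unpack("!H", hdr)[0])


def parse_header(msg: bytes) -> dict:
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": an}


def dot_query(server: str, names: list, sni: Optional[str] = None) -> list:
    """Send several queries over ONE TLS session and record whether the server
    closed the connection before answering a later query (the symptom above)."""
    ctx = ssl.create_default_context()      # verifies the server certificate
    results = []
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or server) as tls:
            for i, name in enumerate(names, start=1):
                tls.sendall(frame(build_query(name, qid=i)))
                reply = recv_framed(tls)
                if reply is None:
                    results.append({"name": name, "closed_by_server": True})
                    break
                results.append({"name": name, "closed_by_server": False, **parse_header(reply)})
    return results
```

Calling dot_query("1.1.1.1", ["example.com", "example.org"]) reports closed_by_server for the second name when the server does not reuse connections, which is the behaviour the article attributes to the closed-connection symptom.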

Conclusion

Enabling DNS over TLS with systemd-resolved is a straightforward process that can significantly enhance the security of your DNS queries. However, it’s important to be aware of potential compatibility issues with different DNS servers and to troubleshoot as necessary.

Remember, the goal is to ensure that your DNS queries are as secure and private as possible, so take the time to understand and correctly implement DNS over TLS.

What is DNS over TLS?

DNS over TLS is a security protocol that encrypts and wraps DNS queries and answers using the Transport Layer Security (TLS) protocol. It aims to enhance user privacy and security by preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks.

What is systemd-resolved?

systemd-resolved is a system service that provides network name resolution to local applications. It acts as a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR and MulticastDNS resolver and responder.

How do I enable DNS over TLS with systemd-resolved?

To enable DNS over TLS with systemd-resolved, you need to edit the /etc/systemd/resolved.conf file and specify the DNS server IP address, routing domains, and enable DNSOverTLS. After making the changes, restart the systemd-resolved service for the configuration to take effect.

How can I check if DNS over TLS is working with systemd-resolved?

You can check the DNS configuration and whether DNS over TLS is enabled by using the resolvectl status command.

Why is the server closing the DNS over TLS connection?

The server may close the DNS over TLS connection due to compatibility issues or limitations with the DNS server being used. Some servers may not support DNS over TLS or have specific requirements for its implementation. For example, servers that do not support connection reuse close the connection after each answer, so a new connection is needed for each request, leading to slower performance and repeated connection closures.

What can I do if the TLS connection is being closed by the server?

If you are experiencing issues with the server closing the TLS connection, you can try using a different DNS server, such as Google’s public DNS server at 8.8.8.8, to see if the issue persists. It’s also important to ensure that the DNS server you are using supports DNS over TLS and that you have correctly implemented it according to the server’s requirements.

Why is DNS over TLS important?

DNS over TLS is important because it adds an additional layer of security to DNS queries. It helps protect against eavesdropping, data manipulation, and other potential attacks that can compromise the privacy and integrity of DNS data. By encrypting DNS queries and answers, DNS over TLS ensures that the information exchanged between the client and server remains confidential and cannot be easily intercepted or tampered with.
