Encrypted DNS on Bluefin and Linux

Encrypted DNS on Bluefin Linux

Configuring encrypted DNS on your Bluefin Linux system is easier than you might expect. There is a lot of wrong information out there saying image-based Linux is difficult to customize. Don't believe it. Customization is a matter of knowing where to make your edits so that they persist through reboots and updates. I remember the first time I configured my legacy Ubuntu and Debian machines to run DNS over TLS, then DNS over HTTPS. It worked, but it wasn't as easy as setting it up on Bluefin.

The good news is that Bluefin uses a component named systemd-resolved and is already configured for DNS over TLS. If you want to change to a different server, an edit to one file is all that is needed. Switching the encryption scheme to DNS over HTTPS is a little more complex; I will show you how it is done.

Changing the DNS-over-TLS Server on Bluefin

Manage the DNS-over-TLS settings by editing the content of file /etc/systemd/resolved.conf:

[Resolve]
# Cloudflare DNS servers with TLS hostname verification
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com

# Enable DNS-over-TLS
DNSOverTLS=yes

# Enable DNSSEC validation
DNSSEC=yes

# Optional: Enable caching
Cache=yes

Key Configuration Details:

Using Unbound for Alternative DNS over TLS

If you have a reason not to use the built-in systemd-resolved framework for DNS over TLS, consider Unbound, a full recursive resolver that can forward queries upstream over DNS-over-TLS. It validates DNSSEC and caches results locally.

1. Install Unbound:

sudo rpm-ostree install unbound

2. Configure /etc/unbound/unbound.conf:

server:
    # Listen only on loopback; systemd-resolved is the sole client
    interface: 127.0.0.1@53
    access-control: 127.0.0.1/32 allow
    do-ip4: yes
    # Local clients (systemd-resolved) query over UDP first, so UDP must stay
    # enabled here. The TLS connections to the upstream always use TCP anyway.
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    # CA bundle used to verify the upstream's TLS certificate against the
    # hostname given after '#' in forward-addr below
    tls-cert-bundle: /etc/pki/tls/certs/ca-bundle.crt # Path on Fedora/Bluefin

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9 DoT with DNSSEC validation; port 853 and the certificate name follow the address
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

3. Point systemd-resolved to unbound: Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=127.0.0.1
DNSOverTLS=no
DNSSEC=yes

4. Restart Services:

sudo systemctl enable --now unbound
sudo systemctl restart systemd-resolved

DNSCrypt-Proxy for DNS over HTTPS

The most robust and widely recommended alternative is dnscrypt-proxy. It supports DNS over HTTPS for many providers (not just Cloudflare) and is actively maintained. It can provide DNS over HTTPS through servers of Quad9, Google, NextDNS, Mullvad, and others.

1. Install dnscrypt-proxy: On Bluefin, you may need to layer it or run it in a toolbox/container if not in the default repos:

sudo rpm-ostree install dnscrypt-proxy

2. Configure /etc/dnscrypt-proxy/dnscrypt-proxy.toml to enable DNS over HTTPS and select your servers.

listen_addresses = ['127.0.0.1:5053']

# Enable only DNS over HTTPS servers
dnscrypt_servers = false
doh_servers = true

# Select servers (e.g., Quad9, Google, NextDNS)
# Run 'dnscrypt-proxy -list' to see all available names
server_names = ['quad9-doh-ip4-port443-filter-pri', 'google', 'nextdns']

# Optional: Force IPv4/IPv6 or specific protocols
ipv4_servers = true
ipv6_servers = false

3. Point systemd-resolved to the proxy: Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=127.0.0.1:5053
FallbackDNS=127.0.0.1:5053
DNSOverTLS=no
DNSSEC=yes

4. Restart Services:

sudo systemctl enable --now dnscrypt-proxy
sudo systemctl restart systemd-resolved
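Each of the resolved.conf variants above has a rule behind it: with DNSOverTLS=yes every DNS= entry needs the #hostname so the upstream certificate name is verified, and when DNS= points at the local Unbound or dnscrypt-proxy listener DNSOverTLS must be no, because that listener does not serve TLS. The following script is an added check, not code from the page or from any of the projects it mentions; it parses a [Resolve] section with Python's standard library and reports violations of those two rules, using constructed sample sections.

```python
"""Lint the [Resolve] section of systemd-resolved's resolved.conf for encrypted-DNS mistakes."""
import configparser
import ipaddress

# Constructed samples mirroring the two shapes of configuration discussed above.
DOT_CONF = """
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes
"""

PROXY_CONF = """
[Resolve]
DNS=127.0.0.1:5053
DNSOverTLS=no
DNSSEC=yes
"""


def parse_server(entry):
    """Split 'ip[:port][#sni]' or '[ipv6]:port[#sni]' into (ip, port, sni)."""
    sni = None
    if "#" in entry:
        entry, sni = entry.split("#", 1)
    port = None
    if entry.startswith("["):                 # [2606:4700::1111]:853
        host, _, rest = entry[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif entry.count(":") == 1:               # 127.0.0.1:5053
        host, port_text = entry.split(":")
        port = int(port_text)
    else:                                     # bare IPv4 or bare IPv6
        host = entry
    return str(ipaddress.ip_address(host)), port, sni


def check_resolve(text):
    """Return a list of findings; an empty list means the section is consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["Resolve"]
    strict_tls = sec.get("DNSOverTLS", "no").lower() in ("yes", "true", "1", "on")
    findings = []
    for entry in sec.get("DNS", "").split():
        ip, port, sni = parse_server(entry)
        loopback = ipaddress.ip_address(ip).is_loopback
        if strict_tls and not loopback and sni is None:
            findings.append(f"{entry}: DNSOverTLS=yes without #hostname, certificate name is not verified")
        if strict_tls and loopback:
            findings.append(f"{entry}: DNSOverTLS=yes towards a loopback proxy that serves plain DNS; set DNSOverTLS=no")
        if port is not None and not 1 <= port <= 65535:
            findings.append(f"{entry}: port out of range")
    return findings
```

Run it against /etc/systemd/resolved.conf after each edit; an empty list means the file matches the intended mode.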

Among the several options available for using encrypted DNS on Bluefin, other than the built-in DNS over TLS, Unbound and DNSCrypt-Proxy are the most workable. You should know there is yet another option, named DNSS. I have used DNSS on Ubuntu and Debian. It works, although I found the customized server setup to be a bit more tricky.

The setup methods and configuration information given above should work fine on other Universal Blue operating systems too. For a more permanent configuration, if you used rpm-ostree, consider replacing your layering work with a customized image: clone the image as a Git repository and add the new packages (Unbound or DNSCrypt-Proxy) to the build declaration.

Whichever way you do it, you get the stability and ease of Bluefin along with the customizations you want. Image based Linux works for you!

© 2005 - 2026 AB9IL.net, All Rights Reserved.
Written and curated by Philip Collier / AB9IL.