I have an Ubuntu 20.04 server. This server is set up to run WordPress sites (LEMP stack). On this server, I have set up the Ubuntu DNS resolver to use "DNS over TLS", using the Cloudflare DNS service.
When I run the following commands, I can see that it uses port 53, not the DNS over TLS port 853. In my CSF firewall, I have allowed port 853 for TCP and UDP (in/out).
What could be the reason for this? How do I force Ubuntu to use DNSOverTLS?
My resolved.conf configuration:
[Resolve]
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=yes
Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
These are my testing results.
root@server:~# nslookup google.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: google.com
Address: 142.250.65.174
Name: google.com
Address: 2607:f8b0:4006:81e::200e
root@server:~# kdig -d google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(53), protocol(UDP)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51182
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 246 IN A 142.251.40.142
;; Received 44 B
;; Time 2022-01-30 16:17:34 +0530
;; From 1.1.1.1@53(UDP) in 1.3 ms
However, when I run the following command, it uses DNS over TLS (port 853).
root@server:~# kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG: SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16525
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 68347 IN A 93.184.216.34
;; Received 468 B
;; Time 2022-01-30 16:02:33 +0530
;; From 1.1.1.1@853(TCP) in 1.7 ms
When I check the resolver status, it shows DNS over TLS enabled.
root@server:~# systemd-resolve --status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
DNS Servers: 1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
94.237.127.9
94.237.40.9
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 4 (eth2)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
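The symptom in the output above (nslookup and kdig reporting 1.1.1.1 on port 53 even though resolved.conf has DNSOverTLS=yes) is consistent with /etc/resolv.conf listing the upstream servers directly instead of the systemd-resolved stub at 127.0.0.53: both tools read /etc/resolv.conf and talk to whatever it names, and DNSOverTLS only applies to queries that actually pass through systemd-resolved. The check below is an added example, not part of the original post; the function names and the two sample resolv.conf files are constructed for it.

```shell
#!/bin/sh
# Added example: classify the nameservers in a resolv.conf-style file.
# systemd-resolved applies DNSOverTLS=yes only to queries that reach it,
# i.e. when /etc/resolv.conf points at its local stub (127.0.0.53). Any
# other nameserver is contacted by the libc resolver (and by tools such
# as nslookup/kdig) directly over plain UDP/TCP port 53, whatever
# resolved.conf says.

# Print the nameserver addresses of a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Classify a file: "stub" if every nameserver is the systemd-resolved stub,
# "bypass" if at least one nameserver is contacted directly (DoT not in
# effect for it), "none" if the file lists no nameserver at all.
classify_resolv() {
    total=0
    direct=0
    for ns in $(resolv_nameservers "$1"); do
        total=$((total + 1))
        case "$ns" in
            127.0.0.53) ;;                 # systemd-resolved stub listener
            *) direct=$((direct + 1)) ;;   # goes out on port 53, no TLS
        esac
    done
    if [ "$total" -eq 0 ]; then
        echo none
    elif [ "$direct" -eq 0 ]; then
        echo stub
    else
        echo bypass
    fi
}

# Constructed sample files (not the poster's real /etc/resolv.conf).
SAMPLE_STUB=$(mktemp)
SAMPLE_BYPASS=$(mktemp)
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$SAMPLE_STUB"
printf '# written by a provisioning tool\nnameserver 1.1.1.1\nnameserver 1.0.0.1\n' > "$SAMPLE_BYPASS"

classify_resolv "$SAMPLE_STUB"     # stub
classify_resolv "$SAMPLE_BYPASS"   # bypass

# On a live host, run: classify_resolv /etc/resolv.conf
```

A result of "bypass" on the live file means the resolver configuration, not the firewall, is why port 853 is never used.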