[solved] Enable DNS over TLS on Debian 11

Terminal Velocity

Active Member
Joined
Oct 13, 2021
Messages
305
Reaction score
200
Credits
2,185
What I have tried:

I followed this tutorial for Ubuntu:

And in the "Testing" section they suggest running the following command from the terminal:
Code:
sudo tcpdump -i 'port 853'

In my system this command returns the following:
Code:
sudo: tcpdump: command not found

Also, I have never installed or set up a firewall on my computer and I don't know if it has one by default.

Any directions are welcome.
 


f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
5,921
Reaction score
4,411
Credits
43,516
It's telling you the package is not installed. You really don't know how to install a package on Debian?
Code:
sudo apt install tcpdump
 
Terminal Velocity (OP)
Why are you so surprised? I am new and I use this forum for learning; this is my favorite way of learning, to try to do something and learn along the way. Thank you for the answer.

After installing tcpdump the command returns the following:
Code:
$ sudo tcpdump -i 'port 853'

tcpdump: port 853: No such device exists
(SIOCGIFHWADDR: No such device)
 

f33dm3bits
Seeing how long you have been a member I would have thought you would have known how to install a package by now, I was mistaken :)
Code:
$ sudo tcpdump -i 'port 853'

tcpdump: port 853: No such device exists
(SIOCGIFHWADDR: No such device)
The correct format for that is the following.
Code:
tcpdump -i any port 853
The -i stands for interface. I don't think any firewall is installed on Debian by default, so you can install whichever you find easier, which in most cases is firewalld or ufw.
 
Terminal Velocity (OP)
My original username was "slow learning", that explains everything.

The result of this command is the following:
Code:
# tcpdump -i any port 853
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
 

f33dm3bits
That means no traffic is being seen going to port 853. Try doing the following.
Code:
tcpdump -i any port 53
Then you will see all DNS traffic when you do a query for a website, or you can do the following to see all traffic.
Code:
tcpdump -i any
Then you will see all network traffic going on on your PC.

I also just checked the firewall thing for Debian. It looks like Debian installs "nftables" by default but it isn't enabled, so you can just install ufw or firewalld yourself.
To install ufw, enable and start it.
Code:
apt install ufw gufw
systemctl enable ufw --now
or to install firewalld:
Code:
apt install firewalld  firewall-applet
systemctl enable firewalld --now
My original username was "slow learning", that explains everything.
I didn't know that. Terminal Velocity seems the opposite since it indicates speed ;)
 
Terminal Velocity (OP)
Both "tcpdump -i any port 53" and "tcpdump -i any" fill the terminal with data when I visit a page with the browser...

While "tcpdump -i any port 853" does nothing, so this is how we know that my DNS over TLS does not work.

So how do I proceed to make DNS over TLS work? Do I need a firewall for that?
I didn't know that. Terminal Velocity seems the opposite since it indicates speed ;)
That's why I changed it. I thought that my old username was slowing me down, but it seems usernames have no effect on me.
 

f33dm3bits
I have never tried it before, but I did the steps in the article you linked in your other topic and it just works for me.
1. Edit: /etc/systemd/resolved.conf -> DNSOverTLS=yes
2. Change your DNS servers to the Quad9 DNS servers: 9.9.9.9, 149.112.112.112
3. Restart systemd-resolved and NetworkManager
4. Verify by running the following and then doing a DNS query or opening a website: tcpdump -i any port 853
 
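The four steps above as one script, added here as an example; it is not code from the thread or from the howto the thread follows. It assumes a Debian 11 host running systemd-resolved and NetworkManager, and it adds two things the post does not mention, both my own assumptions: the resolved settings go in a drop-in file under /etc/systemd/resolved.conf.d/ instead of being edited into resolved.conf, and /etc/resolv.conf is pointed at resolved's stub listener (127.0.0.53) so that applications actually hand their queries to resolved, which is the only component that speaks TLS. The `#dns.quad9.net` suffix on each server tells resolved which name to validate the certificate against. Run `apply` as root, then `verify`; with no argument it only prints the drop-in.

```shell
#!/bin/sh
# Added example (not from the thread): apply the DNS-over-TLS steps on
# Debian 11 with systemd-resolved + NetworkManager, then verify them.
# Assumptions: drop-in path /etc/systemd/resolved.conf.d/dot.conf and the
# NetworkManager dns=systemd-resolved setting are my choices, not the thread's.
set -eu

DOT_SERVERS="9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net"

# Step 1 + 2: resolved configuration with the Quad9 servers and strict DoT.
# Printed (not written) so it can be inspected and tested without root.
render_dot_dropin() {
    cat <<EOF
[Resolve]
DNS=${DOT_SERVERS}
DNSOverTLS=yes
EOF
}

# Does a resolv.conf send queries to the local stub (127.0.0.53)?  If it lists
# the upstream servers directly, glibc talks to them in plaintext on port 53
# and systemd-resolved, and therefore its TLS transport, is bypassed entirely.
resolv_uses_stub() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

apply() {
    install -d -m 0755 /etc/systemd/resolved.conf.d
    render_dot_dropin > /etc/systemd/resolved.conf.d/dot.conf
    # Point /etc/resolv.conf at resolved's stub file ...
    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
    # ... and stop NetworkManager from overwriting it with the upstream IPs.
    install -d -m 0755 /etc/NetworkManager/conf.d
    printf '[main]\ndns=systemd-resolved\n' > /etc/NetworkManager/conf.d/dns.conf
    # Step 3: resolved is not enabled by default on Debian 11; enable, then restart both.
    systemctl enable --now systemd-resolved
    systemctl restart systemd-resolved NetworkManager
}

verify() {
    resolvectl status | grep -E 'DNSOverTLS|resolv.conf mode'
    resolv_uses_stub /etc/resolv.conf || echo "WARNING: /etc/resolv.conf bypasses the stub" >&2
    # Step 4: the filter is the last argument, not the value of -i.  DoT is
    # TCP only, so 'tcp port 853' is the tightest capture filter for it.
    timeout 5 tcpdump -i any -nn -c 3 'tcp port 853' &
    sleep 1
    resolvectl query debian.org >/dev/null
    wait
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify ;;
    *)      render_dot_dropin ;;
esac
```

The `resolv_uses_stub` check is the one worth keeping: a "Generated by NetworkManager" resolv.conf that names 9.9.9.9 directly fails it, and that is exactly the state in which `+DNSOverTLS` shows up in `resolvectl status` while port 853 stays silent.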
Terminal Velocity (OP)
I have followed that article. This is what my DNS looks like:
Code:
$  cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 9.9.9.9
nameserver 149.112.112.112
And this is what my /etc/systemd/resolved.conf file looks like:
Code:
$ cat /etc/systemd/resolved.conf
#DNS=
#FallbackDNS=
#Domains=
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
I have restarted the machine since yesterday and yet it doesn't work. Might I have a firewall enabled without knowing? What do you think?
 

f33dm3bits
I didn't change anything on my firewall, I just have a default firewall configuration. It looks like the Quad9 howto doesn't have a firewall configuration requirement either.
 
Terminal Velocity (OP)
That option in Firefox is called DNS over HTTPS. I have it enabled. Here we do DNS over TLS, which is more complicated if you are unlucky like me.

I found out that the systemd-resolved service is not enabled by default in Debian, so I enabled it with these two commands:
Code:
sudo systemctl enable systemd-resolved.service
sudo systemctl start systemd-resolved.service

Now I have this new info:
Code:
$ resolvectl status
Global
       Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign

Link 2 (wwx582c80139263)
    Current Scopes: DNS LLMNR/IPv4
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 3 (wlp1s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
 

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
9,035
Reaction score
7,692
Credits
73,737
What benefits do you have with TLS over HTTPS? They're both secure protocols.

On a positive note, you do appear to be defaulting to the DNS server you wanted to use. So, that's good.
 

f33dm3bits
If you're using Firefox, I think it's just a checkmark in the settings somewhere.
I didn't change any setting in my browser to make it work, I would think the Quad howto would have mentioned it if needed.
Code:
$ resolvectl status
Global
       Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign

Link 2 (wwx582c80139263)
    Current Scopes: DNS LLMNR/IPv4
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 3 (wlp1s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
It looks like DNSOverTLS is configured since it is mentioned in the list of active protocols, so now when you do a tcpdump on port 853 you should see DNS traffic.
 
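A check added here, not part of the thread, that reads the two artefacts already posted (the `resolvectl status` output and /etc/resolv.conf) and says whether queries can reach resolved at all. The point it illustrates: `resolv.conf mode: foreign` means something other than systemd-resolved (here NetworkManager, per the "Generated by" header) wrote /etc/resolv.conf, and that file names 9.9.9.9 directly, so glibc sends ordinary port-53 queries straight to Quad9 and resolved's TLS transport is never used, whatever `+DNSOverTLS` says. Only queries that arrive at the stub on 127.0.0.53 are forwarded over TLS. The sample inputs are constructed copies of what was posted above; the result tokens (`stub-bypassed` and so on) are my own naming.

```shell
#!/bin/sh
# Added example (not from the thread): explain why `resolvectl status` can show
# +DNSOverTLS while a tcpdump on port 853 stays empty.  Runs offline on
# constructed copies of the output posted in the thread.
set -eu

# "yes" if the Global section of `resolvectl status` lists +DNSOverTLS.
resolved_global_dot() {
    awk '/^Global/ {g=1; next}
         /^Link/   {g=0}
         g && /Protocols:/ {print (index($0, "+DNSOverTLS") ? "yes" : "no"); exit}' "$1"
}

# The "resolv.conf mode" value: stub, static, uplink or foreign.
resolv_conf_mode() {
    awk -F': *' '/resolv.conf mode:/ {print $2; exit}' "$1"
}

# First nameserver line of a resolv.conf file.
first_nameserver() {
    awk '$1 == "nameserver" {print $2; exit}' "$1"
}

# $1 = saved `resolvectl status` output, $2 = a resolv.conf.  Prints one token.
diagnose() {
    dot=$(resolved_global_dot "$1")
    mode=$(resolv_conf_mode "$1")
    ns=$(first_nameserver "$2")
    if [ "$dot" != yes ]; then
        echo resolved-dot-off      # DNSOverTLS= is not in effect in resolved
    elif [ "$mode" = foreign ] && [ "$ns" != 127.0.0.53 ]; then
        echo stub-bypassed         # apps query $ns on port 53; resolved never sees them
    else
        echo ok                    # queries go through the stub; expect TCP 853 traffic
    fi
}

# Constructed sample inputs, copied from what was posted in this thread.
sample_status() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Global
       Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign

Link 2 (wwx582c80139263)
    Current Scopes: DNS LLMNR/IPv4
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112
EOF
    echo "$f"
}

sample_resolv_foreign() {   # what NetworkManager wrote on the poster's machine
    f=$(mktemp)
    printf '# Generated by NetworkManager\nnameserver 9.9.9.9\nnameserver 149.112.112.112\n' > "$f"
    echo "$f"
}

sample_resolv_stub() {      # what /run/systemd/resolve/stub-resolv.conf provides
    f=$(mktemp)
    printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$f"
    echo "$f"
}

# On a live system:  resolvectl status > /tmp/status; diagnose /tmp/status /etc/resolv.conf
status=$(sample_status)
echo "as posted in the thread : $(diagnose "$status" "$(sample_resolv_foreign)")"
echo "with resolv.conf -> stub: $(diagnose "$status" "$(sample_resolv_stub)")"
```

The second line of output is what the same `resolvectl status` would mean once /etc/resolv.conf points at 127.0.0.53 (for example via `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`, after which `resolvectl status` reports `resolv.conf mode: stub`); only then does a browser lookup produce the TCP 853 packets the thread is waiting for.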

f33dm3bits
What benefits do you have with TLS over HTTPS? They're both secure protocols.
Also, it's more about who you trust more, because even though the traffic is encrypted, once your request gets to the DNS server they will still be able to see what requests you make.
 
Terminal Velocity (OP)
It looks like DNSOverTLS is configured since it is mentioned in the list of Protocols active, now when you do a tcpdump on port 853 you should see dns traffic.
Yet there is no traffic on port 853. Any further ideas are welcome.
 

f33dm3bits
Did you try restarting whatever network manager Debian uses, network or NetworkManager?
 

sphen

Well-Known Member
Joined
Dec 12, 2022
Messages
616
Reaction score
551
Credits
7,091
I was the one who mentioned firewall and now I regret it. At the time, I wondered whether a firewall was blocking port 853. Considering that a firewall is not active on @Terminal Velocity's system, the question is moot. Asked and answered.

I recommend NOT installing a firewall until later. A firewall can only cause more problems with blocking communications. Once the existing DNS over TLS question in this thread is resolved, then consider adding a firewall.

The OP, Terminal Velocity, is trying to do something more advanced than most casual Linux users attempt. While I admire the sense of fearlessness and adventure, they seem to be operating without the safety net of having mastered basic Linux usage skills. Considering that Terminal Velocity is not experienced with "apt install ..." what are the chances of success to switch ordinary DNS to DNS over TLS? Maybe the chance of success is decent with a good tutorial, but if something goes wrong, Terminal Velocity appears to lack the basic troubleshooting skills to fall back on. There is nothing wrong with that, but it implies a steeper learning curve to understand and accomplish the goal than Terminal Velocity expected.

I am concerned that this is not going to turn out well, mostly because Linux.org is not a school that can easily bootstrap Terminal Velocity up to a higher experience level. People here will try, but Terminal Velocity should also seek out additional basic learning resources that can help.

By the way, I assume that the reason Terminal Velocity wants to switch from ordinary DNS to DNS over TLS is to prevent their ISP and others from seeing and recording their DNS activity for tracking and monetizing purposes.
 

f33dm3bits
I restarted the computer, not the network manager. Does that make a difference?
Yeah that should be enough. What do you see currently when you run tcpdump on port 53 and then browse to a random website?
Code:
tcpdump -i any port 53
 