How to enable system-wide encrypted DNS
This guide accompanies the article "System-wide encrypted DNS".
Encrypted DNS for new installations can be enabled by passing a set of kernel arguments when booting the installation media. The following example uses Cloudflare's DNS server in exclusive mode, which enforces that server on all interfaces, and instructs NetworkManager to use the dnsconfd backend, which is currently required:
rd.net.dns=dns+tls://1.1.1.1#one.one.one.one rd.net.dns-resolve-mode=exclusive rd.net.dns-backend=dnsconfd
Note that #one.one.one.one is part of the DNS server URI; it is the name used to verify the server's TLS certificate. If a custom CA certificate is needed, it can be installed via kickstart into the expected location, /etc/pki/dns/extracted/pem/tls-ca-bundle.pem, using the new %certificate section in the kickstart file:
%certificate --dir /etc/pki/dns/extracted/pem/ --filename tls-ca-bundle.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
%end
Booting the installer with these kernel arguments makes it switch to encrypted DNS during installation, and the installed system has it enabled right away.
Existing systems
To enable the feature on an existing system, dnsconfd must be installed and enabled, and NetworkManager must be configured to use it; see the NetworkManager configuration snippet. Note that if the system is currently using systemd-resolved, it needs to be disabled to avoid conflicts with dnsconfd. For example:
$ cat /etc/NetworkManager/conf.d/global-dot.conf
[main]
dns=dnsconfd

[global-dns]
resolve-mode=exclusive

[global-dns-domain-*]
servers=dns+tls://1.1.1.1
If DNS is required during the boot process, dnsconfd-dracut can also be installed and the same kernel arguments set in the boot loader.
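The following script is an added example and is not part of the article or of the dnsconfd or NetworkManager projects. It renders, from one DoT server specification, the two artifacts the guide describes: the installer kernel-argument line and the NetworkManager drop-in for an existing system, and it refuses a specification that lacks the "#hostname" part, since without that name there is nothing to verify the server's TLS certificate against. It assumes that NetworkManager's servers= key accepts the same dns+tls://IP#name form as rd.net.dns (the guide's own snippet shows the name-less form), that the dnsconfd service is named dnsconfd, and it checks IPv4 literals only.

```shell
#!/bin/sh
# Added example (not from the article): build the DoT configuration the guide
# describes from a single server spec and apply it to an existing system.
# Assumed: NetworkManager accepts dns+tls://IP#name in servers=, and the
# service to enable is "dnsconfd". IPv4 literals only.

# dot_spec_ok SPEC -> 0 if SPEC is dns+tls://<IPv4>#<hostname>, 1 otherwise.
# The #hostname is mandatory here: it is the identity the TLS certificate is
# checked against, so a spec without it cannot authenticate the resolver.
dot_spec_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^dns\+tls://([0-9]{1,3}\.){3}[0-9]{1,3}#[A-Za-z0-9.-]+$'
}

# render_kernel_args SPEC MODE -> kernel command-line fragment for the installer
render_kernel_args() {
    printf 'rd.net.dns=%s rd.net.dns-resolve-mode=%s rd.net.dns-backend=dnsconfd\n' "$1" "$2"
}

# render_nm_conf SPEC MODE -> contents for /etc/NetworkManager/conf.d/global-dot.conf
render_nm_conf() {
    printf '[main]\ndns=dnsconfd\n\n[global-dns]\nresolve-mode=%s\n\n[global-dns-domain-*]\nservers=%s\n' "$2" "$1"
}

# apply_nm_conf SPEC MODE -> write the drop-in, retire systemd-resolved if it
# is running (it conflicts with dnsconfd), enable dnsconfd, restart NM.
apply_nm_conf() {
    dot_spec_ok "$1" || {
        echo "refusing '$1': no #hostname to verify the server certificate against" >&2
        return 1
    }
    render_nm_conf "$1" "$2" > /etc/NetworkManager/conf.d/global-dot.conf
    if systemctl is-active --quiet systemd-resolved; then
        systemctl disable --now systemd-resolved
    fi
    systemctl enable --now dnsconfd
    systemctl restart NetworkManager
}

# Usage (as root): sh dot-setup.sh apply 'dns+tls://1.1.1.1#one.one.one.one' exclusive
# Without the "apply" argument the script only defines the functions.
if [ "${1:-}" = apply ]; then
    apply_nm_conf "$2" "$3"
fi
```

render_kernel_args with the same spec and mode reproduces the installer line from the start of the guide, so one spec can be kept in a kickstart or provisioning repository and used for both new and existing hosts.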
Enabling encrypted DNS in FreeIPA
FreeIPA's encrypted DNS feature is designed to provide flexible deployment options while maintaining strong defaults for security. Whether a user is installing a new FreeIPA environment or integrating encrypted DNS into an existing one, the tools and options available give administrators granular control over how DNS is handled.
To enable encrypted DNS when installing a FreeIPA server or client, use the --dns-over-tls option.
Server installation:
# ipa-server-install --setup-dns --dns-over-tls
or replica installation:
# ipa-replica-install --setup-dns --dns-over-tls
This enables the integrated DNS service with DoT support. It sets up BIND to handle incoming DNS queries and Unbound to securely forward external queries using DoT. TLS certificates are either obtained automatically via the FreeIPA CA or provided by the user, as described below.
Client installation:
# ipa-client-install --dns-over-tls
This deploys Unbound as the local resolver and sets /etc/resolv.conf to forward all queries to 127.0.0.53, using DoT to reach upstream DNS servers (such as FreeIPA servers or public DoT-enabled resolvers).
Choosing a DNS policy
The --dns-policy option defines the system's behavior regarding encrypted DNS. With --dns-policy=relaxed, the resolver may fall back to unencrypted DNS if DoT is unavailable, which suits mixed environments or gradual rollouts. With --dns-policy=enforced, DoT is required and DNS resolution fails if encryption is not available, which suits security-critical setups where all DNS traffic must be encrypted, for example:
# ipa-client-install --dns-over-tls --dns-policy=enforced
Note that, when DoT use is enforced, the system must already be configured to reach a DoT-enabled resolver (e.g., a FreeIPA server with DoT or a trusted upstream DNS server), or installation and service discovery may fail.
Configuring upstream DoT forwarders
If the FreeIPA server or client should forward queries to an external DoT-capable resolver, use the --dot-forwarder option:
# ipa-server-install --setup-dns --dns-over-tls --dot-forwarder=1.2.3.4#dns.example.org
The IP address and domain must match the subject of the TLS certificate presented by the upstream server; this requirement is what allows the certificate to be validated during encrypted DNS resolution. This setting can be combined with the --forwarder, --auto-forwarders, or --no-forwarders options to control how traditional DNS resolution is handled alongside DoT.
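The following script is an added example and is not part of FreeIPA. Before an IP#NAME value is handed to --dot-forwarder, it confirms that the resolver at that IP actually presents, on the DoT port 853, a certificate whose subject or SAN matches NAME and that chains to a trusted CA, so that an enforced-mode installation does not fail later on certificate validation. It assumes openssl 1.1.0 or newer (for -verify_hostname) and takes an optional CA bundle path as its second argument; the "dns.example.org" and "1.2.3.4" values are the guide's own placeholders.

```shell
#!/bin/sh
# Added example (not FreeIPA code): pre-flight check of an upstream DoT
# forwarder given in the IP#NAME form that --dot-forwarder expects.
# Assumes openssl >= 1.1.0; network access is only used by check_dot_forwarder.

# forwarder_ip SPEC -> the IP part of IP#NAME
forwarder_ip() {
    printf '%s\n' "${1%%#*}"
}

# forwarder_name SPEC -> the NAME part of IP#NAME, empty if there is no '#'
forwarder_name() {
    case "$1" in
        *#*) printf '%s\n' "$1" | cut -d'#' -f2 ;;
        *)   printf '\n' ;;
    esac
}

# check_dot_forwarder SPEC [CAFILE] -> 0 if a TLS handshake to IP:853 verifies
# against NAME (and CAFILE, or the system trust store when omitted), 1 otherwise.
check_dot_forwarder() {
    ip=$(forwarder_ip "$1")
    name=$(forwarder_name "$1")
    if [ -z "$name" ]; then
        echo "refusing '$1': no #hostname, nothing to validate the certificate against" >&2
        return 1
    fi
    ca=""
    if [ -n "${2:-}" ]; then
        ca="-CAfile $2"
    fi
    # Offer NAME via SNI and require it in the certificate's SAN/CN;
    # -verify_return_error turns a chain or hostname failure into a
    # handshake failure and a non-zero exit instead of a mere warning.
    openssl s_client -connect "$ip:853" -servername "$name" \
        -verify_hostname "$name" -verify_return_error $ca \
        < /dev/null > /dev/null 2>&1
}

# Usage: sh dot-check.sh check 1.2.3.4#dns.example.org [/path/to/ca-bundle.pem]
# Without the "check" argument the script only defines the functions.
if [ "${1:-}" = check ]; then
    if check_dot_forwarder "$2" "${3:-}"; then
        echo "ok: $2 presents a certificate valid for $(forwarder_name "$2")"
    else
        echo "FAILED: $2 cannot be verified; do not pass it to --dot-forwarder yet" >&2
        exit 1
    fi
fi
```

When the upstream is another FreeIPA server whose DoT certificate came from the FreeIPA CA, pass that CA as the second argument (on enrolled hosts it is available as /etc/ipa/ca.crt); for a public resolver the system trust store is usually sufficient.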
Managing TLS certificates
Administrators can provide their own certificates and private keys for DoT by using the following options: --dns-over-tls-cert to specify the path to the PEM-formatted TLS certificate, and --dns-over-tls-key to specify the path to the corresponding private key. If not provided, FreeIPA will request a certificate from its CA and manage renewal automatically through its certmonger subsystem.
In enforced mode, DNS discovery (such as SRV lookups for _ldap._tcp) must also occur over encrypted channels. To prepare the system for this, users should configure NetworkManager to use a resolver that supports DoT. Future versions of ipa-client-install will automate this process by preconfiguring Unbound to handle encrypted DNS resolution out of the box.
Return to the main article, "System-wide encrypted DNS".