DNS Over TLS
Summary
Fedora will attempt to use DNS over TLS (DoT) if supported by configured DNS servers.
Owner
- Name: Michael Catanzaro
- Email: <mcatanzaro@redhat.com>
- Name: Zbigniew Jędrzejewski-Szmek
- Email: <zbyszek@in.waw.pl>
Current status
- Targeted release: Fedora 34
- Last updated: 2020-10-07
- FESCo issue: #2486
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
We will build systemd with -Ddefault-dns-over-tls=opportunistic to protect DNS queries against passive network attackers. An active network attacker can trivially subvert this protection, but we cannot make DoT mandatory because other operating systems do not do so and many (or most?) DNS servers do not support it. DoT will only be used if the configured DNS server supports it and if it is not blocked by an active network attacker.
Note that DoT is different from DNS over HTTPS (DoH). In particular, DoT is not an anti-censorship tool like DoH. It does not look like regular HTTPS traffic, and it can be blocked by network administrators if desired, so it should not be a problem for corporate networks.
Feedback
Benefit to Fedora
DNS queries are encrypted and private by default, if the user's ISP supports DoT. Most probably don't, but users who manually configure a custom DNS server (e.g. Cloudflare or Google) will automatically benefit from DNS over TLS.
Scope
- Proposal owners: change meson flags in systemd.spec
- Other developers: N/A (nothing should be required)
- Release engineering: #9772 (a check of the impact with Release Engineering is needed)
- Policies and guidelines: N/A (nothing should be required)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: Nope
Upgrade/compatibility impact
DoT will be enabled automatically on upgrade to F34. If DoT is unsupported, systemd-resolved will fall back to unencrypted DNS, so there should be no compatibility impact.
How To Test
Load any website in a web browser. If you succeed, then name resolution probably works.
Try running "resolvectl query fedoraproject.org" to see that resolvectl still works.
Bonus points: set your DNS server to 1.1.1.1 or 8.8.8.8, then use Wireshark to see if your DNS is really encrypted or not.
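As an added example (not part of this Change page), the shell script below checks which DNS over TLS mode systemd-resolved is actually applying, per link, and whether that mode still allows plaintext fallback, which is the "passive observers only" caveat of opportunistic mode. It parses the "Protocols:" line of "resolvectl status" output; the token format it assumes ("+DNSOverTLS" for yes, "DNSOverTLS=opportunistic", "-DNSOverTLS" for no, mirroring how resolvectl prints LLMNR and mDNS state) is an assumption, and the sample output it runs on is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Fedora Change page: report the DoT mode that
# systemd-resolved applies globally and per link, and whether that mode can
# still fall back to unencrypted DNS on port 53.
#
# Constructed sample of "resolvectl status" output (not captured from a real
# host). The "+DNSOverTLS" / "DNSOverTLS=opportunistic" / "-DNSOverTLS" token
# format is an assumption based on how resolvectl prints LLMNR/mDNS state.
SAMPLE_STATUS='Global
       Protocols: LLMNR=resolve -mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 1.1.1.1 8.8.8.8

Link 3 (tun0)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.53
       DNS Servers: 10.0.0.53'

# dot_mode NAME STATUS_TEXT
# Prints yes|opportunistic|no|unknown for the block called NAME, where NAME is
# "Global" or a link name such as eth0. A block ends at the first blank line.
dot_mode() {
    block=$(printf '%s\n' "$2" | awk -v name="$1" '
        ($1 == "Link" && index($0, "(" name ")") > 0) || $0 == name { inblk = 1; next }
        inblk && NF == 0 { exit }
        inblk { print }')
    proto=$(printf '%s\n' "$block" | grep 'Protocols:' || true)
    case "$proto" in
        *'+DNSOverTLS'*)              echo yes ;;
        *'DNSOverTLS=opportunistic'*) echo opportunistic ;;
        *'-DNSOverTLS'*)              echo no ;;
        *)                            echo unknown ;;
    esac
}

# plaintext_possible MODE
# Succeeds (exit 0) when queries may still leave the host unencrypted: only
# strict mode ("yes") refuses to fall back to plaintext DNS.
plaintext_possible() {
    [ "$1" != "yes" ]
}

# report NAME STATUS_TEXT -> one-line human-readable verdict
report() {
    mode=$(dot_mode "$1" "$2")
    if plaintext_possible "$mode"; then
        printf '%s: DNSOverTLS=%s (plaintext fallback possible; a passive observer may see queries)\n' "$1" "$mode"
    else
        printf '%s: DNSOverTLS=%s (strict; no plaintext fallback)\n' "$1" "$mode"
    fi
}

# Demonstrate on the constructed sample, then on the live system when
# resolvectl is present and systemd-resolved is running.
for name in Global eth0 tun0; do report "$name" "$SAMPLE_STATUS"; done
live=$(resolvectl status 2>/dev/null || true)
if [ -n "$live" ]; then
    report Global "$live"
fi
```

In the sample, the Global block carries the Fedora 34 default (opportunistic), eth0 has been switched to strict mode, and the VPN link tun0 has DoT off entirely, so queries routed through it are plaintext regardless of the global setting. Wireshark, as the "bonus points" step suggests, confirms the verdict: with strict or working opportunistic DoT you should see TCP port 853 traffic to the server and no UDP port 53 queries leaving the host.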
User Experience
Users should not notice any difference in behavior.
Dependencies
No dependencies.
Contingency Plan
- Contingency mechanism: revert the change
- Contingency deadline: can be done at any time, before F34 beta freeze would be best
- Blocks release? No
- Blocks product? No
Documentation
See the section DNSOverTLS= in the manpage resolved.conf(5).
Release Notes
systemd-resolved now enables DNS over TLS (DoT) support by default, in opportunistic mode. DoT will be used only if supported by your DNS server, and provides only best-effort encryption to protect against passive network observers. For compatibility with existing DNS servers, systemd-resolved will fall back to unencrypted DNS if DoT does not appear to be supported, reducing the security benefit. If you wish to manually configure systemd-resolved to prevent fallback to unencrypted DNS, set DNSOverTLS=yes in /etc/systemd/resolved.conf. Note that DoT is different than DNS over HTTPS (DoH) in that it does not use HTTPS and is therefore easy to distinguish from HTTPS traffic.
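As an added example (not from this Change page or from the systemd project), the drop-in below shows the opportunistic default that the -Ddefault-dns-over-tls=opportunistic build flag gives Fedora 34 next to the strict setting the release notes describe, using the two public resolvers mentioned under How To Test. The drop-in path is an assumption (resolved.conf.d drop-ins override /etc/systemd/resolved.conf), and the "#name" suffix on DNS=, which names the host the server certificate is validated against, is my reading of resolved.conf(5) for the systemd version in Fedora 34, not something this page states.

```ini
# /etc/systemd/resolved.conf.d/10-dot.conf  (path is an assumption)
# Added example drop-in, not part of the Fedora Change page.
[Resolve]
# Resolvers known to speak DoT on TCP port 853. The "#name" suffix tells
# systemd-resolved which name to validate the server certificate against
# (assumed to be supported by the systemd shipped in Fedora 34).
DNS=1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google

# Fedora 34 default (from -Ddefault-dns-over-tls=opportunistic): try DoT,
# but silently fall back to plaintext port 53 if it is blocked or unsupported.
# Protects only against passive observers.
#DNSOverTLS=opportunistic

# Strict mode from the Release Notes: never fall back to plaintext. Resolution
# fails instead of leaking queries when DoT is unavailable, so use it only with
# servers that are known to support DoT.
DNSOverTLS=yes
```

After editing, apply the change with "systemctl restart systemd-resolved" and confirm it with "resolvectl status", whose Protocols line should show DoT enabled rather than opportunistic; "resolvectl query fedoraproject.org" then exercises the strict path, and a failure there means the chosen server does not support DoT or port 853 is blocked on the network.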