Following this article I'm having a hard time determining which DNS resolver my archlabs install uses. It looks like archlabs is using dnsmasq, however adding
address=/opera.technology/127.0.0.127
address=/opera.com/127.0.0.127
to /etc/dnsmasq.conf and doing a systemctl restart dnsmasq.service doesn't blacklist opera's domains and subdomains. /etc/hosts isn't helping here since I do not know all the names of opera's subdomains.
Also I would like to use dnssec and to switch to 9.9.9.9 as my system's primary name resolver instead of using my router's or my provider's DNS resolver.
systemctl status systemd-resolved.service
systemctl status NetworkManager.service
tell me that NetworkManager is enabled and running, systemd-resolved is neither enabled nor running.
edit: getting closer
/etc/NetworkManager/NetworkManager.conf is surprisingly taciturn; however, putting additional .conf files in /etc/NetworkManager/conf.d might serve the purpose.
https://wiki.archlinux.org/index.php/NetworkManager#DNS_management
I'll let you know in case I manage to achieve the aforementioned objectives and how.
edit: sorry, I don't get it.
Added cache.conf and dnssec.conf to /etc/NetworkManager/dnsmasq.d/ and restarted NetworkManager, but NetworkManager is still using my WLAN's default. Any help would be greatly appreciated.
Hi there, dnsmasq is used by default in archlabs (see ps aux | rg dnsmasq). However, obviously the settings in /etc/NetworkManager/dnsmasq.d/ are only loaded when a /etc/NetworkManager/conf.d/dns.conf explicitly instructs NetworkManager to do so.
So I put a dnssec.conf in /etc/NetworkManager/dnsmasq.d/:
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
server=9.9.9.9
cache-size=1000
address=/opera.technology/127.0.0.127
address=/opera.com/127.0.0.127
and a dns.conf in /etc/NetworkManager/conf.d/:
[main]
dns=dnsmasq
peerdns=no
After a nmcli general reload my resolver is running on DNSSEC now AND is preventing chatty software from calling home.
Thanks for your help, Head_on_a_Stick!
just for the record:
in case you are running VMs on that host you might want to tell their NetworkManager to use DNSSEC as well.
Hmmmm, ok, that doesn't work without any hassle... after a reboot I encountered further issues... dnsmasq.service has to be disabled now that NetworkManager starts dnsmasq:
systemctl disable --now dnsmasq.service
And obviously one has to tell each and every network connection to ignore the individual DHCP-mediated DNS resolver:
nmcli con mod 'network-name' ipv4.ignore-auto-dns yes
[…]
nmcli general reload
nmtui (offers the ignore-auto-dns setting also)
Originally I had assumed that peerdns=no in /etc/NetworkManager/conf.d/dns.conf does that for me.
Any ideas how to make peerdns=no work?
Also, I'm not entirely convinced that subdomains of the above mentioned domains are redirected to localhost. I have been digging through Pi-hole's git repository (i.e. pi-hole/01-pihole.conf at master · pi-hole/pi-hole · GitHub) to figure out how Pi-hole's dnsmasq achieves that.
Furthermore, systemctl status NetworkManager.service gives me quite a bunch of
Insecure DS reply received, do upstream DNS servers support DNSSEC?
Are those answers discarded? Is there a log in which I could look to clarify? In /var/log no file jumps out at me.
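Regarding the doubt about subdomains: dnsmasq's address=/domain/ip directive answers for the domain itself and for every name below it, and when several entries match, the longest (most specific) domain wins. The following is an added example, not code from this thread, that models those matching rules in Python over the address= lines posted above plus a constructed, more specific entry (cdn.opera.com -> 10.0.0.5) to show the precedence rule.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the address= lines from the thread, plus a hypothetical
# more specific entry to show that dnsmasq prefers the longest matching domain.
SAMPLE_CONF = """conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
server=9.9.9.9
# lines starting with '#' are comments in dnsmasq.conf
address=/opera.technology/127.0.0.127
address=/opera.com/127.0.0.127
address=/cdn.opera.com/10.0.0.5
"""

def parse_address_lines(conf: str) -> List[Tuple[str, str]]:
    """Return (domain, ip) pairs from address=/domain/ip lines; everything else is ignored."""
    entries = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.fullmatch(r"address=/([^/]+)/(.+)", line)
        if m:
            entries.append((m.group(1).lower().strip("."), m.group(2).strip()))
    return entries

def matches(domain: str, name: str) -> bool:
    """dnsmasq semantics: an entry covers the domain itself and every name below it;
    the special domain '#' covers everything."""
    name = name.lower().rstrip(".")
    if domain == "#":
        return True
    return name == domain or name.endswith("." + domain)

def resolve(entries: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Answer dnsmasq would synthesise for name, or None if it would forward upstream.
    When several entries match, the most specific (longest) domain wins."""
    best = None
    for domain, ip in entries:
        if matches(domain, name) and (best is None or len(domain) > len(best[0])):
            best = (domain, ip)
    return best[1] if best else None

def redirected(entries: List[Tuple[str, str]], names: List[str]) -> List[str]:
    """Names from the list that never leave the host (answered with a 127.x loopback address)."""
    return [n for n in names if (resolve(entries, n) or "").startswith("127.")]
```

To check the real daemon rather than the model, query it directly (for example drill sync.opera.com @127.0.0.1) and confirm the answer is 127.0.0.127.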
journalctl --unit NetworkManager.service
Thanks for your help, Head_on_a_Stick. I tried
journalctl --unit NetworkManager.service -r -o verbose
which gave me far too much output. So I limited it a bit by
journalctl --unit NetworkManager.service -S '2020-02-17 17:48:52' -o verbose
which tells me that dnsmasq is responsible for
Insecure DS reply received, do upstream DNS servers support DNSSEC?
but gives no further details on which process did the DNS request and why the request was forwarded to a non-DNSSEC resolver.
So I decided to revert all changes and try a different approach:
sudo su
cd /etc/NetworkManager
rm conf.d/dns.conf
rm dnsmasq.d/dnssec.conf
nmcli con mod 'networkname' ipv4.ignore-auto-dns no
systemctl restart NetworkManager.service
systemctl enable --now dnsmasq.service
nmcli general reload
By chance I stumbled across this article and so I decided to give dnscrypt-proxy a try:
sudo su
pacman -Syu
pacman -S dnscrypt-proxy
cd /etc/dnscrypt-proxy
ls -al
systemctl stop dnsmasq.service
rg -Nv '#' dnscrypt-proxy.toml | rg . > dnscrypt-proxy.new
mv dnscrypt-proxy.toml dnscrypt-proxy.toml.backup
mv dnscrypt-proxy.new dnscrypt-proxy.toml
nano dnscrypt-proxy.toml
changed
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
(line 1)
require_dnssec = true
(line 7)
cd /etc/
mv dnsmasq.conf dnsmasq.conf.backup
nano dnsmasq.conf
filled file with
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
no-resolv
server=::1#53000
server=127.0.0.1#53000
listen-address=::1,127.0.0.1
cd /etc/NetworkManager/conf.d
nano dns.conf
filled file with
[global-dns-domain-*]
servers=::1,127.0.0.1
and restarted / enabled the services concerned:
systemctl enable --now dnscrypt-proxy.service
systemctl start dnsmasq.service
systemctl restart NetworkManager.service
nmcli general reload
The whole thing seems to work stably now. The service dnscrypt-proxy obviously offers quite a bunch of features (i.e. a blacklist.txt), but I haven't had time to read into the details so far.
Hope I could inspire fellow forum members to make the internet a safer place.