README_DNS_setup.rst

DNS Privacy Evaluation and Setup

Your overall online privacy "profile" depends heavily on where your DNS requests go. Typically your initial DNS server address is handed out by your local router (or other DHCP server) and is a private IP address; the router itself, however, simply forwards your requests to another DNS server configured in the router (typically the addresses your ISP provides).

Before making any changes, you can test your current settings with the following URLs:

The upshot of the above is that you implicitly trust the humans who operate those DNS servers, yet you have no idea how much data they log or where it goes. It gets worse: (legacy) DNS is plain text and easily intercepted by anyone on the network path. Sure, you can try a commercial VPN provider or configure your system to use one of Google's public DNS servers, but plain-text DNS remains a well-documented tracking and data-collection channel.

In order to rectify the problem you'll need to collect some system info:

  • what tools own/manage your network config?
  • what tools own/manage your DNS config?

For Ubuntu bionic and focal, the answer is most likely one or more of the following.

Net config:

  • netplan
  • cloud-init
  • NetworkManager
  • connman

DNS config:

  • DHCP/netplan
  • systemd-resolved
  • NetworkManager
  • connman

For Gentoo the answer is similar.

  • netifrc/DHCP and openrc
  • systemd-resolved
  • NetworkManager
  • connman

Ubuntu configuration

Underneath everything you most likely have a netplan configuration file (which is auto-generated by cloud-init on the "official" Ubuntu cloud image and rootfs builds).

To find out, open a terminal and issue the following command:

$ ls /etc/netplan/
01-network-manager-all.yaml

The answer above is from the Ubuntu Mate rpi image. Now cat the file:

$ cat /etc/netplan/01-network-manager-all.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

The above shows netplan does an immediate handoff to NetworkManager (which will use either an external or internal DHCP client to handle the network configuration).

Now we can look at the DNS configuration, mainly your /etc/resolv.conf file. This can be either a regular file or a symlink (if the latter, the link target shows who is currently managing your DNS servers).

$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 32 Sep 4 21:54 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

The above shows systemd-resolved is operating as your local DNS stub resolver, where "stub resolver" means it is 1) local to your device only, and 2) non-recursive (it forwards queries to upstream servers rather than walking the DNS tree itself).

To see what DNS servers are used for name resolution, issue the following command in a terminal:

$ systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 3 (enx84e714006ef7)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1
          DNS Domain: local.domain

Link 2 (wlan0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

What can we learn from the above output?

  1. There are no global nameservers configured (if so, they would appear near the top)
  2. The ethernet interface has one local nameserver
  3. The wifi interface is currently not configured

Now we can look at the DNS server address(es) your system is actually using by checking the contents of resolv.conf. In your terminal, cat the file:

$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
(more comments suppressed)
nameserver 127.0.0.53
options edns0
search local.domain

The above shows systemd-resolved is indeed "managing" the contents and will overwrite any direct edits; we also need to make sure NetworkManager isn't going to do the same thing.
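The two checks just described (is resolv.conf a symlink, and to which systemd-resolved file, or a regular file; and which nameserver lines does it really carry) are easy to script. The following POSIX shell script is an added example and is not part of this README: resolv_owner and resolv_nameservers are my own function names, and the "Generated by NetworkManager" banner it looks for is the comment NetworkManager writes at the top of a resolv.conf it manages. It is read-only, so it is safe to run before and after the changes in the rest of this document.

```shell
#!/bin/sh
# Added example, not from the original README: report who owns resolv.conf
# and which nameservers it really points at. Read-only; safe to run any time.
# Usage: resolv_owner [PATH]; resolv_nameservers [PATH]
#        (PATH defaults to /etc/resolv.conf)

resolv_owner() {
    path="${1:-/etc/resolv.conf}"
    if [ -L "$path" ]; then
        # A symlink: the target tells you which daemon manages the file.
        target=$(readlink "$path")
        case "$target" in
            */systemd/resolve/stub-resolv.conf) echo systemd-resolved-stub ;;  # 127.0.0.53 stub
            */systemd/resolve/resolv.conf)      echo systemd-resolved ;;       # upstream list
            *)                                  echo "symlink:$target" ;;
        esac
    elif [ -f "$path" ]; then
        # A regular file: look for the banner comment a manager writes into it.
        if grep -q 'Generated by NetworkManager' "$path"; then
            echo networkmanager
        elif grep -q 'managed by man:systemd-resolved' "$path"; then
            echo systemd-resolved-copy   # a copy of the resolved file, not the link
        else
            echo static                  # hand-written, e.g. the stubby file later in this README
        fi
    else
        echo missing
    fi
}

# Print the nameserver addresses, one per line, ignoring comments and options.
resolv_nameservers() {
    path="${1:-/etc/resolv.conf}"
    [ -e "$path" ] || return 1
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$path"
}

# Demo against the live system.
printf 'resolv.conf owner : %s\n' "$(resolv_owner)"
printf 'nameservers       : %s\n' "$(resolv_nameservers | tr '\n' ' ')"
```

On the stock setup above this prints systemd-resolved-stub and 127.0.0.53; after the stubby steps later in this README it should print static and 127.0.0.1. If it ever prints networkmanager, NetworkManager has taken the file over and the dns=none change below has not taken effect.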

Reconfigure your ethernet device (optional)

If your netplan config file above shows renderer: NetworkManager and you want to change it, you can make the interface "unmanaged" by NetworkManager.

The following netplan config will make NetworkManager stop managing your (wired) ethernet config:

network:
  ethernets:
    eth0:
      dhcp4: true
      optional: true
  version: 2

Be careful not to change the indenting in yaml config files (any file ending in .yml or .yaml).

If your ethernet interface has a different name, substitute that name in the config above. Check your network interfaces using the ifconfig or ip addr show commands.

Since we want to use only the secure DNS servers you choose, we need to tell systemd-resolved it no longer owns (or manages) resolv.conf; we do that by removing the symlink and creating a regular file in its place. But first we need to install a resolver that encrypts its upstream queries; for this example we use the getdnsapi stub resolver (aka stubby).

Tell NetworkManager not to change resolv.conf

By default NetworkManager will leave the DNS server settings alone if-and-only-if it detects that /etc/resolv.conf is a symlink to one of the systemd-resolved files. If it sees that /etc/resolv.conf is a regular file it will start "managing" it (i.e., overwrite any changes you make to it). To stop that behavior, you'll need to add dns=none to the [main] section of NetworkManager.conf. Run:

$ sudo nano /etc/NetworkManager/NetworkManager.conf

and change the following:

[main]
plugins=ifupdown,keyfile
dns=none                  <==  add or edit this line

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no

Then save and exit the file and restart NetworkManager:

$ sudo systemctl restart NetworkManager.service
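The manual nano edit above is easy to get wrong on a machine that already has a dns= line with another value, has the key in the wrong section, or has no [main] section at all. As an added example (not part of this README and not a NetworkManager tool), here is a POSIX shell function of my own, ini_set, that makes the same change idempotently with awk: it rewrites an existing key once, appends a missing key to the end of its section, or creates the section if it is absent. The demo at the bottom works on a constructed copy of the config so the block runs without root.

```shell
#!/bin/sh
# Added example, not from the original README: set KEY=VALUE inside one
# [SECTION] of an INI-style file such as /etc/NetworkManager/NetworkManager.conf.
#   - key already in the section (any value, duplicates too): rewritten once
#   - key missing from the section: appended at the end of that section
#   - section missing: created at the end of the file
# KEY is used inside a regex, so keep it to letters, digits, '.', '-' and '_'.
# Usage: ini_set FILE SECTION KEY VALUE

ini_set() {
    file="$1" section="$2" key="$3" value="$4"
    tmp="$file.tmp.$$"
    awk -v section="$section" -v key="$key" -v value="$value" '
        function emit_kv()      { print key "=" value; done_kv = 1 }
        function flush_blanks() { printf "%s", blanks; blanks = "" }
        BEGIN {
            hdr_re = "^[ \t]*\\[" section "\\][ \t]*$"
            key_re = "^[ \t]*" key "[ \t]*="
        }
        /^[ \t]*\[/ {                                # any section header
            if (in_target && !done_kv) emit_kv()     # leaving target: append key first
            flush_blanks()
            in_target = ($0 ~ hdr_re)
            print; next
        }
        in_target && /^[ \t]*$/ { blanks = blanks $0 "\n"; next }   # hold blank lines
        in_target && $0 ~ key_re {
            flush_blanks()
            if (!done_kv) emit_kv()                  # first hit rewritten, duplicates dropped
            next
        }
        { flush_blanks(); print }
        END {
            if (!done_kv) {
                if (!in_target) print "[" section "]"
                emit_kv()
            }
            flush_blanks()
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed copy (sample content modelled on the README's file).
demo=$(mktemp)
printf '[main]\nplugins=ifupdown,keyfile\n\n[ifupdown]\nmanaged=false\n' > "$demo"
ini_set "$demo" main dns none
cat "$demo"
rm -f "$demo"
```

To apply it to the real file, source the script as root and run ini_set /etc/NetworkManager/NetworkManager.conf main dns none, then restart NetworkManager as shown above. Because the function rewrites the file through a temporary copy and mv, a crash midway leaves the original untouched.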

Install a secure DNS resolver

One available/working example is the getdns resolver, stubby; use the appropriate package manager to install the package for your distro:

  • Gentoo - sudo USE="stubby" emerge net-dns/getdns
  • Ubuntu - sudo apt-get install stubby

Then view the config file:

$ less /etc/stubby/stubby.yml

The default settings should work fine out-of-the-box; however, you should review the default DNS providers in the uncommented portion of the upstream_recursive_servers section of the file. The fpnd package also installs some example config files, including an example stubby.yml with some alternate DNS providers (note this is only the provider section and not a complete config file).

By default stubby will only listen for DNS requests on the loopback interface on port 53, i.e., 127.0.0.1:53, so you'll need to set this address in your new resolv.conf file (see below).

To verify your changes, you will need the dig command; if you don't have it already, install it with the following:

  • Gentoo - sudo emerge net-dns/bind-tools
  • Ubuntu - sudo apt-get install bind9utils

Note

Depending on the Ubuntu release/version, you may need to install the dnsutils package instead of the above.

Set resolv.conf for stubby (systemd only)

Now you can remove the symlink and set your new resolver address in the (new) resolv.conf file:

$ sudo rm /etc/resolv.conf

then run:

$ sudo nano /etc/resolv.conf

and add the following content to the new file:

# use stubby as secure local resolver
nameserver 127.0.0.1

and finally, restart the relevant services:

$ sudo systemctl restart systemd-resolved.service
$ sudo systemctl restart stubby.service

then check your new config:

$ systemd-resolve --status

Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 127.0.0.1
         DNS Servers: 127.0.0.1
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
(more output suppressed)

and make sure your new nameserver address appears in the Global section as shown above (note your output may look slightly different).

Finally, try to resolve something:

$ dig www.gentoo.org

; <<>> DiG 9.16.1-Ubuntu <<>> www.gentoo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20166
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.gentoo.org.                        IN      A

;; ANSWER SECTION:
www.gentoo.org.         43199   IN      CNAME   www-bytemark-v4v6.gentoo.org.
www-bytemark-v4v6.gentoo.org. 43200 IN  A       89.16.167.134

;; AUTHORITY SECTION:
gentoo.org.             86399   IN      NS      ns3.gentoo.org.
gentoo.org.             86399   IN      NS      ns1.gentoo.org.

;; ADDITIONAL SECTION:
ns1.gentoo.org.         43199   IN      AAAA    2001:470:ea4a:1:225:90ff:fe02:16e5
ns3.gentoo.org.         43199   IN      AAAA    2001:470:1f06:a91::2
ns1.gentoo.org.         43199   IN      A       140.211.166.189
ns3.gentoo.org.         43199   IN      A       208.116.51.2

;; Query time: 935 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 21 00:01:19 UTC 2020
;; MSG SIZE  rcvd: 363

Two interesting things to note about the above:

  • the flags line near the top should include ad (authenticated data) when the resolver has validated the answer with DNSSEC (the queried zone must be signed for this flag to appear)
  • the SERVER line near the bottom should show the listening address of your shiny new secure DNS resolver
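Those two lines are the ones worth checking every time you touch the DNS setup, so here is an added example (not part of this README) that reads dig output from stdin and checks both: check_dig is my own function name, and the sample fed to it at the bottom is a constructed excerpt modelled on the dig run above, embedded so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the original README: check a dig(1) answer for the
# two signs called out above: the "ad" flag (the resolver validated the answer
# with DNSSEC) and a SERVER line naming your local stubby listener.
# Usage: dig www.gentoo.org | check_dig 127.0.0.1     (exit 0 = both checks pass)

check_dig() {
    expected="$1"
    out=$(cat)                                  # whole dig output from stdin
    # ";; flags: qr rd ra ad; QUERY: 1, ..."  -> "qr rd ra ad"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    # ";; SERVER: 127.0.0.1#53(127.0.0.1)"    -> "127.0.0.1"
    server=$(printf '%s\n' "$out" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p')
    rc=0
    case " $flags " in                          # padded so "ad" cannot match inside "aa" or "ra"
        *" ad "*) echo "ok:   ad flag set, answer was DNSSEC-validated by the resolver" ;;
        *)        echo "warn: no ad flag (resolver did not validate, or the zone is unsigned)"
                  rc=1 ;;
    esac
    if [ "$server" = "$expected" ]; then
        echo "ok:   answered by $server"
    else
        echo "fail: answered by '${server:-unknown}', expected $expected"
        rc=1
    fi
    return $rc
}

# Constructed sample (trimmed from a run like the one above) so the block runs
# offline; on a real box pipe `dig www.gentoo.org` into check_dig instead.
check_dig 127.0.0.1 <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20166
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
```

A missing ad flag on a signed zone such as gentoo.org means the answer was not validated, which on this setup usually means the query never reached stubby; a SERVER line showing your router's address (192.168.1.1 in the output earlier) means some other tool has rewritten resolv.conf again.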

Using stubby with openrc

Although the stubby resolver works fine as a primary resolver (i.e., you have stubby running on localhost port 53 and all you need is external name resolution), if you need access to private LAN resources then you most likely need a more flexible solution than just a hosts file.

If so, take a look at Scenario 3 in the example scenarios.