I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.
Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called 'drop-in' files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.
Modern browsers use their buit-in DNS settings which adds to the confusion.
I think this is one area that Linux needs more work and more standardization.
How do you think it should be fixed?
There's no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there's a toggle to turn it off, I'm okay with that.
The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.
Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (
~home.arpa
for virtual machines and~lan
for machines in my home network).There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I'll have to enable
DNSDefaultRoute=
in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It's a lot of steps but I can automate most of them with a script for now.Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.
Edit: link to some blog post