yumupgrades for production use, this is the repository for you.
Active subscription is required.
DNS is a plain-text protocol, and many countries have employed censorship on their citizens by simply hijacking the standard DNS port 53 and inspecting it while denying much of what is being accessed.
Cloudflare provides a secure DNS system via several protocols. In this guide, we’re picking up our previous article on DNS caching for your Linux machine and iteratively improve that setup by switching from plain insecure DNS to secure DNS.
This guide is useful for both workstation and server RHEL-based systems.
Internet censorship via DNS. Indonesia example
An example of such a country that practices censorship on its Internet space is Indonesia. Many quite legitimate websites are blocked on a DNS level, and the bypass is as easy as setting a hosts file entry, or a proxy.
There are many questions about that system. The block list is downloadable and publicly accessible.
Let’s review how this system works on a sample entry
s****ools.co.uk. What does it mean in practice?
- The domain
sools.co.ukseems not blocked and doesn’t exist.
- The domain
scools.co.ukis not blocked yet
scccccools.co.ukare all blocked.
In fact, such severe blocking varies per particular domain, but it can be observed that Internet access is very degraded with this wildcard blocking.
Even if there wouldn’t be any blocking in the first place, this clearly shows what the open DNS protocol allows for.
It provides the ability to inspect and block your requests to any website.
It is a high breach of your privacy, in that it allows anyone with the appropriate access levels, to see your actual website visit history, on a domain basis.
And that is, whether those websites employ TLS encryption or not.
Making your DNS secure
The best solution, for performance, and privacy-wise is to set up your DNS requests to be encrypted. There are currently few protocols and services allowing you to do it.
In this article, we will review how to make your existing RHEL machine setup with
dnsmasq and NetworkManager use secure DNS communication.
Here’s our current setup:
<your browser> -> <dnsmasq> -> <Cloudflare DNS servers>.
In the case of severely censored locations like the above, it actually works as
<your browser> -> <dnsmasq> -> <ISP nameservers>, due to ISPs hijacking the DNS port on the network level.
And here’s what our new setup will look like:
<your browser> -> <dnsmasq> -> <dnscrypt-proxy> -> <Cloudflare secure DNS servers>.
Set up and configure
dnscrypt-proxy is a software that acts as a standard DNS resolving nameserver, but is capable of talking to upstream DNS servers which support secure protocols like “DNS over HTTPS” or “DNS over TLS”. This is what we install on our machine, in order to configure it later to resolve all domains through it.
To install it, you can use the GetPageSpeed subscription-based repository or EPEL:
On CentOS/RHEL 7:
yum -y install dnscrypt-proxy2
On CentOS/RHEL 8+
dnf -y install dnscrypt-proxy
Then edit the configuration file
/etc/dnscrypt-proxy/dnscrypt-proxy.toml with the following changes.
listen_addresses = ['127.0.0.1:53']
listen_addresses = ['127.0.0.53:53']
That’s right. NetworkManager does not have the ability to specify the port
53, so we are actually making our
dnscrypt-proxy listen on a separate loopback address
Next, ensure these settings:
server_names = ['cloudflare', 'cloudflare-ipv6']
By this, we use Cloudflare’s secure DNS.
Now you can start the service by running:
systemctl enable --now dnscrypt-proxy.service
Check that your configuration is valid, by running a query against DNS:
dnscrypt-proxy -resolve cloudflare-dns.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Sample results would be:
Resolving [cloudflare-dns.com] using 127.0.0.53 port 53 Resolver : 184.108.40.206 Canonical name: cloudflare-dns.com. IPv4 addresses: 220.127.116.11, 18.104.22.168 IPv6 addresses: 2606:4700::6810:f9f9, 2606:4700::6810:f8f9 Name servers : ns1.cloudflare-dns.com., ns2.cloudflare-dns.com., ns3.cloudflare-dns.com. DNSSEC signed : yes Mail servers : no mail servers found HTTPS alias : - HTTPS info : [alpn]=[h3,h3-29,h2], [ipv4hint]=[22.214.171.124,126.96.36.199], [ipv6hint]=[2606:4700::6810:f8f9,2606:4700::6810:f9f9] Host info : - TXT records : xys2vzh7bp5r11pxl363wl8skcv8k2ss
Modify NetworkManager and dnsmasq configuration
Now to the most interesting part. We already have a secure DNS available at
Now we need
dnsmasq which is managed by NetworkManager, make sure to forward DNS requests over to our secure DNS proxy.
For this, we can use
nmcli, like so:
nmcli connection modify eth0 ipv4.dns 127.0.0.53 nmcli connection modify eth0 ipv4.ignore-auto-dns yes
This tells NetworkManager to set upstream DNS server to
We also make NetworkManager ignore the DNS nameservers obtained via DHCP, since in this case, we want to explicitly use
dnsmasq which is run by NetworkManager, will forward requests appropriately to
Also, you must explicitly tell Networkmanager’s
dnsmasq about the upstream DNS server. Without this, things wouldn’t work as expected.
Open the file
/etc/NetworkManager/dnsmasq.d/custom.conf and add:
Finally, you can apply all the changes by restarting NetworkManager:
service NetworkManager restart
Now NetworkManager restarts the
dnsmasq instance that it manages and that instance will cache your DNS requests while routing them securely through
This ensures that your DNS requests never leave your machine unsecured. From now on, they are always encrypted. The censored websites are working and your privacy is improved.