
Secure your DNS with dnsmasq, dnscrypt-proxy and Cloudflare


📅 Updated: February 1, 2026 (Originally published: December 30, 2022)

DNS is a plain-text protocol, and many countries censor their citizens simply by hijacking the standard DNS port 53, inspecting the queries and denying much of what is being accessed.

Cloudflare provides a secure DNS system via several protocols. In this guide, we cover how to encrypt your DNS traffic on RHEL-based systems, from the simple built-in solution in RHEL 10 to the more flexible dnscrypt-proxy approach for older systems.

This guide is useful for both workstation and server RHEL-based systems.

RHEL 10+ / Rocky Linux 10+: The Simple Way

RHEL 10 and derivatives include systemd-resolved which has built-in DNS-over-TLS (DoT) support. This is the simplest approach for modern systems.

Install and Enable systemd-resolved

sudo dnf install systemd-resolved
sudo systemctl enable --now systemd-resolved

Configure DNS-over-TLS with Cloudflare

Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=9.9.9.9#dns.quad9.net
DNSOverTLS=yes

The #cloudflare-dns.com suffix is the server name that systemd-resolved sends via SNI and checks the TLS certificate against.

Restart the service:

sudo systemctl restart systemd-resolved

Verify DNS-over-TLS is Working

Check the status:

resolvectl status

You should see +DNSOverTLS in the output:

Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
         DNS Servers: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com

Test a query:

resolvectl query example.com

The output should show "Data was acquired via local or encrypted transport: yes":

example.com: 104.18.26.120
             104.18.27.120

-- Information acquired via protocol DNS in 45.2ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes

That’s it for RHEL 10+. Your DNS queries are now encrypted.
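A post-setup check that ties the three verification steps above together, added here as an example (it is not part of the original post). It assumes the resolved.conf keys and the resolvectl output format shown above, and every function works on text you pass in, so the constructed samples run without a RHEL 10 host.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup checks for the
# RHEL 10 DoT configuration. Each function takes text as $1 so the same logic
# runs on the constructed samples below and on live files/output.

# resolved.conf: DNSOverTLS must be strict ("yes", not "opportunistic"), and
# every DNS=/FallbackDNS= server needs the #hostname used to verify the cert.
check_resolved_conf() {
    printf '%s\n' "$1" | grep -qE '^DNSOverTLS *= *yes *$' || return 1
    servers=$(printf '%s\n' "$1" | sed -nE 's/^(DNS|FallbackDNS) *= *//p')
    [ -n "$servers" ] || return 1
    for s in $servers; do
        case "$s" in *#?*) ;; *) return 1 ;; esac
    done
}

# `resolvectl status`: the Global Protocols line must show +DNSOverTLS.
check_resolvectl_status() {
    printf '%s\n' "$1" | grep -q 'Protocols:.*+DNSOverTLS'
}

# `resolvectl query`: the answer must have arrived over an encrypted transport.
check_resolvectl_query() {
    printf '%s\n' "$1" | grep -q 'encrypted transport: yes'
}

# Constructed samples mirroring the post (good config vs. a downgradable one).
GOOD_CONF='[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=9.9.9.9#dns.quad9.net
DNSOverTLS=yes'
WEAK_CONF='[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=opportunistic'
STATUS_OK='Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported'
QUERY_OK='-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes'
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report check_resolved_conf "$GOOD_CONF"
report check_resolved_conf "$WEAK_CONF"        # expected FAIL: no SNI name, not strict
report check_resolvectl_status "$STATUS_OK"
report check_resolvectl_query "$QUERY_OK"

# On a real RHEL 10 host, run the same checks against the live system:
if command -v resolvectl >/dev/null 2>&1 && [ -r /etc/systemd/resolved.conf ]; then
    report check_resolved_conf "$(cat /etc/systemd/resolved.conf)"
    report check_resolvectl_status "$(resolvectl status)"
    report check_resolvectl_query "$(resolvectl query example.com)"
fi
```

The "Data is authenticated: no" in the sample output refers to DNSSEC validation, which DNSOverTLS=yes alone does not turn on; these checks only confirm that the transport is encrypted.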

Optional: Make systemd-resolved the System Resolver

By default, NetworkManager may still manage /etc/resolv.conf. To use systemd-resolved system-wide:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

RHEL 7-9: Using dnscrypt-proxy

For older RHEL versions without systemd-resolved DNS-over-TLS support, use dnscrypt-proxy with dnsmasq.

Internet censorship via DNS: Indonesia example

An example of a country that practices DNS censorship is Indonesia. Many legitimate websites are blocked at the DNS level, and the bypass is as easy as setting a hosts file entry or using a proxy.

The blocking system uses wildcards that can severely degrade internet access. Even without blocking, the plain-text DNS protocol allows inspection and blocking of requests to any website. This is a breach of privacy, allowing anyone with appropriate network access to see your website visit history on a domain basis, whether those websites employ TLS encryption or not.

Architecture Overview

Here’s the typical insecure setup: <your browser> -> <dnsmasq> -> <ISP nameservers>.

In censored locations, ISPs hijack the DNS port on the network level.

The secure setup: <your browser> -> <dnsmasq> -> <dnscrypt-proxy> -> <Cloudflare secure DNS>.

Install dnscrypt-proxy

On CentOS/RHEL 7:

yum -y install dnscrypt-proxy2

On CentOS/RHEL 8 and 9:

dnf -y install dnscrypt-proxy

Configure dnscrypt-proxy

Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml:

Change the listen address to avoid conflicts with dnsmasq:

listen_addresses = ['127.0.0.53:53']

Configure Cloudflare as the upstream:

server_names = ['cloudflare', 'cloudflare-ipv6']

Start the service:

systemctl enable --now dnscrypt-proxy.service

Verify the configuration:

dnscrypt-proxy -resolve cloudflare-dns.com -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Sample output:

Resolving [cloudflare-dns.com] using 127.0.0.53 port 53

Resolver      : 162.158.161.89
Canonical name: cloudflare-dns.com.
IPv4 addresses: 104.16.249.249, 104.16.248.249
IPv6 addresses: 2606:4700::6810:f9f9, 2606:4700::6810:f8f9
DNSSEC signed : yes

Configure NetworkManager and dnsmasq

Tell NetworkManager to use dnscrypt-proxy as the upstream DNS:

nmcli connection modify eth0 ipv4.dns 127.0.0.53
nmcli connection modify eth0 ipv4.ignore-auto-dns yes

This makes NetworkManager ignore DNS servers from DHCP and use dnscrypt-proxy instead.

Create /etc/NetworkManager/dnsmasq.d/custom.conf:

server=127.0.0.53

Apply the changes:

systemctl restart NetworkManager

Now dnsmasq caches your DNS requests while routing them securely through dnscrypt-proxy. Your DNS requests never leave your machine unencrypted.
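Because dnscrypt-proxy.toml, the dnsmasq drop-in and the NetworkManager connection must all agree on the same loopback listener, here is an added consistency check (example code, not part of the original post). It assumes the one-value-per-line output of nmcli -g and the eth0 connection name used above.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check that the three
# pieces of the RHEL 7-9 setup agree on one loopback listener, so dnsmasq
# really forwards to dnscrypt-proxy and DHCP-supplied resolvers are ignored.
# Inputs are plain text: dnscrypt-proxy.toml, the dnsmasq drop-in, and the
# output of `nmcli -g ipv4.dns,ipv4.ignore-auto-dns connection show eth0`
# (the "eth0" connection name is an assumption carried over from the post).

# First entry of listen_addresses in dnscrypt-proxy.toml, e.g. 127.0.0.53:53
dnscrypt_listen() {
    printf '%s\n' "$1" | sed -nE "s/^listen_addresses *= *\[ *'([^']+)'.*/\1/p" | head -n1
}

# dnsmasq upstream: server=host or server=host#port, normalised to host:port
dnsmasq_upstream() {
    up=$(printf '%s\n' "$1" | sed -n 's/^server=//p' | head -n1)
    case "$up" in
        *#*) printf '%s:%s\n' "${up%%#*}" "${up#*#}" ;;
        *)   printf '%s:53\n' "$up" ;;
    esac
}

# Returns 0 when browser -> dnsmasq -> dnscrypt-proxy is wired consistently.
check_dns_path() {
    listen=$(dnscrypt_listen "$1")
    upstream=$(dnsmasq_upstream "$2")
    nm_dns=$(printf '%s\n' "$3" | sed -n 1p)
    nm_ignore=$(printf '%s\n' "$3" | sed -n 2p)
    # NetworkManager's dnsmasq already owns 127.0.0.1:53, dnscrypt's default.
    [ -n "$listen" ] && [ "$listen" != "127.0.0.1:53" ] ||
        { echo "dnscrypt-proxy listen address missing or collides with dnsmasq"; return 1; }
    [ "$listen" = "$upstream" ] ||
        { echo "dnsmasq server=$upstream does not match dnscrypt-proxy $listen"; return 1; }
    [ "$nm_dns" = "${listen%%:*}" ] ||
        { echo "NetworkManager ipv4.dns is '$nm_dns', expected ${listen%%:*}"; return 1; }
    [ "$nm_ignore" = "yes" ] ||
        { echo "ipv4.ignore-auto-dns is off: DHCP resolvers would still be used"; return 1; }
    echo "ok: dnsmasq -> dnscrypt-proxy at $listen, DHCP DNS ignored"
}

# Constructed samples matching the post's configuration.
TOML="listen_addresses = ['127.0.0.53:53']
server_names = ['cloudflare', 'cloudflare-ipv6']"
DNSMASQ_CONF='server=127.0.0.53'
NM_OUT='127.0.0.53
yes'
check_dns_path "$TOML" "$DNSMASQ_CONF" "$NM_OUT"
# Same inputs with dnscrypt-proxy left on its default: reports the collision.
check_dns_path "listen_addresses = ['127.0.0.1:53']" "$DNSMASQ_CONF" "$NM_OUT"
```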

Alternative: NGINX DNS over HTTPS Server

For organizations wanting to provide encrypted DNS to multiple clients, consider running an NGINX DNS over HTTPS server. This approach lets you deploy a DoH endpoint that browsers can use directly, with full control over logging and upstream resolver selection.

Summary

RHEL Version   Recommended Solution   Protocols Supported
RHEL 10+       systemd-resolved       DNS-over-TLS
RHEL 7-9       dnscrypt-proxy         DNS-over-HTTPS, DNSCrypt

Both approaches encrypt your DNS traffic, preventing ISPs and network observers from seeing which domains you resolve. Choose systemd-resolved for simplicity on modern systems, or dnscrypt-proxy for maximum flexibility and protocol support on older systems.
