DNS over TLS - Ubuntu 22.04 LTS (client)

Recent Ubuntu releases appear to ship with DNS over TLS support already installed (in systemd-resolved), so switching to encrypted DNS is just a matter of changing a few settings.

Changing the name server settings

Edit the systemd name-resolution configuration file as follows.

When using Cloudflare DNS
/etc/systemd/resolved.conf
  [Resolve]
  # Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
  # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
  # Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
  # Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
- #DNS=
+ DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
  #FallbackDNS=
  #Domains=
  #DNSSEC=no
- #DNSOverTLS=no
+ DNSOverTLS=yes
  #MulticastDNS=no
  #LLMNR=no
  #Cache=no-negative
  #CacheFromLocalhost=no
  #DNSStubListener=yes
  #DNSStubListenerExtra=
  #ReadEtcHosts=yes
  #ResolveUnicastSingleLabel=no
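Review bot: `DNSOverTLS=yes` is strict mode, and it is the `#cloudflare-dns.com` suffix on each address in the new `DNS=` line that gives systemd-resolved a name to validate the server certificate against (and to send as SNI); an address listed without such a suffix is only checked against its IP, so the suffixes should not be dropped when adapting this line. Note also that `#DNSSEC=no` is left at its commented-out default, so this change encrypts the path to the resolver but does not verify the authenticity of the answers.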

When using Google DNS
/etc/systemd/resolved.conf
  [Resolve]
  # Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
  # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
  # Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
  # Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
- #DNS=
+ DNS=8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
  #FallbackDNS=
  #Domains=
  #DNSSEC=no
- #DNSOverTLS=no
+ DNSOverTLS=yes
  #MulticastDNS=no
  #LLMNR=no
  #Cache=no-negative
  #CacheFromLocalhost=no
  #DNSStubListener=yes
  #DNSStubListenerExtra=
  #ReadEtcHosts=yes
  #ResolveUnicastSingleLabel=no

When using Quad9
/etc/systemd/resolved.conf
  [Resolve]
  # Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
  # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
  # Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
  # Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
- #DNS=
+ DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
  #FallbackDNS=
  #Domains=
  #DNSSEC=no
- #DNSOverTLS=no
+ DNSOverTLS=yes
  #MulticastDNS=no
  #LLMNR=no
  #Cache=no-negative
  #CacheFromLocalhost=no
  #DNSStubListener=yes
  #DNSStubListenerExtra=
  #ReadEtcHosts=yes
  #ResolveUnicastSingleLabel=no

When using OpenDNS
/etc/systemd/resolved.conf
  [Resolve]
  # Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
  # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
  # Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
  # Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
- #DNS=
+ DNS=208.67.222.222#dns.opendns.com 208.67.220.220#dns.umbrella.com 2620:119:35::35#dns.opendns.com 2620:119:53::53#dns.umbrella.com
  #FallbackDNS=
  #Domains=
  #DNSSEC=no
- #DNSOverTLS=no
+ DNSOverTLS=yes
  #MulticastDNS=no
  #LLMNR=no
  #Cache=no-negative
  #CacheFromLocalhost=no
  #DNSStubListener=yes
  #DNSStubListenerExtra=
  #ReadEtcHosts=yes
  #ResolveUnicastSingleLabel=no
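Review bot: this `DNS=` line pairs 208.67.222.222 and 2620:119:35::35 with `dns.opendns.com` but 208.67.220.220 and 2620:119:53::53 with `dns.umbrella.com`. Each address is validated against the name after its own `#`, so if an address does not serve a certificate for the name it is paired with, strict `DNSOverTLS=yes` refuses that connection and the resolver is left with fewer working servers. Unlike the Cloudflare, Google and Quad9 lines, these pairs do not appear in the file's own comment block, so they are worth confirming against the provider's documentation before the restart.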

When using AdGuard DNS
/etc/systemd/resolved.conf
  [Resolve]
  # Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
  # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
  # Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
  # Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
- #DNS=
+ DNS=94.140.14.14#dns.adguard-dns.com 94.140.15.15#dns.adguard-dns.com 2a10:50c0::ad1:ff#dns.adguard-dns.com 2a10:50c0::ad2:ff#dns.adguard-dns.com
  #FallbackDNS=
  #Domains=
  #DNSSEC=no
- #DNSOverTLS=no
+ DNSOverTLS=yes
  #MulticastDNS=no
  #LLMNR=no
  #Cache=no-negative
  #CacheFromLocalhost=no
  #DNSStubListener=yes
  #DNSStubListenerExtra=
  #ReadEtcHosts=yes
  #ResolveUnicastSingleLabel=no

Restart systemd-resolved.

$ systemctl restart systemd-resolved.service

Use tcpdump to confirm that packets are flowing on port 853, the port used by encrypted DNS.

$ sudo tcpdump -i any 'port 853'
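Before restarting the service, it is useful to check the edited file for the two things the procedure above depends on: `DNSOverTLS` set to `yes` (strict mode) rather than left at its default or set to `opportunistic`, and every address in `DNS=` carrying a `#hostname` suffix so the certificate is validated against a name. The script below is an added example written for this page, not code from the original article or from systemd; it assumes only the file layout shown above (keys under a `[Resolve]` section, one `key=value` per line, commented-out defaults starting with `#`), and the sample file it checks at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: lint a resolved.conf for the two
# settings a strict DNS-over-TLS client needs, before restarting systemd-resolved.
#   1. DNSOverTLS=yes  -- "opportunistic" (or unset) falls back to plaintext port 53
#   2. every entry in DNS= carries a "#hostname" suffix, so systemd-resolved validates
#      the server certificate against that name and sends it as SNI
# Assumes the layout shown in the article: keys under a [Resolve] section, one
# key=value per line, commented-out defaults starting with '#'.

# Print the effective value of key $2 in the [Resolve] section of file $1
# (last uncommented assignment wins; empty output when the key is not set).
resolved_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { section = $0; next }                 # track the current section
        section ~ /^\[Resolve\]/ && $0 ~ ("^[[:space:]]*" key "=") {
            value = $0
            sub("^[[:space:]]*" key "=", "", value)              # strip "key="
            sub(/[[:space:]]+$/, "", value)                      # strip trailing whitespace
        }
        END { print value }
    ' "$1"
}

# Return 0 when file $1 is a valid strict-DoT client configuration, 1 otherwise;
# each problem found is printed on its own line.
check_resolved_conf() {
    file="$1"
    status=0

    mode=$(resolved_value "$file" DNSOverTLS)
    if [ "$mode" != "yes" ]; then
        echo "DNSOverTLS is '${mode:-unset}', expected 'yes' (strict mode)"
        status=1
    fi

    servers=$(resolved_value "$file" DNS)
    if [ -z "$servers" ]; then
        echo "DNS= is empty: the resolver would use DHCP-supplied or compiled-in fallback servers"
        status=1
    fi
    for server in $servers; do
        case "$server" in
            *#?*) ;;   # address#hostname: certificate is validated against hostname
            *) echo "server '$server' has no #hostname suffix: certificate checked against the IP only"
               status=1 ;;
        esac
    done
    return "$status"
}

# Demo on a constructed sample (not a real system file): the Cloudflare DNS= line
# from the article with DNSOverTLS left at its commented-out default.
sample="${TMPDIR:-/tmp}/resolved-sample.$$"
printf '[Resolve]\nDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com\n#DNSOverTLS=no\n' > "$sample"
if check_resolved_conf "$sample"; then
    echo "config OK"
else
    echo "config rejected, fix before restarting systemd-resolved"
fi
rm -f "$sample"
```

Run it as `check_resolved_conf /etc/systemd/resolved.conf` on the real file; it exits non-zero and names the offending setting when something is off. After the restart, `resolvectl status` lists `+DNSOverTLS` in the Global `Protocols:` line when strict mode is active, and the tcpdump check above is worth repeating with `'port 53'` on the uplink interface (not the 127.0.0.53 stub listener) to confirm that no plaintext queries are still leaving the host.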
