Enable systemd-resolved with NetworkManager

I want to enable resolved to take advantage of its DNSSEC and DNS over TLS features. How do I do those on Tumbleweed? I’m entirely new to the openSUSE ecosystem, so please bear with me.

According to Arch Wiki, stub-resolv file symlinks or explicit NetworkManager configuration will do the trick, but I’m not sure if there are openSUSE-specific behaviors that I need to take account of.

If you’re setting up on a workstation/laptop or other personal device and not your own full DNS server, I recommend instead running dnscrypt-proxy. I’ve been running it on my personal machine for many years and have been pretty happy with it.

I see there is a dnscrypt-proxy2, but not sure what it is… The GitHub project links to the main dnscrypt-proxy project so if the main project is fully updated I suspect they are the same.

The idea of dnscrypt proxy is to run a DNS proxy locally on your machine… You redirect your /etc/resolv.conf to point to localhost and the proxy encrypts your DNS traffic and connects to public DNS servers which support both DNS over HTTPS and its own proprietary encrypted protocol. Technically, you can’t use DNSSEC because its current implementations are only server/server and AFAIK has never been implemented as client/server.

Since I posted that the default DNS dnscrypt-proxy was pointing to filtered results to fight spam and tracking, I haven’t seen that happening (someone apparently didn’t think that was a good default)… But be aware that option is available if you want to specify DNS (AFAICR default is actually a pool of DNS servers selected on first connection). If I decide to disable dnscrypt use for any reason, I simply modify /etc/resolv.conf for that session (no need to make a permanent modification so the file can be edited directly).

There should be other posts about dnscrypt-proxy in these openSUSE Forums…

An additional benefit is that you won’t have to worry about DNS leaking when using an improperly configured VPN… Ordinarily, a VPN should include pointing to its own DNS to encrypt DNS traffic but some VPNs are set up wrong. If you’re using dnscrypt-proxy, it won’t matter since your DNS traffic will be encrypted no matter the situation.
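
A check for the setup described in the thread, added here as an example and not written by either poster: it lists any nameserver in a resolv.conf file that is not a loopback address, which is the condition under which queries would bypass a local proxy or stub (dnscrypt-proxy or systemd-resolved). The function names are hypothetical and the sample file is constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Added example: find resolv.conf nameservers that are not loopback,
# i.e. resolvers the libc would query directly instead of the local proxy.

# Print every non-loopback nameserver found in the given resolv.conf file.
non_loopback_nameservers() {
    awk '
        # Only "nameserver <addr>" lines count; comment lines (# or ;) never match.
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            sub(/%.*$/, "", addr)                               # drop IPv6 zone id
            if (addr ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/) next    # 127.0.0.0/8
            if (addr == "::1") next                             # IPv6 loopback
            print addr
        }
    ' "$1"
}

# Return 0 when every listed nameserver is loopback, 1 otherwise.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    leaks=$(non_loopback_nameservers "$file")
    if [ -n "$leaks" ]; then
        echo "non-loopback resolvers in $file:" >&2
        echo "$leaks" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a local stub address plus an upstream pushed by the network.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example, not a real configuration
nameserver 127.0.0.53
nameserver 192.0.2.53
options edns0
EOF
check_resolv_conf "$sample" || echo "DNS queries can bypass the local proxy"
rm -f "$sample"
```

Run `check_resolv_conf` with no argument to test the live /etc/resolv.conf, for example after NetworkManager or a VPN client has reconnected and may have rewritten the file.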