qq33tt66/dns

Cloudflare DNS Setup

systemd-networkd · systemd-resolved · DNS-over-TLS


Overview

Configures Cloudflare DNS (1.1.1.1 / 1.0.0.1) with encrypted DNS-over-TLS, fully replacing ISP-provided DNS using native systemd tooling.

Applies to: systems running systemd-networkd + systemd-resolved
Does not apply to: NetworkManager setups


1. Confirm Network Stack

ps aux | grep -E "[N]etworkManager|[s]ystemd-networkd|[d]hcpcd"

Expected output includes systemd-networkd. If NetworkManager appears instead, this guide does not apply.


2. Enable systemd-resolved

systemctl status systemd-resolved
# If inactive:
sudo systemctl enable --now systemd-resolved

3. Configure systemd-networkd

Locate your network config:

ls /etc/systemd/network/

Edit the relevant file (e.g. 20-ethernet.network):

sudo nano /etc/systemd/network/20-ethernet.network

[Match]
Name=en*
Name=eth*

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
MulticastDNS=yes
DNS=1.1.1.1
DNS=1.0.0.1

[DHCPv4]
RouteMetric=100
UseDNS=no

[IPv6AcceptRA]
RouteMetric=100
UseDNS=no

UseDNS=no prevents DHCP from injecting ISP DNS servers.


4. Configure systemd-resolved

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo nano /etc/systemd/resolved.conf.d/cloudflare.conf

[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=no

The #cloudflare-dns.com suffix enables TLS certificate verification. Without it, connections may fall back to opportunistic (unverified) mode.


5. Fix resolv.conf Symlink

ls -l /etc/resolv.conf

Must point to /run/systemd/resolve/stub-resolv.conf. If not:

sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

6. Apply Changes

sudo systemctl restart systemd-networkd systemd-resolved

7. Verify

resolvectl status

Global section should show:

DNS Servers: 1.1.1.1#cloudflare-dns.com
             1.0.0.1#cloudflare-dns.com
DNSOverTLS: yes

Interface section should show only Cloudflare IPs — no ISP addresses (e.g. 103.x.x.x).
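
The checks in this step can be scripted. The following is an added example, not part of the original repository: a shell function that reads resolvectl status text on stdin, flags any DNS server that is not one of the four Cloudflare addresses used in this guide, and fails if the Global section does not report DNS-over-TLS. The names audit_resolvectl, sample_ok and sample_leak are hypothetical, both samples are constructed, and the two output layouts the parser accepts are assumptions about what resolvectl prints.

```shell
# Added example (not from the repository): audit "resolvectl status" text on stdin.
# Returns non-zero on any non-Cloudflare DNS server or if DNS-over-TLS is not on.
audit_resolvectl() {
    awk '
    function check(   i, addr) {
        for (i = 1; i <= NF; i++) {
            addr = $i
            sub(/#.*/, "", addr)   # drop the #server-name suffix
            sub(/%.*/, "", addr)   # drop an %interface scope id
            if (!(addr in allowed)) { print section ": unexpected DNS server " addr; bad = 1 }
        }
    }
    BEGIN {
        n = split("1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001", a, " ")
        for (i = 1; i <= n; i++) allowed[a[i]] = 1
        section = "Global"
    }
    /^Global/ || /^Link [0-9]+/ { section = $0; in_dns = 0; next }
    NF == 0 { in_dns = 0; next }
    # Assumed formats: "+DNSOverTLS" under Protocols, or "DNSOverTLS: yes" as quoted in this guide.
    section ~ /^Global/ && (/\+DNSOverTLS/ || /DNSOverTLS[^:]*:[ \t]*yes/) { dot = 1 }
    /DNS Servers?:/ { sub(/^.*DNS Servers?:[ \t]*/, ""); check(); in_dns = 1; next }
    in_dns && NF == 1 { check(); next }   # continuation line: one address per line
    { in_dns = 0 }
    END {
        if (!dot) { print "Global: DNS-over-TLS not reported as enabled"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the state this guide aims for.
sample_ok() { cat <<'EOF'
Global
       DNS Servers: 1.1.1.1#cloudflare-dns.com
                    1.0.0.1#cloudflare-dns.com
        DNSOverTLS: yes
Link 2 (enp3s0)
       DNS Servers: 1.1.1.1 1.0.0.1
EOF
}
# Constructed sample: a DHCP-supplied resolver (documentation address) left on the link.
sample_leak() { cat <<'EOF'
Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
Link 2 (enp3s0)
       DNS Servers: 192.0.2.53 1.1.1.1
EOF
}
```

On a live system the same function is fed with: resolvectl status | audit_resolvectl. A non-zero exit status means UseDNS=no or the resolved drop-in did not take effect.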


8. Optional: Disable LLMNR and mDNS

Append to /etc/systemd/resolved.conf.d/cloudflare.conf:

LLMNR=no
MulticastDNS=no

Then restart: sudo systemctl restart systemd-resolved


Scope

This setup provides:

  • Cloudflare DNS exclusively
  • Encrypted DNS queries via DNS-over-TLS
  • No ISP DNS leakage

This setup does not:

  • Change your public IP
  • Route traffic through Cloudflare
  • Act as a VPN or bypass ISP throttling
