What
Add a dns module that configures DNS-over-TLS via systemd-resolved, using Quad9 (9.9.9.9) as the upstream resolver with DNSSEC enabled.
Why
By default, DNS queries on most VPS images are sent in plaintext to the provider's resolver. DNS-over-TLS encrypts queries in transit, so ISPs and on-path observers can no longer read which names the server resolves (they can still see that it talks to Quad9 on TCP 853). Quad9 also blocks known-malicious domains on its 9.9.9.9 service.
Suggested implementation
Write a systemd-resolved drop-in config at /etc/systemd/resolved.conf.d/dns-over-tls.conf:
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
DNSOverTLS=yes
DNSSEC=yes
Create the directory first if needed (mkdir -p /etc/systemd/resolved.conf.d), write the file, then run systemctl restart systemd-resolved. Should be ~30 lines following the existing module pattern (mod_dns()).
Two things to keep in mind. DNSOverTLS=yes is strict mode: if outbound TCP 853 to Quad9 is blocked, resolution fails instead of silently downgrading to plaintext (that is the behaviour we want, but the module should verify resolution still works after the restart rather than leave the box unable to resolve). DNSSEC=yes likewise fails closed for zones with broken signatures; allow-downgrade is the lenient alternative. Also, if the interface receives DNS servers from DHCP they appear under the link in resolvectl status, and resolved applies DNSOverTLS=yes to them too, which will typically fail the TLS handshake; confirm the Global Quad9 servers are the ones actually being used.
Add to mod_verify(): check that resolvectl status reports DNS-over-TLS active. On current systemd the Global section has a Protocols line containing +DNSOverTLS and DNSSEC=yes/supported; older releases print "DNSOverTLS setting: yes" and "DNSSEC setting: yes" instead. Also confirm /etc/resolv.conf points at the resolved stub (nameserver 127.0.0.53), otherwise libc bypasses resolved and the setting never applies.
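As an added example (not the project's own code; the issue gives the config but not the shell), one way mod_dns() and the mod_verify() check could look in POSIX sh. The helper names write_dot_dropin and dot_status_ok, the RESOLVED_DROPIN_DIR override and the extra FallbackDNS= line are my assumptions; the resolvectl status samples are constructed from the two output formats systemd has used, not captured from a real host.

```shell
#!/bin/sh
# Added example sketch of mod_dns() / mod_verify() for the DoT module.
# Helper names, RESOLVED_DROPIN_DIR and FallbackDNS= are assumptions.
set -eu

RESOLVED_DROPIN_DIR="${RESOLVED_DROPIN_DIR:-/etc/systemd/resolved.conf.d}"

# Write the drop-in. FallbackDNS= is cleared so that a Quad9 outage does not
# fall back to systemd's compiled-in default servers (not in the issue's snippet).
write_dot_dropin() {
    dir="${1:-$RESOLVED_DROPIN_DIR}"
    mkdir -p "$dir"
    cat > "$dir/dns-over-tls.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
FallbackDNS=
DNSOverTLS=yes
DNSSEC=yes
EOF
    chmod 0644 "$dir/dns-over-tls.conf"
}

mod_dns() {
    write_dot_dropin
    systemctl restart systemd-resolved
}

# Read `resolvectl status` output on stdin; succeed only if the Global section
# shows DoT and DNSSEC enabled. Handles the Protocols: line of current systemd
# and the "... setting: yes" lines of older releases.
dot_status_ok() {
    awk '
        /^Global/                     { g = 1; next }
        /^Link [0-9]+/                { g = 0 }
        g && /[+]DNSOverTLS/          { dot = 1 }
        g && /DNSOverTLS setting: yes/ { dot = 1 }
        g && /DNSSEC=yes/             { sec = 1 }
        g && /DNSSEC setting: yes/    { sec = 1 }
        END { exit (dot && sec) ? 0 : 1 }
    '
}

mod_verify() {
    # libc must be talking to the resolved stub, or DoT never applies.
    grep -qs '^nameserver 127\.0\.0\.53' /etc/resolv.conf || {
        echo "verify: /etc/resolv.conf does not use the systemd-resolved stub" >&2
        return 1
    }
    resolvectl status | dot_status_ok || {
        echo "verify: DNS-over-TLS/DNSSEC not active in resolvectl status" >&2
        return 1
    }
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STATUS_DOT='Global
       Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: stub
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported'

SAMPLE_STATUS_OLD_DOT='Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: yes
      DNSSEC setting: yes
    DNSSEC supported: yes
         DNS Servers: 9.9.9.9#dns.quad9.net'

SAMPLE_STATUS_PLAIN='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.2
       DNS Servers: 10.0.0.2'

# Usage as root: ./script apply  (then)  ./script verify
case "${1:-}" in
    apply)  mod_dns ;;
    verify) mod_verify ;;
esac
```

The status parser is kept separate from the resolvectl call so it can be exercised against saved output, and because the Link section for a DHCP-configured interface also carries a Protocols line, the parser only trusts the Global section.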
References