Why not use DNS over HTTPS (DoH)?
-
Pull the dnscrypt-proxy container image from Docker Hub
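# The bare image name resolves to the :latest tag, so what you get depends on
# when you pull. Append a tag or an @sha256:<digest> if you want a
# reproducible image you can review before it changes underneath you.
$ sudo podman pull docker.io/klutchell/dnscrypt-proxy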
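# Download dnscrypt-proxy.toml from the GitHub repo into the directory that the
# container unit bind-mounts as /config. Review the file before using it: it
# decides which resolvers and relays every DNS query on this host goes to.
$ sudo mkdir -p /etc/dnscrypt-proxy
# -f makes curl fail on an HTTP error instead of saving an error page as the
# config; curl itself no longer needs to run as root, only the write does.
# (Replace `main` in the URL with a commit SHA to make the download reproducible.)
$ curl -fsSL https://raw.githubusercontent.com/klutchell/dnscrypt-proxy-docker/main/dnscrypt-proxy.toml \
    | sudo tee /etc/dnscrypt-proxy/dnscrypt-proxy.toml >/dev/null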
# Edits to /etc/dnscrypt-proxy/dnscrypt-proxy.toml: use Oblivious DoH only, so
# no single party sees both the client address and the query.
doh_servers = false
odoh_servers = true
# Only use resolvers that are flagged as DNSSEC-capable in the server lists.
require_dnssec = true

# comment out [sources.public-resolvers]
# comment out [sources.relays]
# uncomment [sources.'odoh-servers'] and [sources.'odoh-relays'] in [sources] section

# add routes to [anonymized_dns] section for odoh servers, similar to the one given below
# Never route a server through a relay run by the same operator -- the relay
# would then see both who asked and what was asked, which is exactly what ODoH
# is meant to prevent. The crypto-sx and ibksturm routes below leave out their
# own relays for this reason; check the operators of any server/relay you add.
routes = [
    # { server_name='odoh-cloudflare', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx',
    #                                        'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-crypto-sx', via=[ 'odohrelay-ams', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-ibksturm', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se' ] },
    { server_name='odoh-id-gmail', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-jp.tiar.app', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-jp.tiarap.org', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-koki-ams', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-koki-noads-ams', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-koki-noads-se', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-koki-se', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-marco.cx', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] },
    { server_name='odoh-tiarap.org', via=[ 'odohrelay-ams', 'odohrelay-crypto-sx', 'odohrelay-se', 'odohrelay-ibksturm' ] }
]
-
# Take systemd-resolved out of the picture: stop it, then mask the service and
# both of its sockets so socket activation cannot quietly bring it back while
# dnscrypt-proxy is supposed to own port 53.
$ sudo systemctl disable --now systemd-resolved.service
$ sudo systemctl mask systemd-resolved.service systemd-resolved-varlink.socket systemd-resolved-monitor.socket
# /etc/resolv.conf, written by hand as a regular file in place of the
# stub-resolv.conf symlink that systemd-resolved left behind (the tear-down
# steps put the symlink back). Every query goes to the local dnscrypt-proxy on
# 127.0.0.1:53, the port the container unit publishes.
# Deliberately a single nameserver: a plaintext fallback here would silently
# take over and leak queries whenever the container is down.
nameserver 127.0.0.1
# trust-ad: let applications see the AD (authenticated data) bit the resolver
# returns. Keep this only while the nameserver is a local one you control --
# with a remote server the AD bit is just an unauthenticated claim.
# single-request-reopen works around paths that mishandle parallel A/AAAA lookups.
options edns0 single-request-reopen trust-ad
-
# /etc/NetworkManager/conf.d/90-dns-none.conf: stop NetworkManager from
# rewriting /etc/resolv.conf with DHCP-supplied nameservers, which would
# bypass the local dnscrypt-proxy. Picked up by `systemctl reload NetworkManager`.
[main]
dns=none
-
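# /etc/containers/systemd/dnscrypt-proxy.container -- a quadlet unit; the
# generator turns it into dnscrypt-proxy.service on daemon-reload.
[Unit]
Description=Podman container-dnscrypt-proxy.service
# podman-generate-systemd(1) describes a different, older mechanism.
Documentation=man:podman-systemd.unit(5)

[Container]
ContainerName=dnscrypt-proxy
# Bare name = :latest tag. Pin a tag or @sha256:<digest> if you want to
# review what runs before it changes.
Image=docker.io/klutchell/dnscrypt-proxy
# Re-pulls and restarts the container whenever the tag moves upstream --
# convenient, but it means new code runs without anyone looking at it.
AutoUpdate=registry
# Bind only on loopback. /etc/resolv.conf points at 127.0.0.1, and publishing
# on 0.0.0.0 (as the original did) makes the host an open resolver for
# anything that can reach it on port 53.
PublishPort=127.0.0.1:53:5053/tcp
PublishPort=127.0.0.1:53:5053/udp
# :z gives the host directory a shared SELinux label (see the note on z vs Z).
Volume=/etc/dnscrypt-proxy:/config:z

[Service]
# This container is the host's only nameserver; bring it back if it dies.
Restart=on-failure

[Install]
WantedBy=default.target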
-
# daemon-reload lets the quadlet generator turn the .container file into
# dnscrypt-proxy.service; quadlet units are not `systemctl enable`d -- the
# [Install] section takes care of starting it at boot.
$ sudo systemctl daemon-reload
$ sudo systemctl start dnscrypt-proxy.service
# Apply dns=none so NetworkManager stops touching /etc/resolv.conf.
$ sudo systemctl reload NetworkManager
-
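# Sanity checks after starting the service.
$ systemctl status dnscrypt-proxy.service   # should be "active (running)"
$ sudo podman ps                            # the dnscrypt-proxy container should be listed
# DNS is mostly UDP, so list UDP listeners as well as TCP (-u in addition to -t).
# Expect port 53 on 127.0.0.1:53 if the unit binds to loopback, or on
# 0.0.0.0:53 if it publishes on all interfaces (then nothing but firewall
# rules keeps the rest of the network out).
$ ss -nltu
$ dig fedoraproject.org                     # the SERVER line should contain 127.0.0.1#53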
# Tear-down: undo the setup in reverse order and hand DNS back to systemd-resolved.
$ sudo systemctl stop dnscrypt-proxy.service
$ sudo rm /etc/containers/systemd/dnscrypt-proxy.container
$ sudo systemctl daemon-reload
$ sudo systemctl unmask systemd-resolved.service systemd-resolved-varlink.socket systemd-resolved-monitor.socket
$ sudo systemctl enable --now systemd-resolved.service
$ sudo rm /etc/NetworkManager/conf.d/90-dns-none.conf
# Replace the hand-written /etc/resolv.conf with the resolved stub symlink
# (-f overwrites the existing regular file, so no separate rm is needed).
$ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
$ sudo systemctl reload NetworkManager
# Optional: the pulled image and /etc/dnscrypt-proxy are left in place.
The container unit above mounts the config directory with the `:z` option. `:Z` gives the bind-mounted content a private SELinux label that only this one container can read; `:z` gives it a shared label, which is what you need when the same directory is used by more than one container. Either option relabels the host directory itself (here /etc/dnscrypt-proxy), so do not use them on directories that other host services rely on.