I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.
Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.
Modern browsers use their buit-in DNS settings which adds to the confusion.
I think this is one area that Linux needs more work and more standardization.
How do you think it should be fixed?
I don’t think systemd-resolved has support for DNS-over-HTTPS yet but it has support for DNS over TLS which I have used issue free for years now.
All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.
DNS is not broken on Linux, your configuration is.
Not necessarily. Firefox ships with its own DoH enabled out of the box, which uses Cloudflare servers.
Then Firefox is broken in this context. It should respect the user’s system DNS settings.
Edit: You are wrong. The correct answer is somewhere along the lines of borderline confusing and you don’t have to worry about it if everything is working. In my case, it used my DNS provider set by systemd-resolved and not cloudflare but YMMV.
This is what the default menu for Firefox DNS settings say:
Enable secure DNS using: ... Firefox decides when to use secure DNS to protect your privacy. Use secure DNS in regions where it’s available Use your default DNS resolver if there is a problem with the secure DNS provider Use a local provider, if possible .... Turn off when VPN, parental control, or enterprise policies are active Turn off when a network tells Firefox it shouldn’t use secure DNS
Firefox DoH has been enabled by default for the US for a couple of years now.
The US is not the world!
And neither Firefox nor its broken? DNS implementation have anything to do with the topic(Linux DNS)…
You said all browsers would follow your system DNS, I just explained that’s not always the case.
And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.
Both Firefox & Chrome follow my system DNS at default settings. Just because Firefox forcefully enrolled US users to Cloudflare’s DOH doesn’t mean that DNS is broken for every one else.
Again. Has nothing to do with the topic i.e Linux DNS. Applications can use their own custom DOH/DOQ resolvers to bypass system DNS, this has no bearing on the brokeness or not of systemd-resolved or any other system DNS resolver.
Your suggested solution would leak DNS for everything except thr browser. That’s a broken implementation
How so?