The Privacy DNS Chooser Script (for Linux)

Disclaimer: I’m the author of the project.

Hello everyone!

A week ago, I released version 1.0 of what I call the Privacy DNS Chooser Script. This very simple but very easy to use CLI script allows you to choose Quad9, Mullvad DNS and NextDNS (more coming soon!) and use them on Linux with the systemd-resolved package (which is nowadays installed on pretty much all Linux distros except Debian and openSUSE and distros that aren’t using systemd).

One of the cool features of the script is a NextDNS integration. This means that when the user chooses NextDNS, the script will ask him to enter his configuration number (e.g. a12345).

Also, if you are in trouble (like if your Internet’s not working anymore after running the script), there’s a “rescue script” which will restore /etc/systemd/resolved.conf to its default state, thus recovering your internet connection.

Why did I make this script? Well, I think on Linux, we are very late when it comes to setting up a DNS provider. We can only set up an IP address as a DNS, while on Windows 11 and macOS Ventura, we have the ability to use DNS-over-HTTPS and DNS-over-TLS, which are way more secure ways of using DNS, directly in a GUI. On Linux, the only way to do that is via, you guessed it: /etc/systemd/resolved.conf, a.k.a. systemd-resolved.

Upcoming features for the script:

  • Add Support for AdGuard (should come out at the end of the year)
  • Add options for the user to choose the Ad, Tracker and Malware blocking version of Mullvad DNS or the standard non-blocking DNS (Early January 2024)
  • Add Cloudflare and ControlD support (March/April 2024)

The project’s source code is hosted on GitHub:

https://github.com/rollsicecream/privacy-dns-chooser

Thanks!

1 Like

Why does this disable DNSSEC!? privacy-dns-chooser/privacy_dns_chooser.sh at 5dedb71da6b6948f77fade161b628e6026a1b0d0 · rollsicecream/privacy-dns-chooser · GitHub


The other big issue I’ve found with this method is that it’ll break e.g. .lan and .local domains.

If you run services on your LAN, you may instead consider doing DoT at your router level.
Or use DoH in Firefox/Chromium which also gives the benefit of ECH. Firefox will prompt to use local resolver for such domains too.
(Which is the approach Brace takes.)

4 Likes

I disabled DNSSEC since it caused some problems during my testing for some reason. I will try to enable it and see if there are still problems. If there’s no problem, it should be enabled in v1.1 (should be released at the end of the year).

@rollsicecream
verify your distro includes/updates the anchors.
Fedora does this by default.

I do use Fedora, but my testing is done through a Debian VM.

Cool project, I am excited to follow its development. I have a couple of questions.

How do DNS settings set using this script interact with other applications that change DNS settings (for example a VPN client, or per-network DNS configurations made via Gnome Settings or KDE’s equivalent)? In other words, does using this script override per-network DNS settings, or prevent a VPN client from setting its own DNS when the VPN connection is active?

I’m curious about how this feature might work. How are you defining the “default state”?

Does default state =

  • Backing up a copy of /etc/systemd/resolved.conf just before running the script?
  • Reverting to a generic resolved.conf file from systemd-resolved?
  • Reverting to the unmodified version of resolved.conf that ships with the user’s distro?

1 Like

You should also switch to a drop-in, as opposed to editing the real config: privacy-dns-chooser/privacy_dns_chooser.sh at 5dedb71da6b6948f77fade161b628e6026a1b0d0 · rollsicecream/privacy-dns-chooser · GitHub

eg. Brace/brace/usr/lib/systemd/resolved.conf.d/brace.conf at 4a258d4be7e83cfd822405cc104c820453edb99e · divestedcg/Brace · GitHub

and you’re missing the IPv6 for Mullvad and Quad9 and the fallbacks

4 Likes
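
The drop-in approach suggested above, as an added example that is not part of the thread or of either project's code. It writes Quad9's IPv4 and IPv6 DoT endpoints to a single file under `resolved.conf.d`, so the "default state" asked about earlier is restored by deleting that file. The file name `50-privacy-dns.conf` and the `DROPIN_DIR` override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from privacy-dns-chooser or Brace.
# DROPIN_DIR can be overridden so the functions can be tried without root.
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/resolved.conf.d}"
DROPIN_NAME="50-privacy-dns.conf"   # hypothetical file name

# Quad9 over IPv4 and IPv6; the name after '#' is what the TLS certificate
# is checked against when DNSOverTLS=yes.
QUAD9_DNS="9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net"

# write_dropin SERVERS [DNSSEC]
write_dropin() {
    dns_servers="$1"
    dnssec="${2:-}"
    # Only address/hostname characters: a newline or '=' in user input
    # (e.g. a typed-in provider ID) must not become an extra config line.
    case "$dns_servers" in
        ""|*[!0-9A-Za-z.:#\ -]*) echo "rejected DNS value" >&2; return 1 ;;
    esac
    case "$dnssec" in
        ""|yes|no|allow-downgrade) ;;
        *) echo "invalid DNSSEC value: $dnssec" >&2; return 1 ;;
    esac
    mkdir -p "$DROPIN_DIR" || return 1
    # Temp name has no .conf suffix, so resolved never reads a half-written file.
    tmp="$(mktemp "$DROPIN_DIR/.tmp.XXXXXX")" || return 1
    {
        echo "[Resolve]"
        echo "DNS=$dns_servers"
        echo "DNSOverTLS=yes"
        if [ -n "$dnssec" ]; then echo "DNSSEC=$dnssec"; fi
    } > "$tmp"
    # mktemp creates the file 0600; resolved runs unprivileged and must read it.
    chmod 0644 "$tmp" && mv "$tmp" "$DROPIN_DIR/$DROPIN_NAME"
}

# "Rescue" is deleting the one file; the distro's resolved.conf was never touched.
remove_dropin() {
    rm -f "$DROPIN_DIR/$DROPIN_NAME"
}

# Usage: sh dropin.sh apply [DNSSEC] | sh dropin.sh remove   (needs root)
case "${1:-}" in
    apply)  write_dropin "$QUAD9_DNS" "${2:-}" && systemctl restart systemd-resolved ;;
    remove) remove_dropin && systemctl restart systemd-resolved ;;
esac
```

When the DNSSEC argument is left out, no `DNSSEC=` line is written and the distro's own default stays in effect.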

Thank you for your question!

Actually, if you look at the script, it has a predefined config of systemd-resolved pulled from a fresh installation of it. Though, I don’t think it’s the most optimal way to do it.

Also, just a quick note: if you have suggestions or problems with the script, don’t hesitate to go to the GitHub issues page of the project. This would make it easier for me to track issues.

https://github.com/rollsicecream/privacy-dns-chooser/issues

1 Like

The v1.1 release, code-named ‘Oxford’, will now:

  • Enable DNSSEC

  • Add a dialog, so the user could type ‘yes’ before making the changes to resolved.conf (for security measures)

  • Add support for AdGuard DNS

It should be released on the 21st of December, this month.

1 Like

I am not sure you should enable DNSSEC by default, as this is an experimental feature but is not declared as such. The reason is the maintainer would rather accept the PR to fix issues around DNSSEC than declare the feature experimental. I think it’s weird, but that’s that. See systemd’s PR #28386.

Moreover, if the users choose Quad9, this feature is unnecessary anyway, as it’s already enabled on the server-side.

Thanks for the script by the way :pray:

v1.1 released.

https://github.com/rollsicecream/privacy-dns-chooser/releases

Not on openSUSE, for example. And surely not on non-systemd systems like Slackware, Void, MX, Artix, Devuan, Gentoo, Alpine, Guix, PCLinuxOS, …

Thanks for the rectification for openSUSE. By the way, my goal is not to target the people who don’t use SystemD.

I’m a bit confused about the purpose of this. Setting up Dnscrypt-proxy is already very easy…

While it is pretty easy using dnscrypt-proxy, it isn’t (AFAIK) installed by default on Linux distros and requires the installation of the tool. The goal here is to make configuring pre-installed tools (systemd-resolved) much easier.

1 Like

It might be good to know that the DNSSEC feature in systemd-resolved is a CVE issue: 2222672 – (CVE-2023-7008) CVE-2023-7008 systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes. See: CVE Details.

A lot is going on at the corresponding issue on systemd tracker currently: resolved DNSSEC validation can be bypassed by MITM · Issue #25676 · systemd/systemd · GitHub.

2 Likes