A week ago, I have released the version 1.0 of what I call : The Privacy DNS Chooser Script. This very simple but very easy to use CLI script allows you to choose Quad9, Mullvad DNS and NextDNS (more coming soon!) and use them on Linux with the systemd-resolved package (which is nowadays installed on pretty much all Linux distros except Debian and openSUSE and distros who aren’t using systemd).
One of the cool features of the script is an NextDNS integration. This means that when the user chooses NextDNS to use it, the script will ask him to enter his configuration number (e.g. a12345)
Also, if you are in trouble (like if your Internet’s not working anymore after running the script). There’s a “rescue script” which will recover /etc/systemd/resolved.conf to his default state. Thus recovering your internet connection.
Why did I make this script? Well, I think on Linux, we are very late when it comes to setting up a DNS provider. We can only set up an IP address as an DNS while on Windows 11 and macOS Ventura, we have the ability to use DNS-over-HTTPS and DNS-over-TLS which are way more secure ways of using DNS directly into a GUI. Where on Linux, the only way to do that is via, you guessed it : /etc/systemd/resolved.conf a.k.a. systemd-resolved.
Upcoming features for the script :
Add Support for AdGuard (should come out at the end of the year)
Add options for the user to choose the Ad, Tracker and Malware blocking version of Mullvad DNS or the standard non-blocking DNS (Early January 2024)
Add Cloudflare and ControlD support (March/April 2024)
The other big issue I’ve found with this method is that it’ll break eg. .lan, .local domains.
If you run services on your LAN, you may instead consider doing DoT at your router level.
Or use DoH in Firefox/Chromium which also gives the benefit of ECH. Firefox will prompt to use local resolver for such domains too.
(Which is the approach Brace takes.)
I disabled DNSSEC since it has done some problem through my testing for some reason. I will try to enable it and see if there are still problems. If there’s no problem, it should be enabled in v1.1 (should be released in end of year.
Cool project, I am excited to follow its development. I have a couple questions
How do DNS settings set using this script interact with other applications that change DNS settings (for example a VPN client, or per network DNS configurations made via Gnome Settings (or KDE’s equivalent). In other words does using this script override per-network DNS settings, or prevent a VPN client from setting their own DNS when the VPN connection is active?
I’m curious about how this feature might work. How are you defining the “default state”?
Does default state =
Backing up a copy of /etc/systemd/resolved.conf just before running the script?
Reverting to a generic resolved.conf file from systemd-resolved?
Reverting to the unmodified version of resolved.conf that ships with the users distro?
Actually, if you look at the script, It has a predefined config of systemd-resolved pulled from a fresh installation of it. Though, I don’t think it’s the most optimal way to do.
Also, just a quick note : If you have suggestions or problems with the script, don’t hesitate to go to the GitHub issues page of the project. This would be easier to track issues for me.
I am not sure you should enable DNSSEC by default, as this is an experimental feature but is not decared as such. The reason is the maintainer would rather accept the PR to fix issues around DNSSEC than declaring the feature as experimental. I think it’s weird, but that’s that. See systemd’s PR #28386 .
Moreover, if the users choose Quad9, this feature is unnecessary anyway, as it’s already enabled on the server-side.
While it is pretty easy by using dnscrypt-proxy, it isn’t (AFAIK) installed by default on Linux distros and require the installation of the tool. The goal here is : make configuring pre-installed tools (systemd-resolved) much easier.
