You are not logged in.
Hi everyone,
I'm trying to set up NextDNS as a custom DNS on a server running Mullvad VPN, but systemd-resolved doesn't seem to use DNSOverTLS (DoT) on the WireGuard interface, even though I think my configuration is correct.
Here is what I'm seeing:
mullvad dns get
Custom DNS: yes
Servers:
45.90.28.xx
45.90.30.xxresolvectl status
Global
Protocols: +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Link 2 (eth0)
Current Scopes: DNS LLMNR/IPv4
Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Link 4 (wg0-mullvad)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supportedAs you can see, wg0-mullvad has -DNSOverTLS instead of +DNSOverTLS.
Here is my resolved.conf
[Resolve]
DNS=45.90.28.0#mindegy.dns.nextdns.io
DNS=45.90.30.0#mindegy.dns.nextdns.io
DNSOverTLS=yes
DNSSEC=yes
Domains=~.And the output of resolvectl state for the interfaces:
Server: 45.90.28.0#mindegy.dns.nextdns.io
Type: system
Verified feature level: TLS+EDNS0+DO
Possible feature level: TLS+EDNS0+DO
DNSSEC Mode: yes
DNSSEC Supported: yes
Server: 45.90.30.0#mindegy.dns.nextdns.io
Type: system
Verified feature level: n/a
Possible feature level: TLS+EDNS0+DO
DNSSEC Mode: yes
Server: 45.90.28.0#mindegy.dns.nextdns.io
Type: link
Interface: wlan0
Interface Index: 3
Verified feature level: TLS+EDNS0+DO
Possible feature level: TLS+EDNS0+DO
DNSSEC Mode: yes
DNSSEC Supported: yes
Server: 45.90.30.0#mindegy.dns.nextdns.io
Type: link
Interface: wlan0
Interface Index: 3
Verified feature level: n/a
Possible feature level: TLS+EDNS0+DO
DNSSEC Mode: yes
DNSSEC Supported: yes
Server: 45.90.28.xx
Type: link
Interface: wg0-mullvad
Interface Index: 5
Verified feature level: UDP+EDNS0+DO
Possible feature level: UDP+EDNS0+DO
DNSSEC Mode: yes
DNSSEC Supported: yes
Server: 45.90.30.xx
Type: link
Interface: wg0-mullvad
Interface Index: 5
Verified feature level: n/a
Possible feature level: TLS+EDNS0+DO
DNSSEC Mode: yes
DNSSEC Supported: yesOn wg0-mullvad, it falls back to UDP+EDNS0+DO (plain UDP) instead of TLS.
My questions:
1. What could be causing systemd-resolved or Mullvad to strip/ignore DoT on the WireGuard link?
2. Does it even make sense to force DoT inside an already encrypted VPN tunnel (since Mullvad encrypts everything end-to-end to their server anyway)?
Any insights would be highly appreciated!
Offline
1. What could be causing systemd-resolved or Mullvad to strip/ignore DoT on the WireGuard link?
I'm not sure. I use a self-hosted WireGuard VPN with a self-hosted DoT server and my combo (NM/system-resolved) doesn't show this behavior. But: I have enabled DoT only on the WireGuard link (via NM) and not globally (via resolved.conf).
My best guess: NextDNS "realizes" that your connection comes from the Mullvad VPN IP space and "decides" DoT isn't needed.
2. Does it even make sense to force DoT inside an already encrypted VPN tunnel (since Mullvad encrypts everything end-to-end to their server anyway)?
That depends on your level of paranoia. If your only goal is to prevent your provider/government/whatever to eavesdrop on your DNS queries either DoT or a VPN is sufficient. In your current config Mullvad is able to eavesdrop on your DNS queries. And when either the VPN or DoT fails...
Offline