Sep 03, 2025
I wanted to set up DNS-over-TLS to encrypt my DNS queries. Systems with systemd have this feature built in with systemd-resolved. Systems without systemd can use Unbound, a DNS resolver with DNS-over-TLS support.
First, install Unbound. If building it from source, compile it with TLS support. To install Unbound in Alpine Linux from the main repository:
# apk add unbound
Next, edit /etc/resolv.conf to direct the system resolver to localhost:
nameserver 127.0.0.1
Note that from this point until Unbound is configured and running, the system has no working resolver, so finish the remaining steps before you need name resolution again.
Also, add the immutable flag to prevent this file from being overwritten (remove it with chattr -i before editing the file again):
# chattr +i /etc/resolv.conf
The immutable flag only makes the DHCP client's attempt to rewrite the file fail; if the client has an option to leave resolv.conf alone, set it as well. For udhcpc in Alpine Linux, add RESOLV_CONF=no to /etc/udhcpc/udhcpc.conf.
Then, edit the Unbound configuration file at /etc/unbound/unbound.conf. Use the forward-zone block to specify the upstream server and TLS port. The name after the # in forward-addr is the hostname Unbound verifies the upstream's certificate against, using the CA bundle from tls-cert-bundle; without it the connection is encrypted but the server is not authenticated, so anyone who can intercept port 853 could answer as the upstream. For example, using the DNS server of Mullvad VPN (the address is 194.242.2.9; confirm it against Mullvad's own documentation before relying on it):
server:
    # CA bundle used to verify the upstream's TLS certificate
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    # forward every query
    name: "."
    forward-tls-upstream: yes
    # address@tls-port#name-to-verify-the-certificate-against
    forward-addr: 194.242.2.9@853#all.dns.mullvad.net
Leave forward-first at its default of no; enabling it lets Unbound fall back to plain recursion if the TLS upstream fails, which defeats the purpose.
Finally, check the file for syntax errors with unbound-checkconf, set the Unbound service to auto-start, and then start the Unbound daemon. Using OpenRC:
# rc-update add unbound
# rc-service unbound start
To verify that DNS-over-TLS is working, run a packet capture in one terminal and a DNS query in another. A successful answer on its own proves nothing, since a forward-zone with the TLS option missing still resolves names; what you want to see is TLS traffic to the upstream on port 853 and no DNS traffic to port 53 other than the local query to 127.0.0.1. For example:
# tcpdump -ni any port 853 or port 53
$ drill gnu.org
On Alpine Linux, drill comes from the drill package; drill @127.0.0.1 gnu.org queries Unbound directly regardless of what resolv.conf says.
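The following script is an added example, not part of the original post. It automates the two checks the post relies on: a lint of the forward-zone for the settings that silently weaken DNS-over-TLS (missing CA bundle, missing forward-tls-upstream, forward-first enabled, an upstream without the TLS port or without an auth name), and a count of cleartext DNS packets in the text output of tcpdump -nn. The config files and capture lines it runs against are constructed inline so it works offline; the 192.0.2.1 address is a documentation address, not a real resolver.

```shell
#!/bin/sh
# Added example (not the post's own code): checks for the Unbound DoT setup.
#   check_dot_forward CONF   lint an unbound.conf forward-zone for DoT pitfalls
#   count_cleartext_dns FILE count packets in `tcpdump -nn` text output that
#                            carry DNS to port 53 of a non-loopback host
# Assumes POSIX sh with grep, sed, awk and mktemp.

check_dot_forward() {
    conf="$1"
    rc=0

    # Drop full-line comments only; a '#' inside a value introduces the
    # TLS auth name, so it must survive.
    body=$(grep -v '^[[:space:]]*#' "$conf")

    # Without a CA bundle Unbound has nothing to validate the upstream
    # certificate against.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*tls-cert-bundle:[[:space:]]*[^[:space:]]'; then
        echo "finding: tls-cert-bundle not set; upstream certificate cannot be verified" >&2
        rc=1
    fi

    # Without forward-tls-upstream: yes, forward-addr speaks plain DNS.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*forward-tls-upstream:[[:space:]]*yes'; then
        echo "finding: forward-tls-upstream is not yes; queries leave in cleartext" >&2
        rc=1
    fi

    # forward-first: yes falls back to plain recursion when the forwarder fails.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*forward-first:[[:space:]]*yes'; then
        echo "finding: forward-first is yes; Unbound can fall back to cleartext recursion" >&2
        rc=1
    fi

    # Every forward-addr must name the TLS port and an auth name. Unbound
    # only verifies the certificate against the name after '#'; with no
    # name the session is encrypted but the peer is not authenticated.
    for addr in $(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p'); do
        case "$addr" in
            *@853'#'?*) ;;
            *@853) echo "finding: $addr has no #auth-name; certificate not verified" >&2; rc=1 ;;
            *)     echo "finding: $addr is not on port 853; not a TLS upstream" >&2; rc=1 ;;
        esac
    done
    return $rc
}

count_cleartext_dns() {
    # Lines from `tcpdump -nn -i any port 53 or port 853` look like
    #   ... IP 10.0.0.5.41234 > 194.242.2.9.853: Flags [S] ...
    # Count packets whose destination is port 53 on any host other than the
    # local resolver on 127.0.0.1; each one is a query that left in cleartext.
    awk '/ > [0-9.]+\.53: / && !/ > 127\./ { n++ } END { print n+0 }' "$1"
}

# Constructed inputs so the example runs offline.
tmp=$(mktemp -d)

cat > "$tmp/good.conf" <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 194.242.2.9@853#all.dns.mullvad.net
EOF

# The same zone with two mistakes that resolve names just fine: no auth name
# on one upstream, and a second upstream left on the default port 53.
cat > "$tmp/weak.conf" <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 194.242.2.9@853
    forward-addr: 192.0.2.1
EOF

# Constructed tcpdump -nn lines: the local drill query to 127.0.0.1:53 is
# expected, the TLS handshake on 853 is what we want, the last line is a leak.
cat > "$tmp/capture.txt" <<'EOF'
12:00:00.000001 lo    In  IP 127.0.0.1.51000 > 127.0.0.1.53: 12345+ A? gnu.org. (25)
12:00:00.000200 eth0  Out IP 10.0.0.5.41234 > 194.242.2.9.853: Flags [S], seq 1, win 64240, length 0
12:00:00.030000 eth0  In  IP 194.242.2.9.853 > 10.0.0.5.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.040000 eth0  Out IP 10.0.0.5.49000 > 192.0.2.1.53: 23456+ A? gnu.org. (25)
EOF

check_dot_forward "$tmp/good.conf" && echo "good.conf: ok"
check_dot_forward "$tmp/weak.conf" || echo "weak.conf: see findings above"
echo "cleartext DNS packets in capture: $(count_cleartext_dns "$tmp/capture.txt")"
```

To use it on a live system, point check_dot_forward at /etc/unbound/unbound.conf and feed count_cleartext_dns a file written with tcpdump -nn -i any port 53 or port 853 while you run drill; a count above zero means some query left the host unencrypted. The lint deliberately covers only the DoT-specific settings and is no substitute for unbound-checkconf, which validates the whole file.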