I wouldn’t call it a mess. There’s a reason it’s not standard. It’s because Linux is about having choices. Linux users have such a variety of use cases and there are a zillion different kinds of hardware it runs on. There’s no one thing that works for everyone.

I think this flexibility is a big part of what makes Linux special but also what makes it difficult for newcomers. The documentation on all the various software is typically very good to excellent. The harder part is figuring out which choice to make in the first place.

I don’t really have any answers except to take it all in and be more willing to do some research than some other platforms may require.

System-wide DoH is sort of a power user thing to begin with so other platforms will likely be similar. I think you would probably be using some kind of app to do it on Windows or Mac.

By the way, you might want to take a look at stubby for your situation. I did something similar a few weeks back and that’s what I used. It’s runs a little local DNS proxy that forwards requests to your upstream servers. Then you would set your DNS server to 127.0.0.1 in NetworkManager or whatever you’re using. You have to change like 3 lines in the default stubby config a typical distro may provide to make it work.

Very much agreed 👍 I realized when using the dnscrypt to set the DNS settings. There is resolv.conf which used to be the final authority regarding your DNS. Now I don’t know anymore

A bit confusing I agree. Just a little bit research.

I don’t touch my fedora DNS settings because my openwrt router handles DoT for the entire network.

deleted by creator

This isn’t really a “Linux” problem. Calling it a Linux problem implies all distros do the same thing out of the box because it’s a part of the core system. Systemd has a file, /etc/systemd/resolved.conf which has one line DNS= that you can add the servers you want. It’s as simple as that. If you’re using Dnsmasq for DNS instead, you’d edit the Dnsmasq file. If you’re not using my of those (i.e. you removed systemd-resolved, Dnsmasq, etc) then you can just edit the /etc/reeolv.conf directly without worry of it being overwritten.

While many distros come with systemd out of the box, not all of them do. For example, I use Gentoo with rc and after editing my resolv.conf, never had to worry about it again unless I decided to install a custom DNS software on it later.

I read many replies to your post as “DNS software shouldn’t be allowed to change DNS settings” for the most part, and that doesn’t quite make sense to me. If it’s a problem, remove said software. Browsers are definitely annoying in the DNS front, I won’t disagree with that. Fortunately, they allow you to turn that off though.

Just between yesterday and today I was struggling with this, to get DoH or DoT working, but Network Manager would override /etc/resolv.conf. At least I figured out how to stop NM from modifying the DNS.

I tried my putting my dns settings in /etc/systemd/resolv.conf, as suggested by Nextdns setup page, but that didn’t seem to work, at least on Tumbleweed. On my Debian laptop running as a headless server, the /etc/systemd/resolv.conf does work.

I’m currently with Stubby, and it’s working at least, but I would’ve liked to figure out the systemd-resolved way on Tumbleweed.

I just edit resolv.conf directly, and then do chattr +i /etc/resolv.conf to make it persistent

Slightly off topic, but as long as we’re ranting about DNS…

Proxmox handles DNS for each container as a setting in the hypervisor. It’s not a bad way of simplifying things, but if, hypothetically, you didn’t know about that, then you could find yourself in a situation where you spend an entire afternoon trying every single one of the million different ways to edit DNS in Linux and getting increasingly frustrated because the IP gets overwritten every time you restart the container no matter what you do, until eventually you figure out that the solution is just like three clicks and a text entry box in the Proxmox GUI!

…Hypothetically, of course.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

Because it’s systemd. You take it or you take it. Brought to you by the same people who brought PulseAudio and GNOME 3.

The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots)

True, but at least by this point it is documented everywhere (at least on Arch and Debian) and if you want to play around with resolv.conf their go-to interface is to install resolvconf and edit only the base or head files.

How do you think it should be fixed?

IMO people should just install and learn to use dnsmasq / bind9. They’re there precisely to cover most cases (including forwarding local DNS queries to DoH, or having your own intranet, etc).

No problems here using /etc/systemd/resolved.conf for NextDNS settings. I also set the dns settings for NextDNS in Firefox.

Modern browsers use their buit-in DNS settings which adds to the confusion.

There’s no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there’s a toggle to turn it off, I’m okay with that.

How do you think it should be fixed?

The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.

Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (~home.arpa for virtual machines and ~lan for machines in my home network).

There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I’ll have to enable DNSDefaultRoute= in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It’s a lot of steps but I can automate most of them with a script for now.

Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.

Edit: link to some blog post

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

Nor should there be. That’s what the configuration files are for, and the utility to edit them is the editor of your choice.

The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

No. The average user would use NetworkManager GUI integrated into DE.

Well, I’m not using systemd and Portmaster (safing.io free open source without the VPN tunnels) has a DNS control over any request your Linux do… I don’t think I have any issues here… hehe