Changing/encrypting the DNS
Why change the DNS server?
Your ISP (Internet Service Provider) may not offer high-quality threat blocking, at least not without a charge. Every day, network attackers try to snoop on or even hijack DNS queries in order to steal financial and personal information. Using a different DNS service can be good protection.
Changing the DNS server
Changing the DNS server is easy. First, check if systemd-resolved is running:
If it is inactive, do:
Then edit the following file: /etc/systemd/resolved.conf
For example, to use Google’s DNS server, copy these lines:
If you want further security/privacy, you can use Quad9’s DNS server with:
Quad9 maintains an exceptionally large list of known malicious domains and blocks them, which helps prevent users' computers and smart devices from connecting to malware-ridden and phishing websites. In addition, Quad9 does not collect or sell user data. For more information, see this Quad9 article.
DNS Encryption
DNS over TLS (DoT) encrypts DNS queries between your machine and the resolver, system-wide. It is effective protection against network attackers who snoop on or tamper with DNS traffic. Government surveillance also involves collecting and analyzing DNS queries. A VPN subscription is probably the best protection, but it is not free; DoT is a good free alternative. The DNS server provided by your ISP may not support DoT, so Quad9 DNS is a good choice.
To use DoT, add this line to /etc/systemd/resolved.conf:
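The following script is an added example, not the page's own commands. It ties the steps above together: it checks that systemd-resolved is active and enables it if not, builds the [Resolve] section for /etc/systemd/resolved.conf with Quad9 and DNSOverTLS=yes, and provides a check that reports whether an existing config actually has DoT turned on (a line that is still commented out, as in the default file, does not count). Assumptions: Quad9's public resolvers 9.9.9.9 and 149.112.112.112 with the TLS name dns.quad9.net; DNS= and DNSOverTLS= are the standard systemd-resolved keys; the "ip#hostname" form is systemd's syntax for telling resolved which name to validate the TLS certificate against.

```shell
#!/bin/sh
# Added example for this page, not the page's own commands.
# Assumptions: Quad9 resolvers 9.9.9.9 / 149.112.112.112, TLS name
# dns.quad9.net; DNS= and DNSOverTLS= are standard systemd-resolved keys;
# "ip#hostname" tells resolved which certificate name to expect.

QUAD9_DOT="9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net"
RESOLVED_CONF=/etc/systemd/resolved.conf

# render_resolve_section "<servers>" "<yes|opportunistic|no>"
# Prints the [Resolve] section to install. Strict mode (yes) refuses to fall
# back to plaintext DNS if the TLS handshake fails; opportunistic falls back
# silently, so it does not protect against an active attacker.
render_resolve_section() {
    servers="$1"
    dot="${2:-yes}"
    case "$dot" in
        yes|opportunistic|no) ;;
        *) echo "bad DNSOverTLS value: $dot" >&2; return 1 ;;
    esac
    printf '[Resolve]\n'
    printf 'DNS=%s\n' "$servers"
    printf 'DNSOverTLS=%s\n' "$dot"
}

# dot_enabled <file>: succeeds only when an uncommented line sets
# DNSOverTLS=yes. The defaults shipped in resolved.conf are commented out
# ("#DNSOverTLS=no"), so a naive grep for the key would be misleading.
dot_enabled() {
    grep -Eq '^[[:space:]]*DNSOverTLS[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# ensure_resolved_running: the page's first two steps, check and enable.
ensure_resolved_running() {
    if ! systemctl is-active --quiet systemd-resolved; then
        systemctl enable --now systemd-resolved
    fi
}

# apply_config: back up the current file, install the new section, restart,
# then show the resolver status so the DoT flag and servers can be confirmed.
apply_config() {
    ensure_resolved_running
    cp "$RESOLVED_CONF" "$RESOLVED_CONF.bak.$(date +%s)"
    render_resolve_section "$QUAD9_DOT" yes > "$RESOLVED_CONF"
    systemctl restart systemd-resolved
    resolvectl status
}

# Only touch the system when explicitly asked (run as root: sh script.sh --apply).
if [ "${1:-}" = "--apply" ]; then
    apply_config
fi
```

After applying, `resolvectl status` should list the Quad9 servers and show DoT as active; if resolved cannot complete the TLS handshake in strict mode, name resolution fails rather than silently reverting to port 53, which is the behaviour you want when the goal is protection from a hostile network.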