Article Summary: Describe how to enable system-wide encrypted DNS (DNS over TLS) on Fedora 42 and rawhide not only for a runtime but also during boot time and system installation.
Article Description: A Red Hat working group has worked to deliver support for system-wide encrypted DNS to fulfil the requirements for Zero Trust Networks. This means that encrypted DNS has to be enabled not only during system runtime but also during the boot process for network boots, or even during system installation itself, including support for custom CA certificates.
The latest bits have landed in Fedora 42 (except installation, which is available in F43/rawhide). This article should advertise this to users and provide a guide to enable it.
While runtime DoT has been possible via systemd-resolved for some time now, it was not possible to enable it during installation or boot time. Additionally, systemd-resolved remains a controversial topic: there is not much development going on and many advanced users just disable it right away for various reasons. Therefore, after discussion with systemd developers, we decided to use a different DNS resolver, unbound, and integrate it into the system using NetworkManager and the dnsconfd service. The final solution allows you to configure a DNS over TLS server via NetworkManager, enable it for boot time using dracut modules and also enable it immediately for installation using kernel arguments.
Hi, the article is ready for review: https://fedoramagazine.org/?p=42037&preview=true&preview_id=42037
The code blocks look wrong though, perhaps there is a way to set different formatting?
The article is coauthored with https://accounts.fedoraproject.org/user/ftrivino/
Metadata Update from @rlengland: - Custom field preview-link adjusted to https://fedoramagazine.org/?p=42037&preview=true
@pbrezina in order to add @ftrivino as an author on this article they must log into the Fedora Magazine WordPress instance. They don't need to take any further action, just log in using their FAS account.
Once that is done the editors can add them as a co-author.
Metadata Update from @rlengland: - Custom field editor adjusted to rlengland
@pbrezina I have changed the code blocks from "code" to "preformatted". This is the standard used for the Magazine.
I've edited the article and made some changes to improve the flow (reduced sentence length and repositioned one paragraph to the front of the article as an introduction).
This would be a good time for you and @ftrivino to review it once again for any modifications you would like to make.
Also, if you have suggestions for a featured image to accompany your article let us know. Otherwise the editors will "exercise our creativity".
Thanks for all your effort
Hi @rlengland , I just did the login. Thanks.
@pbrezina @ftrivino Suggestion for featured image applied. Let us know what you think.
Thank you, the image and text look good to me. Thanks for the edits.
I extended the "installation" section with guide to provide custom CA certificate.
Metadata Update from @rlengland: - Issue untagged with: needs-image
@pbrezina @ftrivino Your article is scheduled for Friday 25 April at 0800 UTC.
Thank you for contributing to the Fedora Magazine.
Looks like we managed to submit a typo:
@rlengland Can you please replace ipa-server-dns with ipa-dns-install in the last code snippet? I no longer have edit rights.
ipa-server-dns
ipa-dns-install
And maybe also However, note that this will regenerate initram only for the current kernel. to However, note that this will regenerate initram only for the latest kernel. (current -> latest) to be more precise. But this is not that important.
However, note that this will regenerate initram only for the current kernel.
However, note that this will regenerate initram only for the latest kernel.
@pbrezina I've changed the two occurrences of ipa-server-dns in the last section to ipa-dns-install.
Done.
Hi, can we do two more small, but significant updates?
First, in the "Install Required Packages" section, we would like to mention that systemd-resolved needs to be disabled.
Only the dnsconfd package needs to be installed as NetworkManager is already installed in Fedora by default. This package will also pull in dependencies such as unbound. Make sure to disable systemd-resolved before starting the dnsconfd service to avoid any potential conflict.
$ sudo dnf install dnsconfd
$ sudo systemctl disable --now systemd-resolved && sudo systemctl mask systemd-resolved
$ sudo systemctl enable --now dnsconfd
And in "Enable DoT for system installation" we want to say that Live installation is not supported.
It is possible to enable encrypted DNS during system installation in the current Fedora Rawhide (43). Please make sure that you use the network installation ISO as Live installation media is not yet supported. ...
It's no problem. Done and done. Just let us know if you would like any further revisions.
Thanks. The second change is in the wrong place. Maybe I should have been more clear: I wanted to update the first paragraph of the mentioned section. That is:
Enable DoT for system installation
It is possible to enable encrypted DNS during system installation in the current Fedora Rawhide (43). Please make sure that you use the network installation ISO as Live installation media is not yet supported. The only thing that is required is to pass additional kernel arguments to the installer. The installer will take care of everything and encrypted DNS will be configured for the system installation. The configuration will also be installed on the system so it will be automatically set up for the installed system as well as for the boot process. The arguments are the same as described in “Enable DoT during system boot time”, that is:
Sorry about that. Hopefully I got it right this time. Just let me know if not.
Issue status updated to: Closed (was: Open) Issue close_status updated to: published
Issue status updated to: Open (was: Closed)