Classic Setup
To set up a DNS proxy on your computer, open /etc/resolv.conf and put the proxy address on the nameserver line:
$ cat /etc/resolv.conf
nameserver 127.1.1.1
Then, you need to make this setting permanent. This varies from distro to distro, and if something goes wrong, you will be left with a broken system.
Alternative Setup
Here is a novel concept: run the proxy in tandem with your existing DNS setup, and use Firejail to direct the browser traffic to the proxy. You don’t change the original DNS setup, you just bypass it.
Open a terminal and type:
$ sudo fdns
Current zone: Americas
Testing server cira
Tags: Canada, Americas
SSL/TLS connection: 435.25 ms
DoH query average: 53.99 ms
DoH/Do53 bandwidth ratio: 1.51
Keepalive: 7 seconds
Testing server adguard-unfiltered2-dot
Tags: anycast, Americas, AsiaPacific, Europe
SSL/TLS connection: 429.72 ms
DoT query average: 79.20 ms
DoT/Do53 bandwidth ratio: 1.32
Keepalive: 25 seconds
Testing fallback server: nextdns (45.90.28.141) - 77.92 ms
17:20:42 fdns starting
17:20:42 connecting to cira server
17:20:42 listening on 127.1.1.1
cleaning 137876
Current zone: Americas
Current zone: Americas
34 filter entries added from /etc/fdns/list.tld-blacklist
36406 filter entries added from /etc/fdns/list.fp-trackers
6636 filter entries added from /etc/fdns/list.trackers
239364 filter entries added from /etc/fdns/list.adblocker
4319 filter entries added from /etc/fdns/list.coinblocker
152101 filter entries added from /etc/fdns/list.phishing
27378 filter entries added from /etc/fdns/hosts
The following TLDs have been disabled: degree, makeup, fyi, zone, haus, gq, hair, beauty, market, ga, cf, ml, cn, bid, cricket, date, download, faith, loan, men, party, racing, review, science, stream, trade, webcam, win, bazar, coin, buzz, top, club, cfd, phish_id, live, link, accounts, icu, cyou, xyz,
17:20:46 (1) SSL connection opened to 149.112.121.10
17:20:46 (0) SSL connection opened to 149.112.121.10
17:20:46 (1) h2 transport up
17:20:46 (0) h2 transport up
The proxy begins by testing two random DoH/DoT servers from our extensive list, and chooses the fastest one. There are currently over 200 non-logging and non-censoring servers, and the list keeps growing. The only thing left to do is start the browser, bittorrent client, streaming app, whatever:
$ firejail --dns=127.1.1.1 firefox
It’s easy! The browser will use your proxy server instead of system DNS. Other programs, like NTP, the package manager, git, and some weather trinkets you have on your desktop, still use system DNS. To put it simply, you only encrypt the important traffic. The irrelevant stuff can stay in the clear forever, who cares! And as you didn’t change your DNS settings, nothing could go wrong.
Boot-time Config
To make this setting permanent, we provide a systemd service unit in /etc/fdns/fdns.service. On a Debian system, copy this file into the /etc/systemd/system directory and enable it:
$ sudo cp /etc/fdns/fdns.service /etc/systemd/system/.
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now fdns.service
The --now switch in the command above also starts the service.
If you run a non-systemd distro, the command to start FDNS in the background is sudo fdns --daemonize. To stop the process, run sudo pkill fdns.
To automatically redirect a program's DNS queries to the encrypted proxy, create a profile file for it in the ~/.config/firejail directory (firefox.profile in this example) with the following content:
$ cat ~/.config/firejail/firefox.profile
include /etc/firejail/firefox.profile
dns 127.1.1.1
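The same two-line override can be generated for any sandboxed program and then audited, as an added example that is not part of fdns or Firejail. write_override and audit_override are hypothetical helper names, and each application is assumed to ship a stock profile at /etc/firejail/<app>.profile.

```shell
#!/bin/sh
# Added example: create and audit per-application Firejail overrides that
# pin DNS to the fdns proxy. Helper names are hypothetical.
FDNS_ADDR=127.1.1.1   # address fdns reports listening on in the output above

# write_override DIR APP
# Writes DIR/APP.profile in the two-line layout shown above. Returns 2 and
# leaves the file alone if an override already exists, so hand-made
# customizations are never clobbered.
# Assumption: /etc/firejail/APP.profile exists on the target system.
write_override() {
    dir=$1
    app=$2
    f="$dir/$app.profile"
    if [ -e "$f" ]; then
        return 2
    fi
    mkdir -p "$dir" || return 1
    printf 'include /etc/firejail/%s.profile\ndns %s\n' "$app" "$FDNS_ADDR" > "$f"
}

# audit_override FILE
# Prints one status word:
#   ok      - every dns line points at the proxy
#   missing - no dns line, so the sandbox keeps using system DNS
#   other   - at least one dns line names a different resolver
# Commented-out lines are ignored because their first field is not "dns".
audit_override() {
    awk -v want="$FDNS_ADDR" '
        $1 == "dns" { seen = 1; if ($2 != want) other = 1 }
        END {
            if (other) print "other"
            else if (seen) print "ok"
            else print "missing"
        }
    ' "$1"
}

# Demo in a constructed scratch directory, not the real ~/.config/firejail.
demo_dir=$(mktemp -d)
write_override "$demo_dir" firefox
printf 'firefox: %s\n' "$(audit_override "$demo_dir/firefox.profile")"
rm -rf "$demo_dir"
```

To use it for real, pass ~/.config/firejail as DIR and run audit_override over each *.profile file there.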
Monitoring the Proxy
Type fdns --monitor as a regular user. The monitor provides live DNS queries and stats.
For more information, run man fdns, or check out our documentation on github.com. Have fun!


