Xeltor's Ad-blocking DNS

systemd-resolved (most desktops)

  1. Open a terminal and check the service status:
    systemctl status systemd-resolved --no-pager
    If it is inactive, run sudo systemctl enable --now systemd-resolved first.
  2. Create a drop-in directory and configuration file pointing at Xeltor. Write each server as address#name: systemd-resolved uses the name for SNI and for validating the server certificate, and without it the certificate is checked against the bare IP address, which only works if the certificate happens to list that address:
    sudo mkdir -p /etc/systemd/resolved.conf.d
    sudo tee /etc/systemd/resolved.conf.d/xeltor.conf <<'CFG'
    [Resolve]
    DNS=63.250.54.8#dot.xel-serv.com 86.90.92.105#dot.xel-serv.com
    DNSOverTLS=yes
    DNSSEC=yes
    Domains=~.
    CFG
    DNSOverTLS=yes is strict: if port 853 is blocked, resolution fails instead of silently falling back to plaintext (DNSOverTLS=opportunistic would fall back, which defeats the purpose). DNSSEC=yes is equally strict; if a network with broken DNSSEC handling leaves you without DNS, DNSSEC=allow-downgrade is the usual compromise. You can edit this file later with any text editor.
  3. Make sure /etc/resolv.conf points to the systemd stub resolver so apps follow the encrypted path:
    sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  4. Restart the service and confirm the encrypted upstreams are active:
    sudo systemctl restart systemd-resolved
    resolvectl status | sed -n '/^Global/,/^Link/p'
    The Global section should list 63.250.54.8#dot.xel-serv.com and 86.90.92.105#dot.xel-serv.com, and DNS over TLS should be reported as yes (recent versions show +DNSOverTLS in the Protocols line instead).
If you use VPN software that also adjusts systemd-resolved, keep its settings out of xeltor.conf: most VPN clients set per-link DNS through resolvectl, and one that writes a drop-in should get its own file (for example 10-vpn.conf) so the two can be removed independently and split DNS continues to work. Removing /etc/systemd/resolved.conf.d/xeltor.conf and restoring your old resolv.conf returns you to the DNS supplied by your network, usually unencrypted, until you reapply the secure profile.

NetworkManager CLI

This route gives you DNS over TLS only when NetworkManager hands DNS off to systemd-resolved (dns=systemd-resolved in /etc/NetworkManager/NetworkManager.conf, the default on most current desktop distributions) and is new enough to have the connection.dns-over-tls property (1.34 and later). With the dnsmasq or plain resolv.conf back ends the servers below are used unencrypted.

  1. List saved connections, note the one you use (for example “Wired connection 1” or your Wi-Fi SSID), and put its name in a variable for the commands below:
    nmcli connection show
    CONNECTION="Wired connection 1"
  2. Set the IPv4 DNS servers, ignore DHCP-provided DNS servers, and require DNS over TLS. ipv4.dns accepts IP addresses only, so the server name goes after a #; NetworkManager passes it to systemd-resolved, which uses it for SNI and certificate validation:
    sudo nmcli connection modify "$CONNECTION" ipv4.dns "63.250.54.8#dot.xel-serv.com 86.90.92.105#dot.xel-serv.com"
    sudo nmcli connection modify "$CONNECTION" ipv4.ignore-auto-dns yes
    sudo nmcli connection modify "$CONNECTION" connection.dns-over-tls yes
  3. If the connection has IPv6, also set ipv6.ignore-auto-dns yes so router advertisements or DHCPv6 cannot add an unencrypted server. The page lists no IPv6 addresses for Xeltor, so leave ipv6.dns empty; queries will use the IPv4 servers.
  4. Bring the connection down and up so the new settings apply:
    sudo nmcli connection down "$CONNECTION"
    sudo nmcli connection up "$CONNECTION"
  5. Confirm the resolver:
    nmcli connection show "$CONNECTION" | grep -i dns
    You should see both 63.250.54.8#dot.xel-serv.com and 86.90.92.105#dot.xel-serv.com and connection.dns-over-tls: yes; resolvectl status should list the same servers for this link with DNS over TLS reported as yes.
To undo the change, run sudo nmcli connection modify "$CONNECTION" ipv4.ignore-auto-dns no ipv4.dns "" connection.dns-over-tls default (and the IPv6 equivalent), then bring the connection down and up again. That switches back to whatever DNS DHCP provides, which is usually unencrypted.

Stubby

  1. Install Stubby with your package manager (sudo apt install stubby, sudo dnf install stubby, or sudo pacman -S stubby).
  2. Back up the default configuration and edit the upstream servers:
    sudo cp /etc/stubby/stubby.yml /etc/stubby/stubby.yml.backup
    sudo nano /etc/stubby/stubby.yml
    Keep tls_authentication: GETDNS_AUTHENTICATION_REQUIRED (the shipped default); it makes Stubby refuse an upstream whose certificate does not validate for tls_auth_name instead of falling back to an unauthenticated session. Then replace the upstream_recursive_servers block with:
    upstream_recursive_servers:
      - address_data: 63.250.54.8
        tls_auth_name: dot.xel-serv.com
        tls_port: 853
      - address_data: 86.90.92.105
        tls_auth_name: dot.xel-serv.com
        tls_port: 853
    (any editor is fine; the file is YAML, so keep the indentation exactly as shown).
  3. Check that the file parses, then enable Stubby and restart it so the new upstreams are read (enable --now alone does not reload an instance the package already started). By default it listens on 127.0.0.1 and ::1, port 53, unless listen_addresses says otherwise:
    stubby -C /etc/stubby/stubby.yml -i
    sudo systemctl enable --now stubby
    sudo systemctl restart stubby
  4. Point your system resolver at Stubby. Stubby does not write a resolv.conf itself (ls /run/stubby shows whether your distribution's package adds one), so either write nameserver 127.0.0.1 into /etc/resolv.conf after removing any symlink there, accepting that NetworkManager or a DHCP client may overwrite it, or, if you keep systemd-resolved, forward it to Stubby with a drop-in. In that case remove the xeltor.conf drop-in from the systemd-resolved section so the two do not both claim the global route, and set DNSOverTLS=no here because Stubby, not systemd-resolved, does the TLS:
    sudo tee /etc/systemd/resolved.conf.d/stubby.conf <<'CFG'
    [Resolve]
    DNS=127.0.0.1
    DNSOverTLS=no
    Domains=~.
    CFG
    sudo systemctl restart systemd-resolved
    Verify with dig @127.0.0.1 ads.facebook.com (it should answer NXDOMAIN straight from Stubby) and journalctl -u stubby, which logs TLS and authentication failures.
Rolling back the Stubby changes (sudo mv /etc/stubby/stubby.yml.backup /etc/stubby/stubby.yml plus sudo systemctl disable --now stubby) and restoring /etc/resolv.conf, or deleting the stubby.conf drop-in and restarting systemd-resolved, makes the host use the network’s default resolver again, which is usually unencrypted.

dnscrypt-proxy

dnscrypt-proxy speaks DNSCrypt and DNS over HTTPS (plus their anonymized and oblivious variants) but not DNS over TLS, so it cannot talk to dot.xel-serv.com on port 853 at all. The stamp below is the one the page publishes: its protocol byte is 0x02 (DoH) rather than 0x03 (DoT), and it does not decode as a complete stamp, so dnscrypt-proxy will reject the entry rather than use it. Follow this section only if Xeltor also publishes a DNS over HTTPS endpoint and a stamp for it; for DNS over TLS use the systemd-resolved or Stubby instructions above.

  1. Install dnscrypt-proxy from your distribution and copy the default config for reference:
    sudo apt install dnscrypt-proxy   # or dnf / pacman equivalent
    sudo cp /etc/dnscrypt-proxy/dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml.backup
  2. Add the Xeltor entry as a static server:
    sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
    Append this block to the [static] section (the quoted table name is what server_names refers to):
    [static.'xeltor-dot']
    stamp = 'sdns://AgcAAAAAAAAAAA82My4yNTAuNTQuODo4NTMAZG90LnhlbC1zZXJ2LmNvbQ'
  3. Make the new entry the only server, then enable and restart the service (enable --now does not reread the config of an instance that was already running, and distribution packages usually start it on install). The sed only matches an uncommented server_names line; if the default file has it commented out, uncomment it or add the line by hand:
    sudo sed -i "s/^server_names.*/server_names = ['xeltor-dot']/" /etc/dnscrypt-proxy/dnscrypt-proxy.toml
    sudo systemctl enable --now dnscrypt-proxy
    sudo systemctl restart dnscrypt-proxy
  4. Point the system resolver at the address in listen_addresses (127.0.0.1:53 in the upstream example config; some packages use socket activation with a different loopback address, so check the dnscrypt-proxy.socket unit), the same way as for Stubby. Until you do, nothing on the host uses dnscrypt-proxy.
  5. Check the logs for a successful connection to the server: look for a line for xeltor-dot marked OK, and treat a stamp, certificate or protocol error as the entry being unusable:
    journalctl -u dnscrypt-proxy -n 20
Restoring the backup config and removing static.'xeltor-dot' (or disabling dnscrypt-proxy) turns off the encrypted tunnel and returns you to the upstream DNS supplied by your network, which is usually unencrypted. Also undo whatever pointed /etc/resolv.conf at the local listener, or the host is left with no resolver at all.
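
To see why the stamp above cannot work as printed, here is an added example, not code from Xeltor's page or from dnscrypt-proxy, that decodes stamps field by field following the DNS stamps layout and builds what a well-formed DoT stamp for 63.250.54.8:853 with server name dot.xel-serv.com would look like (dnscrypt-proxy itself still will not use a DoT stamp; other stamp-aware tools will). The three property bits are copied from the page's stamp; the field layout is the specification's, and everything else in the block is my own.

```python
"""Decode and encode DNS stamps (sdns://...) so a stamp can be checked before it
is pasted into dnscrypt-proxy.toml.  Added example, not code from Xeltor's page or
from dnscrypt-proxy.  Covers the DoH (0x02) and DoT (0x03) layouts:

  proto(1) | props(8, little-endian) | LP(addr) | VLP(hashes) | LP(hostname) | LP(path) (DoH only)

LP is a one-byte length prefix; VLP is a list of LP items whose high bit means
"another item follows", and a single 0x00 byte means no hashes at all."""
import base64

# The stamp exactly as printed on the page.
PAGE_STAMP = "sdns://AgcAAAAAAAAAAA82My4yNTAuNTQuODo4NTMAZG90LnhlbC1zZXJ2LmNvbQ"

PROTOCOLS = {0x00: "Plain", 0x01: "DNSCrypt", 0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}
PROP_DNSSEC, PROP_NOLOG, PROP_NOFILTER = 1, 2, 4


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _lp(field: bytes) -> bytes:
    if len(field) > 255:
        raise ValueError("field too long for a one-byte length prefix")
    return bytes([len(field)]) + field


def stamp_protocol(stamp: str) -> str:
    """Name of the protocol byte alone; readable even when the rest of the stamp is broken."""
    data = _b64url_decode(stamp.removeprefix("sdns://"))
    return PROTOCOLS.get(data[0], f"0x{data[0]:02x}")


def decode_stamp(stamp: str) -> dict:
    """Strict parse: every field must fit inside the data, and nothing may be left over."""
    data = _b64url_decode(stamp.removeprefix("sdns://"))
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError(f"field at offset {pos} needs {n} byte(s) but only {len(data) - pos} remain")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    proto = take(1)[0]
    if proto not in (0x02, 0x03):
        raise ValueError(f"protocol byte 0x{proto:02x} is not DoH or DoT")
    props = int.from_bytes(take(8), "little")
    addr = take(take(1)[0]).decode()
    hashes = []
    while True:                      # VLP: high bit of each length byte means "more follow"
        vlen = take(1)[0]
        if vlen & 0x7F:
            hashes.append(take(vlen & 0x7F).hex())
        if not vlen & 0x80:
            break
    hostname = take(take(1)[0]).decode()
    path = take(take(1)[0]).decode() if proto == 0x02 else None
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing byte(s) after the last field")
    return {"proto": PROTOCOLS[proto], "addr": addr, "hostname": hostname, "path": path,
            "hashes": hashes, "dnssec": bool(props & PROP_DNSSEC),
            "nolog": bool(props & PROP_NOLOG), "nofilter": bool(props & PROP_NOFILTER)}


def stamp_error(stamp: str):
    """None if the stamp parses cleanly, otherwise the parser's complaint."""
    try:
        decode_stamp(stamp)
        return None
    except ValueError as e:
        return str(e)


def encode_dot_stamp(addr: str, hostname: str, props: int = 0, hashes=()) -> str:
    """Build a DoT stamp; `hashes` are hex SHA-256 digests of certificates to pin (usually none)."""
    body = bytes([0x03]) + props.to_bytes(8, "little") + _lp(addr.encode())
    digests = [bytes.fromhex(h) for h in hashes]
    if not digests:
        body += b"\x00"
    for i, d in enumerate(digests):
        more = 0x80 if i < len(digests) - 1 else 0
        body += bytes([len(d) | more]) + d
    body += _lp(hostname.encode())
    return "sdns://" + _b64url_encode(body)


# A well-formed DoT stamp for the page's server.  The property bits are copied from the
# page's stamp as-is; "nofilter" is odd for a blocklist resolver, but that is what it set.
XELTOR_DOT_STAMP = encode_dot_stamp("63.250.54.8:853", "dot.xel-serv.com",
                                    props=PROP_DNSSEC | PROP_NOLOG | PROP_NOFILTER)

if __name__ == "__main__":
    print("page stamp protocol:", stamp_protocol(PAGE_STAMP))
    print("page stamp problem: ", stamp_error(PAGE_STAMP))
    print("well-formed DoT:    ", XELTOR_DOT_STAMP)
    print(decode_stamp(XELTOR_DOT_STAMP))
```

Running it prints DoH for the page's stamp, the offset at which its parse runs out of data, and the corrected DoT stamp. Whatever stamp a provider hands you, run it through decode_stamp first: the hostname field is the name your client validates the certificate against, so it must match the name the provider advertises, and the property bits are what dnscrypt-proxy's require_* settings filter on.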

Verification

  1. resolvectl status should list 63.250.54.8#dot.xel-serv.com and 86.90.92.105#dot.xel-serv.com with DNS over TLS reported as yes (systemd-resolved and NetworkManager routes). With Stubby or dnscrypt-proxy in front, resolvectl shows only the local listener, if anything; check journalctl -u stubby or journalctl -u dnscrypt-proxy instead.
  2. dig ads.facebook.com should return status: NXDOMAIN in the header, and the SERVER: line at the bottom should name the resolver you configured (127.0.0.53 for the systemd stub, 127.0.0.1 for Stubby). A real address in the answer means the query did not go through Xeltor.
  3. While running a few queries, confirm that no plaintext DNS leaves the host; only port 853 traffic should appear, so this capture should stay silent:
    sudo tcpdump -ni any '(udp port 53 or tcp port 53) and not net 127.0.0.0/8 and not host ::1'
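
As an added example that is not part of Xeltor's page, the following script reproduces the verification independently of any resolver configuration: it opens a TLS session to each Xeltor address with dot.xel-serv.com as SNI, validates the certificate against that name using the system trust store, sends one A query for ads.facebook.com with the two-byte length framing DNS over TLS requires, and reports the RCODE. The addresses, the server name and the expectation of NXDOMAIN for a blocked name come from the page; the fixed query ID and the constructed reply used for the offline checks are my own.

```python
"""Probe a DNS-over-TLS resolver the way a strict client does: connect to the IP,
send the server name for SNI, validate the certificate against that name, send one
length-prefixed query (RFC 7858) and report the RCODE.  Added example, not from
Xeltor's page.  Network I/O is confined to probe_dot(); the framing helpers are pure
and are exercised on a constructed reply so they can be checked offline."""
import socket
import ssl
import struct

XELTOR = [("63.250.54.8", "dot.xel-serv.com"), ("86.90.92.105", "dot.xel-serv.com")]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QID = 0x1234  # fixed ID so the reply can be matched; a real client picks a random one


def build_query(name: str, qtype: int = 1, qid: int = QID) -> bytes:
    """Wire-format query for `name` (default type A), with the two-byte length prefix DoT requires."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


def parse_response(frame: bytes, expected_qid: int = QID):
    """Strip the length prefix, check ID and QR/TC bits, return (rcode name, answer count)."""
    if len(frame) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("short or truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_qid:
        raise ValueError("response ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    if flags & 0x0200:
        raise ValueError("TC bit set: truncation should not happen over TCP/TLS")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), an


def recv_exact(sock, n: int) -> bytes:
    """TCP gives a byte stream, so read until exactly n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_dot(ip: str, server_name: str, name: str = "ads.facebook.com", timeout: float = 5.0):
    """One query over a fresh TLS session; raises if the certificate does not validate for server_name."""
    ctx = ssl.create_default_context()  # system CA store; hostname checked against server_name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_query(name))
            head = recv_exact(tls, 2)
            (length,) = struct.unpack("!H", head)
            return parse_response(head + recv_exact(tls, length))


def fake_response(query_frame: bytes, rcode: int) -> bytes:
    """Constructed reply for offline testing (not captured from Xeltor): echoes the question, no answers."""
    msg = query_frame[2:]
    flags = struct.pack("!H", 0x8180 | (rcode & 0xF))  # QR=1, RD=1, RA=1
    body = msg[:2] + flags + msg[4:6] + b"\x00" * 6 + msg[12:]
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for ip, server_name in XELTOR:
        try:
            print(ip, server_name, *probe_dot(ip, server_name))
        except (OSError, ValueError) as e:  # ssl errors are OSError subclasses
            print(ip, server_name, "FAILED:", e)
```

A certificate that does not validate for dot.xel-serv.com surfaces as ssl.SSLCertVerificationError, which is exactly the condition a strict client must treat as failure rather than fall back from; an NXDOMAIN answer over the verified session shows that the blocklist is applied by that server and not by something between you and it.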