DNS over TLS: clients <-> ipfire


I just saw in the connection details of Windows 11 that the DNS server (ipfire) is not secure. How do I configure Ipfire and/or Windows to use DNS over TLS and therefore “a secured connection” between client and ipfire?

Thanks in advance.


To get IPFire using DNS over TLS to the DNS servers you have selected, first change the protocol drop-down box from UDP or TCP to TLS. This is on the Domain Name System menu page under Network.

Then you will need to edit each of your selected DNS servers and ensure that you have the correct TLS Hostname entered. This entry is not required for UDP or TCP and so is often left blank by people but it is required for TLS to work properly.
If any of them are blank then find the correct hostname from the wiki page in the DNS-over-TLS service section.

After editing all servers, if you press the Check DNS Servers button then all the servers should show up with a green OK status.

This now ensures that IPFire is using DNS over TLS for all DNS communication from IPFire to DNS servers on the internet.

To ensure that clients on your LAN behind IPFire are using DNS over TLS, this needs configuration on each client.
On Linux clients you need to turn on the DNSOverTLS line in the config file of whatever resolver is being used, such as systemd-resolved or stubby etc.
I don’t know how to do this for Windows, as I don’t use it, but it should be searchable. Maybe search for “windows 11 DNS over TLS” or something similar.
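Added example, not part of the original posts and not IPFire's own code: a small Python check that sends one query over DNS over TLS (TCP port 853, 2-byte length framing) and validates the server certificate against the TLS hostname, which is why that field cannot be left blank. The function names are illustrative; the server IP and TLS hostname are arguments you supply from your own server list.

```python
import socket
import ssl
import struct
import sys

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(message):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message

def dot_context():
    """TLS context that requires a valid certificate matching the hostname."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def recv_exact(sock, n):
    """Read exactly n bytes; TCP/TLS may deliver a reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def check_dot_server(ip, tls_hostname, name="example.com", timeout=5):
    """Return the DNS RCODE (0 = NOERROR). A wrong TLS hostname raises
    ssl.SSLCertVerificationError before any query is sent."""
    query = build_query(name)
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with dot_context().wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            reply = recv_exact(tls, length)
    if len(reply) < 12 or reply[:2] != query[:2]:
        raise ValueError("short reply or transaction ID mismatch")
    return reply[3] & 0x0F  # low 4 bits of the second flags byte

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: script.py <server-ip> <tls-hostname>")
    else:
        print("RCODE:", check_dot_server(sys.argv[1], sys.argv[2]))
```

Run it with a server's IP and its TLS hostname; a certificate verification error means the hostname does not match what the server presents.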


As a followup I had a bit of a search around and I found that for Windows most of the searches came up with DNS over HTTPS (DoH) only and virtually nothing with DNS over TLS (DoT).

It seems that if you want to have DoT on Windows you have to use something like Stubby, which is an Open Source project which also has a Windows version. I was not able to find anything about using DoT natively with Windows.

If you were to turn on the DoH on Windows then all your browser DNS queries would bypass IPFire because they would be issued as HTTPS requests on port 443 and would go to the small pool of DoH servers, which would then forward them to a DNS server on the internet.

If you just have a home network setup then you could also leave the DNS requests as normal on your LAN. They would then go to IPFire and would then be encrypted before going out to the internet.

If anyone external could intercept your DNS communications on your local LAN then there is a different type of problem. It depends very much on who is using clients on your local LAN.


Yep, it’s not DoT but DoH. However, I’d never heard of DoH before I found this option in the Firefox manual proxy settings. But it looks like DoH works with IPFire. I’ve tried it by setting up this option manually and DNS still worked fine. However, I’m looking for a way to set up any client automatically to use DoH, DoT or any secure/encrypted way for DNS by DHCP.

I’m not sure if that’s even possible because the DHCP protocol may not support this option.