Every time your system needs to know the IP address of a domain, it uses DNS. When contacting your DNS server, it sends the domain that you’re trying to access in plain text, for anyone in the middle to see. It also means responses can easily be spoofed, so there are clear risks involved.
Your Linux distro may have a way of tightening up these security holes, but are you using it? By default, you’re probably blissfully unaware of the problem, so you should at least investigate further. Or you could let one of these distros take on the heavy lifting for you.
Tails OS
Extreme levels of privacy and security
Tails (The Amnesic Incognito Live System) is a Gentoo-derived distro that forgets everything you’ve done when you shut it down. While there is some provision for persistence, its default behavior is to run in RAM, avoid writing to hard disk, and route all traffic through the Tor network for complete anonymity.
Tails was designed to operate as a live distribution, meaning you can run it entirely from a USB stick. Plug it into any computer, go about your work, then unplug it, safe in the knowledge that what you did was anonymous, including any DNS lookups.
Because of its unique design, Tails can be slower than alternatives. The Tor network is inherently slow because of the additional rerouting and encryption it performs. Running the OS in memory is great for performance, provided you have enough RAM; it’s definitely not one for older hardware.
Linux Kodachi
Not for the faint-hearted, but a robust offering
Linux Kodachi is a distro based on Debian Linux, with a focus on computer security and anonymity. It uses the DNSCrypt protocol to secure your DNS queries with several complementary methods:
- First and foremost, DNSCrypt encrypts your DNS lookups using its own cryptographic protocol. This does not rely on Certificate Authorities or the TLS protocol.
- DNSCrypt also pads queries and responses, an extra security measure that shields useful information from the eyes of hackers.
- Finally, DNSCrypt also routes your queries through additional resolvers, adding another layer of privacy.
Kodachi also uses the Tor network to route queries through yet another layer of privacy. The distro is quite an unusual one, but it has sensible defaults and is an excellent choice for a system that deals with this one very specific requirement. But you’ll need to be comfortable using a niche distro with a unique approach.
Red Hat Enterprise Linux
For business-focused peace of mind
Red Hat Enterprise Linux (RHEL) is a long-running commercial distro that targets businesses and professionals. As such, it has a focus on stability, security, and long-term support.
As part of its security commitment, RHEL bakes in DNS over TLS (DoT), and it does so from the installation process onwards, meaning you’re always protected. Red Hat opts for DoT rather than the competing DNS over HTTPS (DoH) because of its better support for forwarding queries.
RHEL also uses Unbound, a DNS caching resolver, to act as a local DNS proxy. This translates local non-encrypted DNS requests to encrypted DNS requests before sending them to remote DNS servers.
NixOS
Full control at your fingertips
NixOS is another distro with an unusual approach; this time, it comes down to package management and configuration. When you’re setting NixOS up, you declare exactly how you want your OS set up. Then, by rebuilding NixOS, you’ll get everything you need installed, with any conflicts handled automatically, guaranteeing a stable system.
You can even roll back to a previous version of the OS if you ever do find yourself in an undesirable state. And configuration via a text file gives you a system that’s very easy to reproduce, should you upgrade your computer or need to replicate your setup on a second one.
NixOS also supports encrypted DNS, but it’s off by default. However, the easy and reproducible configuration means that when you’ve dealt with setting it up once, you should be good to go. The process can be as simple as editing /etc/nixos/configuration.nix and enabling DoT:
networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
services.resolved = {
enable = true;
dnsovertls = "true";
};
Ubuntu
Not perfect, but possible
You may be looking for some reassurance that your existing distro can offer some of what the others do. Well, if your distro is Ubuntu (and it probably is), then there’s some good news in store. Although it’s not enabled by default, DNS encryption is supported by Ubuntu too; you just need to turn it on.
Ubuntu uses the systemd-resolved daemon to resolve network names. To enable DNS encryption globally, edit /etc/systemd/resolved.conf and make sure you have the following directive set:
DNSOverTLS=yes
It’s that simple to protect yourself against DNS leaks and spoofs.
Private DNS is nice to have, but it’s not as private as you think
Most Linux distros choose to leave encrypted DNS disabled by default, even though they usually include full support for it. But some go the extra mile, baking in DNS privacy as a fundamental service, and if the issue is important to you, they’re worth checking out.
However, even with encrypted DNS enabled, you should bear in mind that it’s not as private as you may think.

