How to Secure DNS and NTP in Fedora Linux

Posted on June 19, 2026

Many people assume that a freshly installed Linux system already talks to the internet safely, but two of its most basic services use neither authentication nor encryption by default: time synchronisation and name resolution. If your machine asks a plain NTP server for the time, an attacker who can sit on the path (on the same Wi-Fi, for example) can spoof the replies and drag your clock forward or backward. Wrong time breaks more than web browsing: TLS certificate validity checks, DNSSEC signature lifetimes, Kerberos tickets and log timestamps all depend on it, and a clock that is far enough off will make HTTPS sites fail to load. Plain DNS has the opposite problem: every query leaves your computer in clear text, so your ISP or anyone on the local network can see which names you look up and, if they are on the path, forge the answers. This guide fixes both problems on Fedora by configuring Network Time Security (NTS) in chrony for the clock and DNS-over-TLS (DoT) in systemd-resolved for name resolution.

Time comes first, because everything else that relies on certificates or signatures depends on it. Fedora (and many other distributions) manages the clock with chronyd, and the stock /etc/chrony.conf points at the public Fedora NTP pool (2.fedora.pool.ntp.org) with no authentication at all. An attacker in the middle of that connection can feed chronyd false time, which is a real problem for anything that verifies cryptographic signatures or certificate lifetimes. Network Time Security (NTS, RFC 8915) closes that hole. It does not simply tunnel NTP inside TLS: the client first performs a TLS handshake with the server's NTS key-establishment (NTS-KE) service on TCP port 4460, verifies the server certificate and obtains keys and cookies; the normal UDP NTP exchange on port 123 then carries authenticated extension fields, so a tampered or spoofed reply is rejected. Cloudflare, Netnod and NIST, among others, run public NTS servers that anyone can use, and this guide swaps them in for the unauthenticated pool.

The following steps configure NTS in chrony. Open a terminal and run them in order.

Step 1: Disable the unauthenticated pool in the chrony configuration. The quickest way is to let sed comment out every line that starts with pool:

sudo sed -i 's|^pool .*|# &|' /etc/chrony.conf

This matches every line in /etc/chrony.conf that begins with pool and prefixes it with #, so chronyd ignores those sources. Two caveats: any plain server lines you added earlier are not touched by this pattern and need the same treatment, and Fedora's stock file also contains sourcedir /run/chrony-dhcp, which lets NTP servers handed out by DHCP be added without authentication. Comment that line out as well unless you deliberately trust the DHCP server on your network.

Step 2: Append the NTS sources to the end of the same file. tee -a appends without clobbering the rest of the configuration:

sudo tee -a /etc/chrony.conf > /dev/null <<'EOF'
#NTS-secured time sources
server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts
server time.nist.gov iburst nts
EOF

This adds one server each from Cloudflare, Netnod and NIST. iburst sends a quick burst of requests at start-up so the first synchronisation happens in seconds instead of minutes. nts is the important option: it tells chronyd to perform the NTS-KE handshake (TCP port 4460, so outbound traffic to that port must be allowed by your firewall) and to accept only authenticated NTP packets from that server; if the handshake or the packet authentication fails, the source is not used for time at all. Three independent sources are kept so that chrony can still outvote a single misbehaving server.

Step 3: chronyd only reads its configuration at start-up, so restart the service to load the changes:

sudo systemctl restart chronyd

Step 4: Verify that the NTS handshake succeeded and that the system is actually using authenticated time. chronyc can print the authentication state of each source (-N shows the names as configured instead of resolved addresses):

chronyc -N authdata

The output lists every configured server with a Mode column. A value of NTS there means the NTS-KE handshake completed, the certificate was verified and chronyd holds cookies for that server; a dash means the source is unauthenticated, typically because port 4460 is blocked, the name could not be resolved, or the system clock was so far off that the server certificate looked invalid. Follow up with chronyc sources to confirm that one of the NTS servers is marked with * as the selected synchronisation source. Only then is your clock protected against on-path manipulation.
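The four chrony steps above, collected into one script that can be re-run safely, as an added example that is not part of the original post. It comments out every pool or server line that lacks the nts option (plus Fedora's sourcedir /run/chrony-dhcp line, so DHCP-supplied servers cannot slip back in), appends the three NTS sources only once, and then parses chronyc -N authdata so the script exits non-zero if any source is not in NTS mode or chronyc could not reach the daemon. Run it as root with the argument apply to change the system; without an argument it only defines the functions. The script name, the apply argument, and the sample authdata lines in the comments are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): idempotent chrony NTS hardening
# with a verification step that parses `chronyc -N authdata`.
# Usage: sudo ./nts-harden.sh apply   (no argument: only define the functions)
set -eu

# Rewrite the chrony.conf at $1: comment out every active pool/server line
# that lacks the nts option, comment out the DHCP source directory that the
# Fedora package ships (sourcedir /run/chrony-dhcp), and append the NTS
# sources exactly once.
harden_chrony_conf() {
    local conf="$1"
    sed -i -E \
        -e '/^[[:space:]]*(pool|server)[[:space:]]/{/[[:space:]]nts([[:space:]]|$)/!s/^/# /;}' \
        -e 's|^sourcedir /run/chrony-dhcp|# &|' \
        "$conf"
    # The marker comment makes a second run a no-op instead of duplicating servers.
    if ! grep -q '^# NTS-secured time sources$' "$conf"; then
        cat >> "$conf" <<'EOF'
# NTS-secured time sources
server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts
server time.nist.gov iburst nts
EOF
    fi
}

# Print the number of active pool/server lines in $1 that are NOT NTS-protected.
# The goal state is 0. (grep -c exits 1 when the count is 0, hence the || true.)
count_unauthenticated_sources() {
    { grep -E '^[[:space:]]*(pool|server)[[:space:]]' "$1" || true; } \
        | { grep -vcE '[[:space:]]nts([[:space:]]|$)' || true; }
}

# Read `chronyc -N authdata` on stdin. Print every source whose Mode column is
# not NTS and return 1 if there is any such source, or no sources at all
# (an empty list, e.g. "506 Cannot talk to daemon", must not pass vacuously).
# Constructed sample of the real layout (two header lines, then one per source):
#   Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
#   =========================================================================
#   time.cloudflare.com          NTS     1   15  256 135m    0    0    8  100
check_nts_authdata() {
    awk 'BEGIN { n = 0; bad = 0 }
         NR > 2 && NF >= 2 { n++; if ($2 != "NTS") { print "not NTS: " $1; bad++ } }
         END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

if [ "${1:-}" = "apply" ]; then
    harden_chrony_conf /etc/chrony.conf
    echo "unauthenticated sources left: $(count_unauthenticated_sources /etc/chrony.conf)"
    systemctl restart chronyd
    sleep 5   # give the NTS-KE handshakes (TCP 4460) a moment to complete
    chronyc -N authdata | tee /dev/stderr | check_nts_authdata
    echo "all configured sources are NTS-authenticated"
fi
```

The verification deliberately fails when authdata lists no sources, because an empty list would otherwise pass. A dash in the Mode column a few seconds after the restart usually means TCP port 4460 is blocked outbound or the server name could not be resolved.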

With the clock trustworthy, the second problem is DNS. Every connection starts with a lookup, and by default that lookup travels as clear-text UDP, so anyone on the path can log which names you resolve or forge the reply and send you to a different server. DNS-over-TLS (DoT, RFC 7858) wraps the query in a TLS session to a resolver you choose, which hides it from the local network and your ISP and prevents anyone between you and that resolver from tampering with it. Be clear about what it does not do: the resolver operator still sees your queries, and DoT alone does not stop the resolver itself from lying; that is what DNSSEC validation is for. We configure both in systemd-resolved, which is the default stub resolver on Fedora and many other modern systems.

Here are the steps to configure DNS-over-TLS in systemd-resolved.

Step 1: Create a drop-in directory so the settings live in their own file instead of in /etc/systemd/resolved.conf, which package updates may replace:

sudo mkdir -p /etc/systemd/resolved.conf.d

Step 2: Create the drop-in file with the resolver settings. Cloudflare (1.1.1.1, 1.0.0.1) and Quad9 (9.9.9.9) are used because both support DNS-over-TLS and DNSSEC:

sudo tee /etc/systemd/resolved.conf.d/cfg-dot.conf > /dev/null <<'EOF'
[Resolve]
DNS=1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one 9.9.9.9#dns.quad9.net
DNSOverTLS=yes
DNSSEC=allow-downgrade
FallbackDNS=
Cache=yes
DNSStubListener=yes
EOF

The options deserve a closer look. DNS= lists the resolvers by IP address, and the hostname after # matters: in strict DNSOverTLS mode systemd-resolved sends that name as the TLS server name and validates the server's certificate against it, so a server presenting the wrong certificate is rejected instead of silently accepted. DNSOverTLS=yes is strict mode: every query to these servers goes over TLS, and if a TLS session cannot be established the query fails rather than falling back to clear text (DNSOverTLS=opportunistic would fall back, which is useless against an active attacker). DNSSEC=allow-downgrade turns on signature validation, but with the caveat the name gives away: if the upstream resolver appears not to support DNSSEC, validation is switched off rather than failing, and an on-path attacker could try to trigger exactly that. It is still a reasonable default here because the TLS channel already protects the path to the resolver; DNSSEC=yes is the strict choice where failed resolution is preferable to unverified answers. Unsigned zones are accepted under either setting; DNSSEC only rejects answers from signed zones whose signatures do not verify. FallbackDNS= set to the empty string clears the compiled-in fallback resolvers, so a problem with the chosen servers cannot quietly route queries elsewhere. Cache=yes keeps a local cache so repeated lookups for the same name are answered locally. DNSStubListener=yes keeps the local stub listening on 127.0.0.53, which is what /etc/resolv.conf points at on Fedora; that is how ordinary programs that only know about /etc/resolv.conf end up going through the TLS-protected resolver.

Step 3: Restart systemd-resolved so it picks up the drop-in:

sudo systemctl restart systemd-resolved

Step 4: Check that the settings are in effect and DNS-over-TLS is active. resolvectl status prints the global and per-interface state; the grep keeps only the relevant lines:

resolvectl status | grep -E "DNS Server|DNSOverTLS|DNSSEC"

The DNS Servers line should list the Cloudflare and Quad9 addresses with their hostnames, and the Protocols line should contain +DNSOverTLS. DNSSEC is shown in the same line as DNSSEC=allow-downgrade/supported once the resolver has passed systemd-resolved's DNSSEC probe (allow-downgrade/unsupported means validation has been downgraded). Older systemd versions print the same information as separate DNSOverTLS setting: yes and DNSSEC setting: allow-downgrade lines. Look at the per-interface sections too: if NetworkManager pushed DHCP-supplied resolvers to the interface, they are listed there, and because DNSOverTLS=yes applies to them as well, a DHCP resolver that does not speak DoT will fail rather than leak. That is the safe outcome, but it can look like a broken network until the DHCP resolver is removed from the connection.

Step 5: Finally, run a real lookup to make sure resolution still works end to end:

resolvectl query skillversitas.com

If the query returns the addresses for the name without an error, DNS-over-TLS is working. For positive proof that the query left over TLS rather than clear text, look at the host's established TCP connections to port 853 right after the lookup, or run resolvectl statistics to see the cache and DNSSEC verdict counters.
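The systemd-resolved steps above as one script, added here as an example and not part of the original post. It generates the drop-in from a list of ADDRESS#HOSTNAME entries and refuses any entry without the hostname that strict DNSOverTLS needs for certificate validation, checks that /etc/resolv.conf really is the resolved stub file (otherwise programs bypass the TLS-protected path), and parses resolvectl status to confirm +DNSOverTLS globally with no per-link clear-text override. Run it as root with the argument apply; with no argument it only defines the functions. The script name, the apply argument, the DNSSEC_MODE environment variable, example.com as the test query and the sample resolvectl output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): build the systemd-resolved DoT
# drop-in from a server list, reject entries without the hostname that strict
# DNSOverTLS needs for certificate validation, and check `resolvectl status`.
# Usage: sudo ./dot-setup.sh apply   (no argument: only define the functions)
set -eu

# A DNS= entry must be ADDRESS#HOSTNAME. The hostname is sent as the TLS server
# name and the server certificate is validated against it; without it any
# server presenting some valid certificate would be accepted.
validate_dns_entry() {
    local addr="${1%%#*}" host="${1#*#}"
    [ "$addr" != "$1" ] || return 1                          # no '#' at all
    case "$addr" in ''|*[!0-9a-fA-F.:]*) return 1 ;; esac      # not an IPv4/IPv6 literal
    case "$host" in ''|*'#'*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

# Print the drop-in for the entries given as arguments. Export DNSSEC_MODE=yes
# for strict validation; the default matches the post (allow-downgrade).
render_resolved_dropin() {
    local entry
    for entry in "$@"; do
        validate_dns_entry "$entry" \
            || { echo "rejected '$entry': need ADDRESS#HOSTNAME" >&2; return 1; }
    done
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\nDNSSEC=%s\nFallbackDNS=\nCache=yes\nDNSStubListener=yes\n' \
        "$*" "${DNSSEC_MODE:-allow-downgrade}"
}

# Read `resolvectl status` on stdin. Succeed only if the Global section shows
# +DNSOverTLS with DNSSEC reported as supported, and no Link section carries a
# -DNSOverTLS override (that link's queries would go out in clear text).
check_resolved_status() {
    awk 'BEGIN { sec = ""; global_ok = 0; dnssec_ok = 0; link_bad = 0 }
         /^Global/ { sec = "global" }
         /^Link /  { sec = "link" }
         /Protocols:/ {
             if (sec == "global" && $0 ~ /[+]DNSOverTLS/) global_ok = 1
             if (sec == "global" && $0 ~ "DNSSEC=(yes|allow-downgrade)/supported") dnssec_ok = 1
             if (sec == "link" && $0 ~ /[-]DNSOverTLS/) { link_bad = 1; print "clear-text override: " $0 }
         }
         END { if (global_ok && dnssec_ok && !link_bad) exit 0; exit 1 }'
}

# /etc/resolv.conf (or the path in $1) must be a symlink to the resolved stub
# file; Fedora uses a relative link, so only the tail of the target is compared.
check_resolv_conf() {
    case "$(readlink "${1:-/etc/resolv.conf}" 2>/dev/null || true)" in
        *run/systemd/resolve/stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "apply" ]; then
    mkdir -p /etc/systemd/resolved.conf.d
    render_resolved_dropin '1.1.1.1#one.one.one.one' '1.0.0.1#one.one.one.one' '9.9.9.9#dns.quad9.net' \
        > /etc/systemd/resolved.conf.d/cfg-dot.conf
    systemctl restart systemd-resolved
    check_resolv_conf || { echo "/etc/resolv.conf is not the systemd-resolved stub" >&2; exit 1; }
    resolvectl query example.com > /dev/null      # forces a TLS session to be opened
    resolvectl status | check_resolved_status
    ss -tn state established '( dport = :853 )'   # the live DoT sessions
    echo "DNS-over-TLS active"
fi
```

The final ss call lists the established TCP connections to port 853, which is the most direct evidence that queries are leaving over TLS: with strict mode working you should see a connection to at least one of the configured resolver addresses right after the test query.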

Combining the two creates a bootstrap dependency you should understand. chronyd has to resolve names such as time.cloudflare.com before it can reach the NTS servers, and both the NTS-KE handshake and the DNS-over-TLS session validate certificates, which needs a clock that is at least roughly correct (DNSSEC signatures carry validity periods too). If the clock is badly wrong at boot, systemd-resolved rejects the resolver's certificate, chrony cannot resolve the time servers, and nothing can correct the clock. Listing the resolvers by IP address in DNS= does not avoid this; it is simply required, because you cannot resolve the name of your own resolver, and DNSSEC=allow-downgrade has nothing to do with clock skew. What actually mitigates the problem is that Fedora's chrony.conf enables rtcsync, so a working hardware clock usually carries good enough time across a reboot, and sets ntsdumpdir /var/lib/chrony, so chronyd saves its NTS keys and cookies on shutdown and can send authenticated NTP requests after a restart without a fresh NTS-KE handshake. On hardware with no battery-backed clock, chrony's nocerttimecheck directive relaxes the certificate validity-time check for NTS-KE (see chrony.conf(5) for its argument); it trades some certificate security for the ability to recover, so use it only where you need it.

In short, good network hygiene starts with the two services everything else depends on. A few minutes spent enabling NTS in chrony and strict DNS-over-TLS in systemd-resolved stop an on-path attacker from manipulating your clock and stop your ISP or local snoopers from reading or forging your DNS queries. The changes are small, and verifying them with chronyc -N authdata and resolvectl status tells you in seconds whether they actually took effect.
