# Enforce Cloudflare Family DNS on Ubuntu (End-to-End Guide)

## Goals

- Configure the system to use Cloudflare Family DNS (1.1.1.3 / 1.0.0.3).
- Force all DNS traffic to Cloudflare Family (iptables redirect).
- Make iptables rules persistent across reboots.
- Make the DNS config stable via `systemd-resolved`.
- Provide steps to test, revert, and harden (remove sudo).
## Quick Summary (commands)

```bash
# 1) Temporary fix (if required)
sudo rm -f /etc/resolv.conf
echo -e "nameserver 1.1.1.3\nnameserver 1.0.0.3" | sudo tee /etc/resolv.conf

# 2) Install persistence
sudo apt update
sudo apt install -y iptables-persistent

# 3) Configure systemd-resolved permanently
sudo bash -c 'cat >/etc/systemd/resolved.conf <<EOF
[Resolve]
DNS=1.1.1.3 1.0.0.3
DNSStubListener=no
EOF'
sudo systemctl restart systemd-resolved
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

# 4) Apply iptables rules (force DNS to 1.1.1.3)
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 1.1.1.3
sudo iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 1.1.1.3
# optional: reject DNS queries to other resolvers
sudo iptables -A OUTPUT -p udp --dport 53 ! -d 1.1.1.3 -j REJECT
sudo iptables -A OUTPUT -p tcp --dport 53 ! -d 1.1.1.3 -j REJECT

# 5) Save iptables permanently
sudo netfilter-persistent save
```
## Step-by-Step Instructions

### A. Temporary Recovery (if DNS broken)

```bash
sudo rm -f /etc/resolv.conf
echo -e "nameserver 1.1.1.3\nnameserver 1.0.0.3" | sudo tee /etc/resolv.conf
```

### B. Install iptables persistence

```bash
sudo apt update
sudo apt install -y iptables-persistent
```
### C. Configure systemd-resolved

Edit `/etc/systemd/resolved.conf`:

```ini
[Resolve]
DNS=1.1.1.3 1.0.0.3
DNSStubListener=no
```

Restart the service and point `/etc/resolv.conf` at the file systemd-resolved generates, so the system no longer uses the local stub listener:

```bash
sudo systemctl restart systemd-resolved
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
```
### D. Apply iptables rules

```bash
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 1.1.1.3
sudo iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 1.1.1.3
# Optional: block other resolvers
sudo iptables -A OUTPUT -p udp --dport 53 ! -d 1.1.1.3 -j REJECT
sudo iptables -A OUTPUT -p tcp --dport 53 ! -d 1.1.1.3 -j REJECT
```

### E. Persist rules

```bash
sudo netfilter-persistent save
```
### F. Test filtering

```bash
dig example.com
dig porn.com
```

Check iptables rules:

```bash
sudo iptables -t nat -L -n -v
sudo iptables -L -n -v
```

Reboot and confirm persistence.
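The manual checks above can be scripted so the same verification runs after setup and after every reboot. The script below is an added example, not part of the original guide: it assumes the resolver addresses and port-53 DNAT rules from sections C and D, reads `/etc/resolv.conf`, `iptables-save -t nat` and `dig` output when run with `--live`, and otherwise exercises constructed sample inputs so it can be read and run on any machine. The expectation that Cloudflare for Families answers a filtered name with `0.0.0.0` is an assumption of the script.

```shell
#!/bin/sh
# verify_family_dns.sh - confirm the enforcement from sections C, D and F is in place.
# Added example, not part of the original guide. Assumes the resolver addresses and
# port-53 DNAT rules the guide uses, and checks IPv4 iptables only. Run with --live
# on the configured host; with no argument it runs against the constructed samples below.

FAMILY_PRIMARY="1.1.1.3"
FAMILY_SECONDARY="1.0.0.3"
FAILURES=0

# Escape dots so an address can be used inside an extended regex.
ip_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# resolv_uses_family TEXT: every nameserver in resolv.conf content TEXT is a Family
# resolver and the primary is present. Fails on a leftover 127.0.0.53 stub entry.
resolv_uses_family() {
    printf '%s\n' "$1" | awk -v p="$FAMILY_PRIMARY" -v s="$FAMILY_SECONDARY" '
        $1 == "nameserver" { if ($2 == p) seen_p = 1; else if ($2 != s) bad = 1 }
        END { exit !(seen_p && !bad) }'
}

# rules_redirect_dns TEXT: TEXT is `iptables-save -t nat` output; require both the UDP
# and the TCP DNAT rule from section D so a missing protocol is caught.
rules_redirect_dns() {
    for proto in udp tcp; do
        printf '%s\n' "$1" | grep -Eq -e "^-A OUTPUT .*-p $proto .*--dport 53 .*-j DNAT --to-destination $(ip_regex "$FAMILY_PRIMARY")( |\$)" || return 1
    done
}

# dig_answered_by TEXT IP: the ";; SERVER:" trailer in dig output TEXT names IP, i.e.
# the query actually reached the Family resolver rather than some other one.
dig_answered_by() {
    printf '%s\n' "$1" | grep -Eq -e "^;; SERVER: $(ip_regex "$2")#53"
}

# answer_is_blocked TEXT: every A record in dig output TEXT is 0.0.0.0, the answer
# Cloudflare for Families returns for a filtered name (assumption of this script).
answer_is_blocked() {
    printf '%s\n' "$1" | awk 'BEGIN { ok = 1 }
        $4 == "A" { n++; if ($5 != "0.0.0.0") ok = 0 }
        END { exit !(n > 0 && ok) }'
}

# check LABEL CMD ARGS...: run one check, print its outcome, count failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; FAILURES=$((FAILURES + 1)); fi
}

# Constructed sample inputs (not captured from a real host) for the no-argument run.
SAMPLE_RESOLV='nameserver 1.1.1.3
nameserver 1.0.0.3
options edns0 trust-ad'
SAMPLE_NAT='-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.3
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.3'
SAMPLE_DIG=';; ANSWER SECTION:
porn.com.        300    IN    A    0.0.0.0

;; SERVER: 1.1.1.3#53(1.1.1.3) (UDP)'

main() {
    if [ "${1:-}" = "--live" ]; then
        resolv=$(cat /etc/resolv.conf)
        nat=$(sudo iptables-save -t nat)
        dig_out=$(dig porn.com A)      # the guide's own test domain from section F
    else
        resolv=$SAMPLE_RESOLV; nat=$SAMPLE_NAT; dig_out=$SAMPLE_DIG
    fi
    FAILURES=0
    check "resolv.conf lists only Family resolvers" resolv_uses_family "$resolv"
    check "nat OUTPUT redirects UDP and TCP port 53" rules_redirect_dns "$nat"
    check "dig answered by $FAMILY_PRIMARY" dig_answered_by "$dig_out" "$FAMILY_PRIMARY"
    check "filtered domain resolves to 0.0.0.0" answer_is_blocked "$dig_out"
    [ "$FAILURES" -eq 0 ]
}

main "$@"
```

Run `sh verify_family_dns.sh --live` on the host after step F and again after the reboot; it needs sudo for `iptables-save`. The checks cover IPv4 port 53 only: the guide's rules do not touch ip6tables, and a client that resolves over DNS over HTTPS (443) or DNS over TLS (853) bypasses both the redirect and this script.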
## Notes

- Root can always override if you still have sudo.
- For true lock-down: remove yourself from `sudoers` after setup or randomize the root password.
- To revert, flush iptables and reset `/etc/systemd/resolved.conf`.