negative zero

DNS-over-TLS on the PinePhone

2023 March 4

[dns] [pinephone] [privacy] [tech] [tutorial]


As before, let's set up DNS-over-TLS, but this time on Mobian on the PinePhone.

Mobian uses systemd-resolved by default, which makes this pretty easy. I just edited /etc/systemd/resolved.conf and changed the following:


# In the [Resolve] section; server lists are space-separated
DNS=9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net
FallbackDNS=149.112.112.112#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSSEC=yes
DNSOverTLS=yes

I restarted systemd-resolved and NetworkManager, and everything seems to be working fine so far!

(Note, I did enable DNSSEC, but you may not want to. That's up to you.)

You can run resolvectl to check your DNS configuration. Per the Arch Wiki's recommendation, I checked that this setup was working using ngrep. In terminal 1:

sudo ngrep port 53

In terminal 2:

sudo ngrep port 853

In terminal 3:

dig negativezero.link

Terminal 1 does not output anything in response to the dig command. Terminal 2 shows encrypted data.
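
To catch a configuration that would quietly allow plaintext lookups before reaching for ngrep, here is an added example (not part of the original post) that lints a resolved.conf for the settings used above. The function name check_resolved_conf is hypothetical, and the sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint a resolved.conf for strict DNS-over-TLS.
# check_resolved_conf is a hypothetical helper name, not a systemd tool.
# Prints one finding per line and returns the number of findings (0 = clean).
check_resolved_conf() {
    conf=$1
    findings=0

    # Take the last DNSOverTLS= assignment in the file.
    dot=$(sed -n 's/^[[:space:]]*DNSOverTLS[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case $dot in
        yes|true|on|1) ;;
        opportunistic)
            echo "DNSOverTLS=opportunistic: falls back to plaintext when the server offers no TLS"
            findings=$((findings + 1)) ;;
        *)
            echo "DNSOverTLS is '${dot:-unset}' in $conf, not yes"
            findings=$((findings + 1)) ;;
    esac

    set -f  # no globbing while splitting server lists (IPv6 may use brackets)
    for key in DNS FallbackDNS; do
        servers=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf")
        for entry in $servers; do
            case $entry in
                *'#'*) ;;  # address#server_name: certificate checked against the name
                *)
                    echo "$key=$entry has no #server_name: certificate is checked against the IP only"
                    findings=$((findings + 1)) ;;
            esac
        done
    done
    set +f
    return "$findings"
}

# Constructed sample config (not from the post) showing both findings.
sample=$(mktemp)
printf '%s\n' '[Resolve]' 'DNS=9.9.9.9 149.112.112.112#dns.quad9.net' \
    'DNSOverTLS=opportunistic' > "$sample"
check_resolved_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as check_resolved_conf /etc/systemd/resolved.conf; an exit status of 0 means every listed server carries a name for certificate validation and TLS is mandatory.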