michele-tn/IONOS VPS DNS Hardening Script v3.md

## IONOS VPS DNS Hardening Script v3.md

      
    Raw
  

              IONOS VPS DNS Hardening Script v3.md
            
          
    IONOS VPS DNS Hardening Script v3

This project provides a hardened Bash script to enforce persistent, secure DNS configuration
on Ubuntu VPS systems hosted on IONOS.
Key improvement vs v2: DHCP is still used for IP/gateway, but DHCP-provided DNS (IONOS 212.227.x.x) is ignored  — see technical discussion.

Features


Disables cloud-init network management (network config)
Disables netplan configuration generated by cloud-init
Enables systemd-networkd
Keeps DHCP for IP on ens6 but rejects DHCP DNS
Forces Cloudflare DNS on interface ens6
Enables DNS-over-TLS using systemd-resolved
Adds Quad9 as fallback DNS provider
Makes DNS configuration persistent across reboots


DNS Providers Used

Primary

1.1.1.1
1.0.0.1

Fallback

9.9.9.9
149.112.112.112

All DNS queries are encrypted using DNS-over-TLS.

Why IONOS DNS still appeared before (and how v3 fixes it)

IONOS typically injects DNS via DHCP. Even if you set DNS= in [Network], systemd-networkd may still
accept and expose the DHCP DNS unless you explicitly disable it.
v3 adds:
[DHCPv4]
UseDNS=no

[DHCPv6]
UseDNS=no
This keeps DHCP for addressing but prevents the resolver stack from learning/using the IONOS DNS servers.

Requirements


Ubuntu 20.04 / 22.04 / 24.04
VPS network interface name: ens6
Root privileges


Installation

Download and run:
chmod +x setup-dns-ionos-v3.sh
sudo ./setup-dns-ionos-v3.sh
sudo reboot

Verification

After reboot:
resolvectl status ens6
resolvectl status
Expected:

On link ens6: DNS Servers show 1.1.1.1 1.0.0.1
DNSOverTLS: yes
IONOS 212.227.x.x must not appear as active DNS servers


Note: depending on Ubuntu/systemd version, DHCP DNS might still be visible under “DHCP Server” info,
but it must not be selected as “DNS Servers” for the link nor as the “Current DNS Server”.


Files Created


/etc/systemd/network/10-ens6.network
/etc/systemd/resolved.conf.d/dns-hardened.conf
/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg


Rollback

sudo rm /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
sudo rm /etc/systemd/network/10-ens6.network
sudo rm /etc/systemd/resolved.conf.d/dns-hardened.conf
sudo mv /etc/netplan/50-cloud-init.yaml.bak /etc/netplan/50-cloud-init.yaml
sudo reboot
If /etc/resolv.conf was replaced and you want the previous one back, restore the backup created by the script:
/etc/resolv.conf.bak.<timestamp>.

Download


Scarica setup-dns-ionos.sh.xz
Checksum SHA-256

Sources (technical references)


systemd-networkd docs

https://www.freedesktop.org/software/systemd/man/systemd.network.html

https://www.freedesktop.org/software/systemd/man/systemd-networkd.service.html


systemd-resolved docs

https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html

https://www.freedesktop.org/software/systemd/man/resolved.conf.html


Ubuntu networking / netplan

https://ubuntu.com/server/docs/network-configuration

https://netplan.io/reference/


cloud-init networking

https://cloudinit.readthedocs.io/en/latest/topics/network-config.html


Cloudflare DNS

https://developers.cloudflare.com/1.1.1.1/setup/linux/


Quad9 DNS

https://www.quad9.net/service/service-addresses-and-features


DNS-over-TLS RFCs

RFC 7858 (DNS over TLS)

RFC 8310 (DNS Privacy Profiles)


Ubuntu stub resolver model

https://wiki.ubuntu.com/SystemdResolved
No results found