🔒 Leak-Free DNS on Linux Mint 22.2 Cinnamon (SmartDNS + systemd-resolved + NextDNS)

By default, Linux Mint 22.2 Cinnamon uses NetworkManager and your router’s or ISP’s DNS, which may leak queries in plaintext.
This guide shows how to route all DNS requests through SmartDNS, with NextDNS (DoH3 / DoH2) as the encrypted upstream — while keeping systemd-resolved for caching and stub resolution.

🧩 Architecture

Applications → 127.0.0.53:53 (systemd-resolved)
               → 127.0.0.1:65353 (SmartDNS)
               → NextDNS (DoH3 / DoH2, encrypted)

• systemd-resolved — local stub resolver (127.0.0.53)
• SmartDNS — local cache and resolver (127.0.0.1:65353)
• NextDNS — encrypted upstream resolver
• NetworkManager — DNS disabled and unmanaged

⚙️ Configuration

1️⃣ Disable NetworkManager DNS control

Create:

1sudo mkdir -p /etc/NetworkManager/conf.d
2sudo nano /etc/NetworkManager/conf.d/dns.conf

Paste:

1[main]
2dns=none
3rc-manager=unmanaged
4systemd-resolved=false

Restart NetworkManager:

1sudo systemctl restart NetworkManager

💡 Explanation

Together, these settings disable NetworkManager’s internal DNS management and hand full DNS control to systemd-resolved and SmartDNS.
This ensures no unwanted DNS overrides or leaks from DHCP and provides a stable, predictable DNS setup even when switching networks.

📝 Note:
The directive dns=none already implies rc-manager=unmanaged, meaning NetworkManager will not modify /etc/resolv.conf.
It’s included here explicitly for clarity and to ensure consistent behavior across distributions like Linux Mint.

2️⃣ Point systemd-resolved to SmartDNS

Create a drop-in:

1sudo mkdir -p /etc/systemd/resolved.conf.d
2sudo nano /etc/systemd/resolved.conf.d/smartdns.conf

Contents:

1[Resolve]
2DNS=127.0.0.1:65353
3FallbackDNS=
4DNSStubListener=yes

💡 Explanation

This configuration ensures all DNS queries are handled exclusively by SmartDNS, with no fallback to default or ISP resolvers, creating a fully leak-proof chain.

Apply:

1sudo systemctl restart systemd-resolved
2sudo resolvectl flush-caches

Verify:

1resolvectl status

Expected:

Current DNS Server: 127.0.0.1:65353
DNS Servers: 127.0.0.1:65353

3️⃣ Configure SmartDNS

Edit:

1sudo nano /etc/smartdns/smartdns.conf

Minimal configuration:

 1bind 127.0.0.1:65353
 2bind-tcp 127.0.0.1:65353
 3
 4server-tls 1.1.1.1:853 -bootstrap-dns -host-name cloudflare-dns.com
 5server-tls 8.8.8.8:853 -bootstrap-dns -host-name dns.google
 6
 7server-h3 h3://dns.nextdns.io/<YOUR_NEXTDNS_ID> -host-name dns.nextdns.io -tls-host-verify dns.nextdns.io
 8server-https https://dns.nextdns.io/<YOUR_NEXTDNS_ID> -host-name dns.nextdns.io -tls-host-verify dns.nextdns.io
 9
10ca-file /etc/ssl/certs/ca-certificates.crt
11ca-path /etc/ssl/certs

Replace <YOUR_NEXTDNS_ID> with your unique ID from
🔗 https://my.nextdns.io/setup

Restart SmartDNS:

1sudo systemctl restart smartdns

🧪 Verification

Check the resolver chain

1resolvectl status

✅ DNS = 127.0.0.1:65353

Confirm NextDNS

1dig @127.0.0.1 -p 65353 whoami.nextdns.io TXT +short

Expected:

"Your NextDNS ID"

Verify no leaks

1sudo tcpdump -ni any port 53

✅ No outbound DNS traffic to your router or ISP.

✅ Result

✔ SmartDNS listens only on 127.0.0.1:65353
✔ systemd-resolved forwards all DNS → SmartDNS
✔ NextDNS encrypts and filters DNS traffic
✔ No DHCP or ISP DNS overwrites
✔ Works flawlessly on Linux Mint 22.2 Cinnamon

🧾 Summary

Enjoy your private, encrypted, and leak-free DNS setup on Linux Mint 22.2 Cinnamon.