Fix Hostinger VPS; DNS Filtering & Enable DNS over TLS
Problem: Hostinger's default DNS filters certain subdomains (like router.huggingface.co) used by AI inference endpoints, breaking n8n HTTP requests and other services.
Solution: Override Hostinger DNS with Cloudflare/Google DNS and enable DNS over TLS for privacy.
Prerequisites
- Root or sudo access to your Hostinger VPS
- Ubuntu/Debian-based Linux (systemd system)
- Terminal/SSH access
Step-by-Step Installation
Step 1: Create systemd-resolved Configuration Directory
sudo mkdir -p /etc/systemd/resolved.conf.d
Step 2: Create Custom DNS Configuration File
sudo nano /etc/systemd/resolved.conf.d/dns.conf
Step 3: Add DNS Configuration with DoT (DNS over TLS)
Copy and paste the following configuration exactly:
[Resolve]
DNS=1.1.1.1 8.8.8.8
FallbackDNS=1.0.0.1 8.8.4.4
DNSSEC=no
Cache=yes
DNSOverTLS=yes
Configuration explanation:
- DNS=1.1.1.1 8.8.8.8 - Primary DNS servers (Cloudflare + Google)
- FallbackDNS=1.0.0.1 8.8.4.4 - Fallback DNS if primary fails (Cloudflare + Google)
- DNSSEC=no - Disable DNSSEC validation (prevents failures on incomplete DNSSEC networks)
- Cache=yes - Enable DNS answer caching for performance
- DNSOverTLS=yes - Enable DNS over TLS encryption (privacy + anti-filtering)
Step 4: Save Configuration
- Press Ctrl + X
- Press Y to confirm save
- Press Enter to confirm filename
Step 5: Create Symlink to systemd-resolved Stub Resolver
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Why stub-resolv.conf? This enables DNS caching and proper container networking. Do NOT use /run/systemd/resolve/resolv.conf.
Step 6: Restart systemd-resolved Service
sudo systemctl restart systemd-resolved
Step 7: Verify DNS Configuration
Check that DNS servers are properly configured:
resolvectl status
Expected output (Global section, abbreviated; the LLMNR/mDNS flags depend on your distribution's defaults):
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
DNS Servers: 1.1.1.1 8.8.8.8
Fallback DNS Servers: 1.0.0.1 8.8.4.4
Key verification points:
- ✅ DNS Servers: 1.1.1.1 8.8.8.8 (not Hostinger IP)
- ✅ resolv.conf mode: stub (indicates stub-resolv.conf is active)
- ✅ +DNSOverTLS (or DNSOverTLS setting: yes on older systemd releases) appears when you run: resolvectl status | grep -i dnsovertls
Step 8: Test DNS Resolution
Test that Hugging Face AI endpoint resolves correctly:
curl -I https://router.huggingface.co
Expected output (success):
HTTP/2 200 OK
HTTP/2 403 Forbidden
HTTP/2 404 Not Found
HTTP/2 503 Service Unavailable
Any HTTP status = SUCCESS (DNS resolved)
Failed output (problem):
curl: (6) Could not resolve host: router.huggingface.co
If you see "Could not resolve," verify Step 7 output and check /etc/systemd/resolved.conf.d/dns.conf syntax.
Step 9: Verify DNS over TLS is Active
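resolvectl status | grep -Ei "Protocols|DNSOverTLS|DNS Server"
Should show, for the global scope first (per-link entries follow; the LLMNR/mDNS flags vary by distribution):
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1 8.8.8.8
Fallback DNS Servers: 1.0.0.1 8.8.4.4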
Step 10: Restart n8n (if using Docker)
If n8n is running in Docker:
docker restart <n8n-container-name>
If n8n is system-installed:
sudo systemctl restart n8n
Wait 10-15 seconds for container to fully start.
Step 11: Verify n8n Container DNS (Docker Only)
docker exec <n8n-container-name> cat /etc/resolv.conf
Should show:
nameserver 127.0.0.53
options edns0 trust-ad
This confirms Docker is using the host's systemd-resolved service.
Step 12: Test in n8n Workflow
In your HTTP Request node:
- Ensure you're calling the problematic endpoint (e.g., Hugging Face router subdomain)
- Click Execute node or Execute workflow
- Check that the request succeeds (no DNS errors)
Persistence Check (Survives Reboot)
To verify the configuration persists after reboot:
sudo reboot
After reboot, reconnect and verify:
resolvectl status
Should still show DNS Servers: 1.1.1.1 8.8.8.8 (not Hostinger DNS).
Troubleshooting
DNS Still Shows Hostinger IP After Restart
Problem: DHCP overwrote your settings.
Solution:
sudo nano /etc/systemd/resolved.conf.d/dns.conf
Verify the file contains the [Resolve] section. If empty, re-paste the configuration.
Then:
sudo systemctl restart systemd-resolved
resolvectl status
DNS Over TLS Not Showing as Active
Problem: DNSOverTLS setting not registering.
Check syntax:
sudo cat /etc/systemd/resolved.conf.d/dns.conf
Verify:
- No extra spaces before [Resolve]
- No blank lines between settings
- File ends after DNSOverTLS=yes
Restart:
sudo systemctl restart systemd-resolved
resolvectl status | grep -i dnsovertls
curl Still Shows "Could not resolve"
Problem: systemd-resolved not fully restarted or symbolic link incorrect.
Solution:
# Check symlink target
ls -la /etc/resolv.conf
# Should show: /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
If it points elsewhere, rerun Step 5:
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved
Wait 5 seconds, then test:
curl -I https://router.huggingface.co
n8n Docker Container Still Fails After DNS Fix
Problem: Container cached old DNS settings.
Solution:
# Stop the n8n container
docker stop <n8n-container-name>
# Remove container (not image)
docker rm <n8n-container-name>
# Restart container (this forces it to inherit fresh host DNS)
docker run -d --name <n8n-container-name> [your-original-docker-run-command]
Or if using Docker Compose:
docker-compose down
docker-compose up -d
Testing DNS over TLS (Optional Advanced)
If you want to verify that your DNS queries are actually encrypted:
Monitor DNS Traffic
sudo tcpdump -i eth0 -n "port 853 or port 53"
Should see traffic on port 853 (DNS over TLS), not port 53 (unencrypted).
Press Ctrl + C to stop.
Query Specific DNS Server
dig @1.1.1.1 router.huggingface.co +short
Should return an IP address instantly.
Configuration Reference
What Each Setting Does
| Setting | Value | Purpose |
|---|---|---|
| DNS | 1.1.1.1 8.8.8.8 | Primary DNS servers (Cloudflare + Google) |
| FallbackDNS | 1.0.0.1 8.8.4.4 | Used if primary DNS unavailable |
| DNSSEC | no | Disable DNSSEC validation (prevents false failures) |
| Cache | yes | Cache DNS answers for 2-3x faster repeated lookups |
| DNSOverTLS | yes | Encrypt DNS queries (privacy + bypass filtering) |
Security Notes
- DNS over TLS: Encrypts your DNS queries, hiding them from ISP/Hostinger monitoring
- Fallback servers: Ensures DNS reliability (if Cloudflare is down, Google takes over)
- DNSSEC disabled: Prevents issues on networks with broken DNSSEC support
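The settings from Step 3 and the notes above can be checked mechanically. This added example (not part of the original guide) lints a drop-in file; the function names, finding labels and sample input are constructed here, and it also reports on two systemd-resolved options the guide does not use: the DNS=address#server_name form and Domains=~.

```shell
#!/bin/sh
# Added example: lint a systemd-resolved drop-in for the settings this guide relies on.
# Prints one finding per line (FAIL/WARN/INFO); function and finding names are made up here.
audit_resolved_dropin() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }            # blank lines and comments
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
        section == "[Resolve]" && index($0, "=") {      # keys outside [Resolve] are ignored
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            conf[key] = val
            seen = 1
        }
        END {
            if (!seen) { print "FAIL no-resolve-section: no keys under [Resolve]"; exit }
            dot = tolower(conf["DNSOverTLS"])
            if (dot == "opportunistic")
                print "WARN dot-opportunistic: falls back to plaintext DNS when TLS fails"
            else if (dot != "yes" && dot != "true" && dot != "1" && dot != "on")
                print "FAIL dot-off: queries leave the host unencrypted"
            if (conf["DNS"] == "")
                print "FAIL no-dns: no global DNS= servers set"
            # address#server_name pins the certificate check to a hostname.
            n = split(conf["DNS"] " " conf["FallbackDNS"], srv, " ")
            for (i = 1; i <= n; i++)
                if (index(srv[i], "#") == 0)
                    print "INFO no-tls-name " srv[i] ": certificate is matched against the IP only"
            if (tolower(conf["DNSSEC"]) == "no")
                print "INFO dnssec-off: answers are not validated, DoT protects transport only"
            # Domains=~. routes every lookup to the global servers ahead of per-link ones.
            if (index(" " conf["Domains"] " ", " ~. ") == 0)
                print "INFO no-route-all: per-link (DHCP) DNS servers may still be queried"
        }
    ' "$1"
}

# Constructed sample: the drop-in exactly as given in Step 3 of this guide.
guide_config() {
    printf '%s\n' '[Resolve]' 'DNS=1.1.1.1 8.8.8.8' 'FallbackDNS=1.0.0.1 8.8.4.4' \
        'DNSSEC=no' 'Cache=yes' 'DNSOverTLS=yes'
}

sample=$(mktemp) && guide_config > "$sample" && audit_resolved_dropin "$sample"
rm -f "$sample"
```

Run audit_resolved_dropin against /etc/systemd/resolved.conf.d/dns.conf after Step 4; the guide's configuration produces INFO findings only.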
Rollback (If Needed)
If you want to revert to Hostinger's default DNS:
# Remove custom configuration
sudo rm /etc/systemd/resolved.conf.d/dns.conf
# Restore original symlink
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# Restart
sudo systemctl restart systemd-resolved
# Verify
resolvectl status
Summary
After completing all 12 steps:
✅ Hostinger DNS filtering is bypassed
✅ All traffic to Hugging Face, OpenAI, Claude, and similar AI endpoints works
✅ DNS queries are encrypted (DNS over TLS)
✅ n8n HTTP requests succeed without DNS errors
✅ Configuration persists across reboots
✅ Fallback DNS provides reliability
Your Hostinger VPS now has the same DNS behavior as your Proxmox infrastructure.
Quick Reference Command Checklist
# Paste this entire block to run all steps at once:
sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/dns.conf > /dev/null << 'EOF'
[Resolve]
DNS=1.1.1.1 8.8.8.8
FallbackDNS=1.0.0.1 8.8.4.4
DNSSEC=no
Cache=yes
DNSOverTLS=yes
EOF
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved
resolvectl status
curl -I https://router.huggingface.co
docker restart <n8n-container-name>
Replace <n8n-container-name> with your actual n8n container name (e.g., n8n, my-n8n-prod, etc.)
Find your container name:
docker ps | grep n8n