Systemd-resolved: Difference between revisions
m (→mDNS: avahi daemon service was renamed to avahi-daemon.service) |
(→Automatically: link to man page section) |
||
Line 49: | Line 49: | ||
{{Note| | {{Note| | ||
* ''systemd-resolved'' has a limited ''resolvconf'' interface and may not work with all the clients, see {{man|1|resolvectl}} for more information. | * ''systemd-resolved'' has a limited ''resolvconf'' interface and may not work with all the clients, see {{man|1|resolvectl|COMPATIBILITY WITH RESOLVCONF(8)}} for more information. | ||
* The ''resolvconf'' interface in systemd 239 does not set nameservers. See {{Bug|59459}} and [https://github.com/systemd/systemd/issues/9423 systemd issue 9423]. | * The ''resolvconf'' interface in systemd 239 does not set nameservers. See {{Bug|59459}} and [https://github.com/systemd/systemd/issues/9423 systemd issue 9423]. | ||
}} | }} |
Revision as of 12:31, 11 November 2018
systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve
NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53
. See systemd-resolved(8) for the usage.
Installation
systemd-resolved is a part of the systemd package that is installed by default.
Configuration
systemd-resolved provides resolver services for Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).
The resolver can be configured by editing /etc/systemd/resolved.conf
and/or drop-in .conf files in /etc/systemd/resolved.conf.d/
. See resolved.conf(5).
To use systemd-resolved start and enable systemd-resolved.service
.
DNS
systemd-resolved has four different modes for handling the Domain name resolution (the four modes are described in systemd-resolved(8) § /ETC/RESOLV.CONF). We will focus here on the two most relevant modes.
- Using the systemd DNS stub file - the systemd DNS stub file
/run/systemd/resolve/stub-resolv.conf
contains the local stub127.0.0.53
as the only DNS server and a list of search domains. This is the recommended mode of operation. The service users are advised to redirect the/etc/resolv.conf
file to the local stub DNS resolver file/run/systemd/resolve/stub-resolv.conf
managed by systemd-resolved. This propagates the systemd managed configuration to all the clients. This can be done by replacing/etc/resolv.conf
with a symbolic link to the systemd stub:# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
- Preserving resolv.conf - this mode preserves
/etc/resolv.conf
and systemd-resolved is simply a client of this file. This mode is less disruptive as/etc/resolv.conf
can continue to be managed by other packages.
/etc/resolv.conf
is a symlink to the local stub DNS resolver file or contains server names.Setting DNS servers
$ resolvectl status
Automatically
systemd-resolved will work out of the box with a network manager using /etc/resolv.conf
. No particular configuration is required since systemd-resolved will be detected by following the /etc/resolv.conf
symlink. This is going to be the case with systemd-networkd or NetworkManager.
However, if the DHCP and VPN clients use the resolvconf program to set name servers and search domains (see openresolv#Users for a list of software that use resolvconf), the additional package systemd-resolvconf is needed to provide the /usr/bin/resolvconf
symlink.
- systemd-resolved has a limited resolvconf interface and may not work with all the clients, see resolvectl(1) § COMPATIBILITY WITH RESOLVCONF(8) for more information.
- The resolvconf interface in systemd 239 does not set nameservers. See FS#59459 and systemd issue 9423.
Manually
In local DNS stub mode, alternative DNS servers are provided in the resolved.conf(5) file:
/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve] DNS=91.239.100.100 89.233.43.71
Fallback
If systemd-resolved does not receive DNS server addresses from the network manager and no DNS servers are configured manually then systemd-resolved falls back to the fallback DNS addresses to ensure that DNS resolution always works.
The addresses can be changed by setting FallbackDNS=
in resolved.conf(5). E.g.:
/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve] FallbackDNS=127.0.0.1 ::1
To disable the fallback DNS funtionality set the FallbackDNS
option without specifying any addresses:
/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve] FallbackDNS=
DNSSEC
By default DNSSEC validation will only be enabled if the upstream DNS server supports it. If you want to always validate DNSSEC, thus breaking DNS resolution with name servers that do not support it, set DNSSEC=true
:
/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve] DNSSEC=true
Test DNSSEC validation by querying a domain with a invalid signature:
$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid
Now test a domain with valid signature:
$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 134.91.78.139 -- Information acquired via protocol DNS in 266.3ms. -- Data is authenticated: yes
DNS over TLS
- Only opportunistic mode is supported making systemd-resolved vulnerable to downgrade attacks.
- DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.
DNS over TLS is disabled by default. To enable it change the DNSOverTLS=
setting in the [Resolve]
section in resolved.conf(5).
/etc/systemd/resolved.conf.d/dns_over_tls.conf
[Resolve] DNSOverTLS=opportunistic
mDNS
systemd-resolved is capable of working as a multicast DNS resolver and responder.
The resolver provides hostname resolution using a "hostname.local" naming scheme.
mDNS will only be activated for the connection if both the systemd-resolved's global setting (MulticastDNS=
in resolved.conf(5)) and the network manager's per-connection setting is enabled. By default systemd-resolved enables mDNS responder, but both systemd-networkd and NetworkManager do not enable it for connections:
- For systemd-networkd the setting is
MulticastDNS=
in the[Network]
section. See systemd.network(5). - For NetworkManager the setting is
mdns=
in the[connection]
section, see nm-settings(5). The values are0
- disabled,1
- resolver only,2
- resolver and responder. [1]
avahi-daemon.service
and avahi-daemon.socket
to prevent conflicts with systemd-resolved./etc/NetworkManager/conf.d/
and setting connection.mdns=
in the [connection]
section. For example the following will enable mDNS resolver for all connections:
/etc/NetworkManager/conf.d/mdns.conf
[connection] connection.mdns=1
If you plan to use mDNS and use a firewall, make sure to open UDP port 5353
.
LLMNR
Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.
LLMNR will only be activated for the connection if both the systemd-resolved's global setting (LLMNR=
in resolved.conf(5)) and the network manager's per-connection setting is enabled. By default systemd-resolved enables LLMNR responder; systemd-networkd and NetworkManager enable it for connections.
- For systemd-networkd the setting is
LLMNR=
in the[Network]
section. See systemd.network(5). - For NetworkManager the setting is
llmnr=
in the[connection]
section, see nm-settings(5). The values are0
- disabled,1
- resolver only,2
- resolver and responder.
/etc/NetworkManager/conf.d/
and setting connection.llmnr=
in the [connection]
section. For example the following will disable LLMNR for all connections:
/etc/NetworkManager/conf.d/llmnr.conf
[connection] connection.llmnr=0
If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP ports 5355
.
Lookup
To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.
For example, to query a DNS record:
$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1 138.201.81.199 -- Information acquired via protocol DNS in 48.4ms. -- Data is authenticated: no
See resolvectl(1) § EXAMPLES for more examples.