systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service ( ), and a local DNS stub listener on 127.0.0.53. See for the usage.
systemd-resolved is part of the systemd package that is installed by default.
The resolver can be configured by editing /etc/systemd/resolved.conf and/or drop-in .conf files in /etc/systemd/resolved.conf.d/. See .
systemd-resolved has four different modes for handling the resolv.conf (described in ). We will focus here on the two most relevant modes.
- systemd-resolved's recommended mode of operation: the DNS stub file /run/systemd/resolve/stub-resolv.conf contains both the local stub 127.0.0.53 as the only DNS server and a list of search domains.
- The mode in which systemd-resolved is a client of /etc/resolv.conf. This mode preserves /etc/resolv.conf and is compatible with the procedures described in this page.
Users of the service are advised to redirect the /etc/resolv.conf file to the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd-managed configuration to all clients. This can be done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:
# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
/etc/resolv.conf is a symlink to the local stub DNS resolver file or contains server names.
Setting DNS servers
To check which DNS servers systemd-resolved actually uses, run:
$ resolvectl status
systemd-resolved can get name servers and search domains in two ways:
- If the network manager in use supports systemd-resolved; currently those are systemd-networkd and NetworkManager.
- If the used DHCP and VPN clients support using resolvconf to set name servers and search domains. See openresolv#Users for a list of software that use resolvconf.
For the first case no configuration is required, since systemd-resolved will be detected by following the
For the second case you need to install ; it will provide the
In local DNS stub mode, alternative DNS servers are provided in the file:
[Resolve]
DNS=18.104.22.168 22.214.171.124
If systemd-resolved does not receive DNS server addresses from the network manager and no DNS servers are configured manually, then systemd-resolved falls back to the fallback DNS addresses to ensure that DNS resolution always works.
The addresses can be changed by setting FallbackDNS= in . E.g.:
[Resolve]
FallbackDNS=127.0.0.1 ::1
To disable the fallback DNS functionality, set the FallbackDNS option without specifying any addresses:
Test DNSSEC validation by querying a domain with an invalid signature:
$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid
Now test a domain with a valid signature:
$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 126.96.36.199 -- Information acquired via protocol DNS in 266.3ms. -- Data is authenticated: yes
DNS over TLS
- Only opportunistic mode is supported, making systemd-resolved vulnerable to downgrade attacks.
- DNS server certificates are not checked, making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.
DNS over TLS is disabled by default. To enable it, change the DNSOverTLS= setting in the [Resolve] section in .
systemd-resolved is capable of working as a multicast DNS resolver and responder.
The resolver provides hostname resolution using a "hostname.local" naming scheme.
mDNS will only be activated for a connection if both systemd-resolved's global setting (MulticastDNS= in ) and the network manager's per-connection setting are enabled. By default systemd-resolved enables the mDNS responder, but neither systemd-networkd nor NetworkManager enables it for connections.
- For systemd-networkd the setting is MulticastDNS= in the [Network] section. See .
- For NetworkManager the setting is in the [connection] section, see . The values are 1 (resolver only) and 2 (resolver and responder).
[connection] section. For example, the following will enable the mDNS resolver for all connections:
If you plan to use mDNS and use a firewall, make sure to open UDP port
LLMNR will only be activated for a connection if both systemd-resolved's global setting (LLMNR= in ) and the network manager's per-connection setting are enabled. By default systemd-resolved enables the LLMNR responder, systemd-networkd enables it by default, and NetworkManager does not have a setting to control it.
For systemd-networkd the setting is LLMNR= in the [Network] section. See .
If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP ports
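As an added example (not part of this page, systemd or the Arch Wiki), a small Python audit that merges /etc/systemd/resolved.conf with its resolved.conf.d/ drop-ins into the effective [Resolve] settings and flags the points discussed above: DNS over TLS left off or in downgradeable opportunistic mode, fallback DNS still active, and the mDNS and LLMNR responders still enabled. The merge rules it applies (drop-ins after the main file in lexical order, list keys concatenate, an empty assignment resets a key) are this example's model of systemd's config-file convention, and the sample configuration is constructed.

```python
# Effective [Resolve] settings from resolved.conf plus resolved.conf.d drop-ins.
# Merge rules assumed here follow systemd's general config-file convention:
# drop-ins apply after the main file in lexical order, list keys concatenate,
# and an empty assignment resets a key (which is how FallbackDNS= disables fallback).
LIST_KEYS = {"DNS", "FallbackDNS", "Domains"}

def parse_resolve_section(text):
    """Yield (key, value) pairs from the [Resolve] section of one file."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Resolve" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            yield key, value

def effective_settings(main_conf, dropins):
    """Merge the main file and a {filename: text} dict of drop-ins."""
    settings = {}
    for text in [main_conf] + [dropins[name] for name in sorted(dropins)]:
        for key, value in parse_resolve_section(text):
            if value == "":
                settings[key] = ""                # empty assignment resets
            elif key in LIST_KEYS and settings.get(key):
                settings[key] += " " + value      # list keys concatenate
            else:
                settings[key] = value
    return settings

def audit(settings):
    """Flag the settings this page calls out as weak or as needing firewall rules."""
    findings = []
    tls = settings.get("DNSOverTLS", "no")            # disabled by default
    if tls == "no":
        findings.append("DNSOverTLS: disabled, queries travel in plaintext")
    elif tls == "opportunistic":
        findings.append("DNSOverTLS: opportunistic mode can be downgraded to plaintext")
    if settings.get("FallbackDNS") != "":             # key absent or non-empty
        findings.append("FallbackDNS: fallback servers remain in use, set FallbackDNS= to disable")
    for key in ("MulticastDNS", "LLMNR"):             # both enabled by default
        if settings.get(key, "yes") != "no":
            findings.append(f"{key}: responder enabled, allow it in the firewall or set {key}=no")
    return findings

# Constructed sample configuration, not taken from a real host.
MAIN_CONF = "[Resolve]\nDNS=18.104.22.168 22.214.171.124\nFallbackDNS=127.0.0.1 ::1\n"
DROPINS = {"20-no-fallback.conf": "[Resolve]\nFallbackDNS=\n",
           "10-tls.conf": "[Resolve]\nDNSOverTLS=opportunistic\n"}
```

Calling audit(effective_settings(MAIN_CONF, DROPINS)) on the sample reports the opportunistic DNS over TLS setting and the two responders but no fallback finding, because the later drop-in reset FallbackDNS.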
To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.
For example, to query a DNS record:
$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1 188.8.131.52 -- Information acquired via protocol DNS in 48.4ms. -- Data is authenticated: no