systemd-resolved

From ArchWiki
Jump to: navigation, search

systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

Installation

systemd-resolved is a part of the systemd package that is installed by default.

Configuration

systemd-resolved provides resolver services for Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).

The resolver can be configured by editing /etc/systemd/resolved.conf and/or drop-in .conf files in /etc/systemd/resolved.conf.d/. See resolved.conf(5).

To use systemd-resolved start and enable systemd-resolved.service.

Tip: To understand the context around the choices and switches, one can turn on detailed debug information for systemd-resolved as described in systemd#Diagnosing a service.

DNS

systemd-resolved has four different modes for handling the resolv.conf (described in systemd-resolved(8)). We will focus here on the two most relevant modes.

  1. The systemd-resolved's recommended mode of operation: the DNS stub file /run/systemd/resolve/stub-resolv.conf contains both the local stub 127.0.0.53 as the only DNS servers and a list of search domains.
  2. The mode in which systemd-resolved is a client of the /etc/resolv.conf. This mode preserves /etc/resolv.conf and is compatible with the procedures described in this page.

The service users are advised to redirect the /etc/resolv.conf file to the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd managed configuration to all the clients. This can be done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:

# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Tip: The mode of operation of systemd-resolved is detected automatically, depending on whether /etc/resolv.conf is a symlink to the local stub DNS resolver file or contains server names.

Setting DNS servers

In order to check the DNS actually used by systemd-resolved, the command to use is:

$ resolvectl status
Automatically

systemd-resolved can get name servers and search domains in two ways:

  1. If the used network manager supports systemd-resolved; currently those are systemd-networkd and NetworkManager.
  2. If the used DHCP and VPN clients support using resolvconf to set name servers and search domains. See openresolv#Users for a list of software that use resolvconf.

For the first case no configuration is required since systemd-resolved will be detected by folowing the /etc/resolv.conf symlink.

For the second case you need to install systemd-resolvconf, it will provide the /usr/bin/resolvconf symlink.

Note:
  • systemd-resolved's resolvconf interface is limited and may not work with all software that use it. See resolvectl(1) for more information.
  • The resolvconf interface in systemd 290 does not set nameservers. See FS#59459 and systemd issue 9423.
Manually

In local DNS stub mode, alternative DNS servers are provided in the resolved.conf(5) file:

/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=91.239.100.100 89.233.43.71
Note: Network managers have their own DNS settings that override systemd-resolved's default.
Fallback

If systemd-resolved does not receive DNS server addresses from the network manager and no DNS servers are configured manually then systemd-resolved falls back to the fallback DNS addresses to ensure that DNS resolution always works.

Note: Currently systemd-resolved uses Google DNS as the fallback DNS.

The addresses can be changed by setting FallbackDNS= in resolved.conf(5). E.g.:

/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve]
FallbackDNS=127.0.0.1 ::1

To disable the fallback DNS funtionality set the FallbackDNS option without specifying any addresses:

/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve]
FallbackDNS=

DNSSEC

DNSSEC validation in disabled in the systemd package (FS#59391). It can be enabled by setting DNSSEC=true:

/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true

Test DNSSEC validation by querying a domain with a invalid signature:

$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid

Now test a domain with valid signature:

$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 134.91.78.139

-- Information acquired via protocol DNS in 266.3ms.
-- Data is authenticated: yes

DNS over TLS

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: How to test if DNS over TLS is used? (Discuss in Talk:Systemd-resolved#)
Warning: As of version 239:
  • Only opportunistic mode is supported making systemd-resolved vulnerable to downgrade attacks.
  • DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.

DNS over TLS is disabled by default. To enable it change the DNSOverTLS= setting in the [Resolve] section in resolved.conf(5).

/etc/systemd/resolved.conf.d/dns_over_tls.conf
[Resolve]
DNSOverTLS=opportunistic
Note: The used DNS server must support DNS over TLS otherwise systemd-resolved will disable DNS over TLS for the connection.

mDNS

systemd-resolved is capable of working as a multicast DNS resolver and responder.

The resolver provides hostname resolution using a "hostname.local" naming scheme.

mDNS will only be activated for the connection if both the systemd-resolved's global setting (MulticastDNS= in resolved.conf(5)) and the network manager's per-connection setting is enabled. By default systemd-resolved enables mDNS responder, but both systemd-networkd and NetworkManager do not enable it for connections.

Tip: The default for all NetworkManager connections can be set by creating a configuration file in /etc/NetworkManager/conf.d/ and setting connection.mdns= in the [connection] section. For example the following will enable mDNS resolver for all connections:
/etc/NetworkManager/conf.d/mdns.conf
[connection]
connection.mdns=1

See NetworkManager.conf(5).

If you plan to use mDNS and use a firewall, make sure to open UDP port 5353.

LLMNR

Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.

LLMNR will only be activated for the connection if both the systemd-resolved's global setting (LLMNR= in resolved.conf(5)) and the network manager's per-connection setting is enabled. By default systemd-resolved enables LLMNR responder, systemd-networkd enables it by default and NetworkManager does not have a setting to control it.

For systemd-networkd the setting is LLMNR= in the [Network] section. See systemd.network(5).

Warning: Since NetworkManager lacks control over per-connection LLMNR setting, if do not plan to use LLMNR the only option is to disable it globally in resolved.conf(5). E.g.:
/etc/systemd/resolved.conf.d/disable_llmnr.conf
[Resolve]
LLMNR=false

If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP ports 5355.

Lookup

To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.

For example, to query a DNS record:

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

-- Information acquired via protocol DNS in 48.4ms.
-- Data is authenticated: no