Difference between revisions of "Systemd-resolved"

From ArchWiki
(LLMNR: instructions on how to disable LLMNR)
(add openresolv to related articles)
 
(66 intermediate revisions by 3 users not shown)

Latest revision as of 04:39, 14 August 2018

systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

Installation

systemd-resolved is a part of the systemd package that is installed by default.

Configuration

systemd-resolved provides resolver services for Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).

The resolver can be configured by editing /etc/systemd/resolved.conf and/or drop-in .conf files in /etc/systemd/resolved.conf.d/. See resolved.conf(5).

To use systemd-resolved, start and enable systemd-resolved.service.

Tip: To understand the context around the choices and switches, one can turn on detailed debug information for systemd-resolved as described in systemd#Diagnosing a service.

DNS

systemd-resolved has four different modes for handling /etc/resolv.conf (described in systemd-resolved(8)). We will focus here on the two most relevant modes.

  1. The recommended mode of operation of systemd-resolved: the DNS stub file /run/systemd/resolve/stub-resolv.conf lists the local stub 127.0.0.53 as the only DNS server, together with a list of search domains.
  2. The mode in which systemd-resolved is a client of /etc/resolv.conf. This mode preserves /etc/resolv.conf and is compatible with the procedures described in this page.

Users of the service are advised to redirect the /etc/resolv.conf file to the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd-managed configuration to all clients. This can be done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:

# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Tip: The mode of operation of systemd-resolved is detected automatically, depending on whether /etc/resolv.conf is a symlink to the local stub DNS resolver file or contains server names.

Setting DNS servers

In order to check the DNS actually used by systemd-resolved, the command to use is:

$ resolvectl status

Automatically

systemd-resolved can get name servers and search domains in two ways:

  1. If the network manager in use supports systemd-resolved; currently those are systemd-networkd and NetworkManager.
  2. If the DHCP and VPN clients in use support resolvconf to set name servers and search domains. See openresolv#Users for a list of software that uses resolvconf.

For the first case no configuration is required, since systemd-resolved will be detected by following the /etc/resolv.conf symlink.

For the second case you need to install systemd-resolvconf, which provides the /usr/bin/resolvconf symlink.

Note:
  • systemd-resolved's resolvconf interface is limited and may not work with all software that uses it. See resolvectl(1) for more information.
  • The resolvconf interface in systemd 290 does not set nameservers. See FS#59459 and systemd issue 9423.

Manually

In local DNS stub mode, alternative DNS servers are provided in the resolved.conf(5) file:

/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=91.239.100.100 89.233.43.71

Note: Network managers have their own DNS settings that override systemd-resolved's default.

Fallback

If systemd-resolved does not receive DNS server addresses from the network manager and no DNS servers are configured manually then systemd-resolved falls back to the fallback DNS addresses to ensure that DNS resolution always works.

Note: Currently systemd-resolved uses Google DNS as the fallback DNS.

The addresses can be changed by setting FallbackDNS= in resolved.conf(5). E.g.:

/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve]
FallbackDNS=127.0.0.1 ::1

To disable the fallback DNS functionality, set the FallbackDNS option without specifying any addresses:

/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve]
FallbackDNS=

DNSSEC

DNSSEC validation is disabled in the systemd package (FS#59391). It can be enabled by setting DNSSEC=true:

/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true

Test DNSSEC validation by querying a domain with an invalid signature:

$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid

Now test a domain with a valid signature:

$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 134.91.78.139

-- Information acquired via protocol DNS in 266.3ms.
-- Data is authenticated: yes

DNS over TLS

This article or section needs expansion. Reason: How to test if DNS over TLS is used?

Warning: As of version 239:
  • Only opportunistic mode is supported, making systemd-resolved vulnerable to downgrade attacks.
  • DNS server certificates are not checked, making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.

DNS over TLS is disabled by default. To enable it change the DNSOverTLS= setting in the [Resolve] section in resolved.conf(5).

/etc/systemd/resolved.conf.d/dns_over_tls.conf
[Resolve]
DNSOverTLS=opportunistic

Note: The DNS server in use must support DNS over TLS, otherwise systemd-resolved will disable DNS over TLS for the connection.

mDNS

systemd-resolved is capable of working as a multicast DNS resolver and responder.

The resolver provides hostname resolution using a "hostname.local" naming scheme.

mDNS will only be activated for a connection if both systemd-resolved's global setting (MulticastDNS= in resolved.conf(5)) and the network manager's per-connection setting are enabled. By default systemd-resolved enables the mDNS responder, but neither systemd-networkd nor NetworkManager enables it for connections.

Tip: The default for all NetworkManager connections can be set by creating a configuration file in /etc/NetworkManager/conf.d/ and setting connection.mdns= in the [connection] section. For example, the following will enable the mDNS resolver for all connections:

/etc/NetworkManager/conf.d/mdns.conf
[connection]
connection.mdns=1

See NetworkManager.conf(5).

If you plan to use mDNS and use a firewall, make sure to open UDP port 5353.

LLMNR

Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.

LLMNR will only be activated for a connection if both systemd-resolved's global setting (LLMNR= in resolved.conf(5)) and the network manager's per-connection setting are enabled. By default systemd-resolved enables the LLMNR responder; systemd-networkd enables it by default, and NetworkManager has no setting to control it.

For systemd-networkd the setting is LLMNR= in the [Network] section. See systemd.network(5).

Warning: Since NetworkManager lacks control over the per-connection LLMNR setting, if you do not plan to use LLMNR the only option is to disable it globally in resolved.conf(5). E.g.:

/etc/systemd/resolved.conf.d/disable_llmnr.conf
[Resolve]
LLMNR=false

If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP port 5355.
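A small audit of the merged [Resolve] configuration, covering the DNSSEC, DNS over TLS, LLMNR and fallback DNS settings discussed above. This is an added example, not code from this page or from systemd; it assumes drop-ins in resolved.conf.d/ are applied after resolved.conf in lexical order with later assignments replacing earlier ones, and it constructs its sample files in a temporary directory.

```python
"""Audit the effective [Resolve] settings of systemd-resolved. Added example, not
code from the ArchWiki page or systemd. Assumption: resolved.conf.d/*.conf apply
after resolved.conf in lexical order; a later assignment of a key replaces an
earlier one (an empty value clears it, as FallbackDNS= does)."""
import glob
import os
import tempfile

# Settings this page discusses and the default the page states for each.
PAGE_DEFAULTS = {
    "DNSSEC": "false",          # disabled in the Arch systemd package
    "DNSOverTLS": "no",         # disabled by default
    "LLMNR": "yes",             # responder enabled by default
    "FallbackDNS": "<google>",  # placeholder: upstream falls back to Google DNS
}

def parse_resolve_section(path):
    """Return {key: value} from the [Resolve] section of one ini-style file."""
    settings, in_resolve = {}, False
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                in_resolve = line == "[Resolve]"
                continue
            if in_resolve and "=" in line:
                key, _, value = line.partition("=")
                settings[key.strip()] = value.strip()
    return settings

def effective_settings(main_conf):
    """Merge main_conf, then main_conf + ".d"/*.conf in sorted order; later keys win."""
    merged = dict(PAGE_DEFAULTS)
    for path in [main_conf] + sorted(glob.glob(main_conf + ".d/*.conf")):
        if os.path.exists(path):
            merged.update(parse_resolve_section(path))
    return merged

def audit(settings):
    """Findings a reviewer would raise against the merged configuration."""
    findings = []
    if settings["DNSSEC"].lower() not in ("true", "yes", "allow-downgrade"):
        findings.append("DNSSEC validation is off")
    if settings["DNSOverTLS"].lower() == "opportunistic":
        findings.append("DNSOverTLS=opportunistic can be downgraded to plain DNS")
    elif settings["DNSOverTLS"].lower() in ("no", "false"):
        findings.append("DNS over TLS is disabled")
    if settings["LLMNR"].lower() in ("yes", "true", "resolve"):
        findings.append("LLMNR is enabled")
    if settings["FallbackDNS"] == "<google>":
        findings.append("FallbackDNS not set: Google DNS is the fallback")
    return findings

def demo():
    """Constructed sample: a main file plus the drop-ins shown on this page."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "resolved.conf.d"))
    samples = {"resolved.conf": "[Resolve]\nDNSSEC=true\n",
               "resolved.conf.d/dns_over_tls.conf": "[Resolve]\nDNSOverTLS=opportunistic\n",
               "resolved.conf.d/disable_llmnr.conf": "[Resolve]\nLLMNR=false\n",
               "resolved.conf.d/fallback_dns.conf": "[Resolve]\nFallbackDNS=\n"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return audit(effective_settings(os.path.join(root, "resolved.conf")))
```

Run it against a real system by calling effective_settings("/etc/systemd/resolved.conf"); the demo's only remaining finding is the opportunistic DNS over TLS mode, which this page's warning explains cannot be made strict in version 239.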

Lookup

To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.

For example, to query a DNS record:

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

-- Information acquired via protocol DNS in 48.4ms.
-- Data is authenticated: no