Difference between revisions of "Systemd-resolved"

Edit summaries: (remove unneeded subheadings); (Resolver services: rename section to "Configuration", more common section name)

Change at line 14 of the wikitext: the section heading "== Resolver services ==" was renamed to "== Configuration ==". The adjacent lines ("''systemd-resolved'' is a part of the {{Pkg|systemd}} package that is installed by default." and the sentence listing the DNS, mDNS and LLMNR resolver services) are unchanged context.
Revision as of 06:50, 16 July 2018

Categories: Domain Name System, Multicast DNS

This article or section is a candidate for moving to systemd-resolved.

Notes: systemd-resolved could use its own article. (Discuss in Talk:Systemd-resolved)

systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

Installation

systemd-resolved is a part of the systemd package that is installed by default.

Configuration

systemd-resolved provides resolver services for Domain Name System (DNS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).

The resolver can be configured by editing /etc/systemd/resolved.conf and/or drop-in .conf files in /etc/systemd/resolved.conf.d/. See resolved.conf(5).

Warning: LLMNR resolution is enabled by default, see #LLMNR for instructions on how to disable it.

To use systemd-resolved, start and enable systemd-resolved.service.

Tip: To understand the context around the choices and switches, one can turn on detailed debug information for systemd-resolved as described in Systemd#Diagnosing a service.

DNS

systemd-resolved has four different modes for handling /etc/resolv.conf (described in systemd-resolved(8)). We will focus here on the two most relevant modes.

  1. The mode in which systemd-resolved is a client of /etc/resolv.conf. This mode preserves /etc/resolv.conf and is compatible with the procedures described on this page.
  2. systemd-resolved's recommended mode of operation: the DNS stub file /run/systemd/resolve/stub-resolv.conf lists the local stub 127.0.0.53 as the only DNS server, together with a list of search domains.

Users of the service are advised to point /etc/resolv.conf at the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved, so that the systemd-managed configuration is propagated to all clients. This is done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:

# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

In this mode, the DNS servers are configured in resolved.conf(5), for example:

/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=91.239.100.100 89.233.43.71

To check which DNS servers systemd-resolved is actually using, run:

$ resolvectl status

Tip: The mode of operation of systemd-resolved is detected automatically, depending on whether /etc/resolv.conf is a symlink to the local stub DNS resolver file or contains server names.
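The following script is an added example (not from the ArchWiki page) that applies the rule in the Tip above: it reports which resolv.conf mode systemd-resolved will pick, and writes a DNS= drop-in in the same layout as the one shown earlier. The function names, the drop-in file name dns_servers.conf and the directory parameter are this example's own; it takes the configuration directory as an argument so it can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: detect the resolv.conf mode that
# systemd-resolved will use (symlink to the stub file vs. a file with server
# names) and write a DNS= drop-in. Function and file names are this example's own.

# resolv_mode [PATH]: prints "stub" when PATH is a symlink to
# /run/systemd/resolve/stub-resolv.conf (absolute or relative target),
# "static" when it is a regular file listing nameservers, "symlink:<target>"
# for any other symlink and "unknown" otherwise. Anything that rewrites
# /etc/resolv.conf behind systemd-resolved's back (a DHCP hook, another
# resolver package) shows up here as a change away from "stub".
resolv_mode() {
    f=${1:-/etc/resolv.conf}
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        case "$target" in
            *stub-resolv.conf) echo stub ;;
            *) echo "symlink:$target" ;;
        esac
    elif [ -f "$f" ] && grep -q '^nameserver' "$f"; then
        echo static
    else
        echo unknown
    fi
}

# write_dns_dropin DIR SERVER...: writes DIR/dns_servers.conf containing a
# [Resolve] section with a single DNS= line, the layout used by the drop-in
# above. DIR is normally /etc/systemd/resolved.conf.d (root required); it is a
# parameter so the function can be tested against a temporary directory.
# Fails without writing anything when no servers are given, so a typo in the
# caller cannot leave resolved with an empty DNS= list.
write_dns_dropin() {
    dir=$1; shift
    [ $# -gt 0 ] || { echo "write_dns_dropin: no servers given" >&2; return 1; }
    mkdir -p "$dir"
    printf '[Resolve]\nDNS=%s\n' "$*" > "$dir/dns_servers.conf"
}

# Stand-alone use: report the mode of the real /etc/resolv.conf.
resolv_mode
```

Run the script as-is to see the mode of the live /etc/resolv.conf; after writing a drop-in to the real directory, restart systemd-resolved.service and confirm the servers with resolvectl status.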

DNSSEC

DNSSEC support can be enabled by setting DNSSEC=true:

/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true

Test DNSSEC validation by querying a domain with an invalid signature:

$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid

Now test a domain with a valid signature:

$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 134.91.78.139

-- Information acquired via protocol DNS in 266.3ms.
-- Data is authenticated: yes
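The two queries above only prove enforcement when taken together: a rejected sigfail domain shows validation happens, and the "Data is authenticated: yes" trailer on sigok shows answers are actually being validated rather than passed through. The script below is an added example (not from the ArchWiki page) that turns that pair into a single pass/fail check. The function names and the SAMPLE_* strings are this example's own; the samples are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: classify resolvectl query output
# and check that DNSSEC validation is really being enforced. Function names
# and the SAMPLE_* constants are this example's own; the samples are built
# from the two transcripts shown above.

SAMPLE_FAIL='sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid'
SAMPLE_OK='sigok.verteiltesysteme.net: 134.91.78.139

-- Information acquired via protocol DNS in 266.3ms.
-- Data is authenticated: yes'

# dnssec_verdict OUTPUT: prints "validation-failed", "authenticated" or
# "unverified" for one resolvectl query transcript. "unverified" means an
# answer came back without the "Data is authenticated: yes" trailer, which is
# what an unsigned zone or DNSSEC=no looks like.
dnssec_verdict() {
    if printf '%s\n' "$1" | grep -q 'DNSSEC validation failed'; then
        echo validation-failed
    elif printf '%s\n' "$1" | grep -q '^-- Data is authenticated: yes'; then
        echo authenticated
    else
        echo unverified
    fi
}

# dnssec_enforced FAIL_OUTPUT OK_OUTPUT: returns 0 only when the deliberately
# broken domain was rejected AND the good one came back authenticated. Either
# half alone is not enough: with DNSSEC=allow-downgrade and an upstream that
# does not support DNSSEC, both domains resolve without error and without the
# authenticated trailer.
dnssec_enforced() {
    [ "$(dnssec_verdict "$1")" = validation-failed ] &&
    [ "$(dnssec_verdict "$2")" = authenticated ]
}

# dnssec_live_check: run the two queries against the running systemd-resolved
# (needs network access). resolvectl reports the failure on stderr, hence 2>&1.
dnssec_live_check() {
    dnssec_enforced "$(resolvectl query sigfail.verteiltesysteme.net 2>&1)" \
                    "$(resolvectl query sigok.verteiltesysteme.net 2>&1)"
}
```

Source the file in an interactive shell and run dnssec_live_check after the DNSSEC=true drop-in is in place and systemd-resolved.service has been restarted; a non-zero exit means validation is not being enforced end to end.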

DNS over TLS

This article or section needs expansion.

Reason: Instructions needed. (Discuss in Talk:Systemd-resolved)

mDNS

systemd-resolved is capable of working as a multicast DNS listener and responder. Neither is enabled by default.

To enable multicast DNS, set the MulticastDNS= option in the [Resolve] section in resolved.conf(5):

  • To only resolve mDNS names, enable the multicast DNS listener: MulticastDNS=resolve.
  • To enable the full multicast DNS responder, set MulticastDNS=true.

For example:

/etc/systemd/resolved.conf.d/enable_mdns.conf
[Resolve]
MulticastDNS=resolve

LLMNR

Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.

systemd-resolved enables LLMNR resolution by default. To disable it set LLMNR=false in the [Resolve] section in resolved.conf(5). E.g.:

/etc/systemd/resolved.conf.d/disable_llmnr.conf
[Resolve]
LLMNR=false