Difference between revisions of "Systemd-resolved"

Edit summaries: m (mDNS: missing whitespace); (DNS: flag with Template:Expansion, needs info about systemd-resolvconf)
Revision as of 08:37, 16 July 2018

Category:Domain Name System Category:Multicast DNS

Note: This article or section is a candidate for moving to systemd-resolved. systemd-resolved could use its own article.

systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

Installation

systemd-resolved is a part of the systemd package that is installed by default.

Configuration

systemd-resolved provides resolver services for Domain Name System (DNS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).

The resolver can be configured by editing /etc/systemd/resolved.conf and/or drop-in .conf files in /etc/systemd/resolved.conf.d/. See resolved.conf(5).

Warning: LLMNR resolution is enabled by default. LLMNR carries no authentication, so any host on the local link can answer a query for a name that did not resolve via DNS; see #LLMNR for instructions on how to disable it.

To use systemd-resolved start and enable systemd-resolved.service.

Tip: To understand the context around the choices and switches, one can turn on detailed debug information for systemd-resolved as described in Systemd#Diagnosing a service.

DNS

Note: This section needs expansion. Reason: Add information about systemd-resolvconf.

systemd-resolved has four different modes for handling /etc/resolv.conf (described in systemd-resolved(8)). We will focus here on the two most relevant modes.

  1. The mode in which systemd-resolved is a client of /etc/resolv.conf: the file is a regular file that systemd-resolved reads for its DNS server configuration. This mode preserves /etc/resolv.conf and is compatible with the procedures described in this page.
  2. The recommended mode of operation of systemd-resolved: /etc/resolv.conf is a symbolic link to the DNS stub file /run/systemd/resolve/stub-resolv.conf, which lists the local stub 127.0.0.53 as the only DNS server together with a list of search domains.

Users of the service are advised to redirect the /etc/resolv.conf file to the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd-managed configuration (servers, search domains, and any DNSSEC validation) to all clients that read /etc/resolv.conf. This can be done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:

# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

In this mode, the upstream DNS servers are configured in resolved.conf(5), for example with a drop-in file:

/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=91.239.100.100 89.233.43.71

To check which DNS servers systemd-resolved is actually using, run:

$ resolvectl status

Tip: The mode of operation of systemd-resolved is detected automatically, depending on whether /etc/resolv.conf is a symlink to the local stub DNS resolver file or a regular file containing server addresses.
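The procedure above, as an added example that is not part of the ArchWiki page: a small POSIX shell script that reports which resolv.conf mode a host is in, generates the dns_servers.conf drop-in shown above, and (as root) applies the recommended stub mode in one go. The mode names and function names are this example's own; the paths and the DNS server addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): classify /etc/resolv.conf,
# generate the [Resolve] drop-in from above, and optionally apply stub mode.

# resolv_mode [FILE]: classify FILE (default /etc/resolv.conf) and print one of
#   stub     - symlink to the systemd stub file (recommended mode, 127.0.0.53)
#   uplink   - symlink to /run/systemd/resolve/resolv.conf, which lists the
#              upstream servers directly, so clients bypass the stub (and
#              therefore its cache and DNSSEC validation)
#   foreign  - symlink pointing somewhere else (another tool manages it)
#   static   - regular file; systemd-resolved reads it as a client
#   missing  - no such file
resolv_mode() {
    f=${1:-/etc/resolv.conf}
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            */systemd/resolve/stub-resolv.conf) echo stub ;;
            */systemd/resolve/resolv.conf)      echo uplink ;;
            *)                                  echo foreign ;;
        esac
    elif [ -f "$f" ]; then
        echo static
    else
        echo missing
    fi
}

# dns_dropin SERVER...: print a [Resolve] drop-in pinning the upstream servers,
# in the same shape as /etc/systemd/resolved.conf.d/dns_servers.conf above.
dns_dropin() {
    printf '[Resolve]\nDNS=%s\n' "$*"
}

# apply_stub_mode SERVER...: switch to stub mode and pin the servers.
# Needs root; everything else in this file is read-only.
apply_stub_mode() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_stub_mode: run as root" >&2; return 1; }
    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
    mkdir -p /etc/systemd/resolved.conf.d
    dns_dropin "$@" > /etc/systemd/resolved.conf.d/dns_servers.conf
    systemctl restart systemd-resolved.service
    resolvectl status   # confirm the servers actually in use
}

# Typical read-only use:
#   resolv_mode                               (prints the current mode)
#   dns_dropin 91.239.100.100 89.233.43.71    (prints the drop-in to review)
# To apply:  apply_stub_mode 91.239.100.100 89.233.43.71
```

The uplink case is worth recognising separately: a host whose /etc/resolv.conf points at /run/systemd/resolve/resolv.conf still looks "managed by systemd" but its applications talk to the upstream servers directly, so a DNSSEC=true setting in resolved.conf does nothing for them.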

DNSSEC

DNSSEC support can be enabled by setting DNSSEC=true. This is the strict mode: a lookup whose signatures do not validate fails instead of returning data. The alternative value allow-downgrade attempts validation but silently turns it off when the upstream server appears not to support DNSSEC, which an on-path attacker can trigger with a synthesized response, so only DNSSEC=true gives a guarantee:

/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true

Test DNSSEC validation by querying a domain with an invalid signature:

$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid

Now test a domain with valid signature:

$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 134.91.78.139

-- Information acquired via protocol DNS in 266.3ms.
-- Data is authenticated: yes
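The two test queries above can be turned into a repeatable check. The following is an added example, not code from the ArchWiki page: a validating stub must refuse the deliberately broken sigfail zone and report "Data is authenticated: yes" for sigok; if both resolve, validation is off, downgraded, or bypassed (for instance because applications do not go through the 127.0.0.53 stub). The verdict parsing is separated from the live queries so the rule can be exercised on captured output. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): verify that DNSSEC validation
# is actually in effect by checking the outcome of the sigfail/sigok queries.

# dnssec_verdict: read `resolvectl query` output (stdout and stderr merged)
# on stdin and print one word: failed, authenticated, unauthenticated, unknown.
dnssec_verdict() {
    out=$(cat)
    case "$out" in
        *"DNSSEC validation failed"*)   echo failed ;;
        *"Data is authenticated: yes"*) echo authenticated ;;
        *"Data is authenticated: no"*)  echo unauthenticated ;;
        *)                              echo unknown ;;
    esac
}

# dnssec_expected BAD GOOD: the pass rule. BAD is the verdict for the sigfail
# query, GOOD the verdict for the sigok query. Returns 0 only when the stub
# rejected the broken zone AND authenticated the good one.
dnssec_expected() {
    [ "$1" = failed ] && [ "$2" = authenticated ]
}

# dnssec_selftest: run the two live queries from the page through the rule.
# resolvectl reports the validation failure on stderr, hence 2>&1.
dnssec_selftest() {
    bad=$(resolvectl query sigfail.verteiltesysteme.net 2>&1 | dnssec_verdict)
    good=$(resolvectl query sigok.verteiltesysteme.net 2>&1 | dnssec_verdict)
    if dnssec_expected "$bad" "$good"; then
        echo "DNSSEC validation is in effect"
    else
        echo "DNSSEC validation is NOT in effect (sigfail: $bad, sigok: $good)" >&2
        return 1
    fi
}

# Usage on a live host:  dnssec_selftest
```

A result of "unauthenticated" for sigok with "failed" for sigfail is not a pass either: it means the stub could not build a chain of trust for that zone, and should be investigated rather than accepted.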

DNS over TLS

Note: This section needs expansion. Reason: Instructions needed.
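Added here as an example that is not part of the page at this revision: systemd 239 introduced the DNSOverTLS= option in the [Resolve] section of resolved.conf(5). With DNSOverTLS=opportunistic, systemd-resolved tries to reach the configured DNS= servers over TLS on port 853 and falls back to plain DNS when that fails; the server certificate is not verified. This hides queries from passive observers on the path but does not stop an active attacker from forcing the fallback or impersonating the server, so it is a privacy measure, not an authentication one. The servers listed in DNS= must accept TLS on port 853 (check with your resolver operator).

```ini
[Resolve]
DNSOverTLS=opportunistic
```

Drop-in file name (an assumption of this example): /etc/systemd/resolved.conf.d/dns_over_tls.conf, followed by a restart of systemd-resolved.service.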

mDNS

systemd-resolved can act as a multicast DNS resolver and as an mDNS responder (answering queries for the local hostname on the link). Both are controlled by the MulticastDNS= option in the [Resolve] section in resolved.conf(5): yes enables the full responder and resolver, resolve enables only the resolver, and no disables both. The compiled-in default depends on the systemd version and build, so check the effective per-link "MulticastDNS setting" in the output of resolvectl status rather than assuming it. mDNS is active on a link only when both the global setting and the per-link setting (from systemd-networkd's MulticastDNS= or resolvectl mdns) allow it.

Note: The responder answers any host on the link, so leave it off unless the machine is meant to be discoverable there.

LLMNR

Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.

systemd-resolved enables LLMNR resolution by default. To disable it set LLMNR=false in the [Resolve] section in resolved.conf(5); resolvectl status shows the effective per-link "LLMNR setting" afterwards. E.g.:

/etc/systemd/resolved.conf.d/disable_llmnr.conf
[Resolve]
LLMNR=false

Lookup

To look up DNS records or mDNS and LLMNR hosts, use the resolvectl utility.

For example, to query a DNS record:

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

-- Information acquired via protocol DNS in 48.4ms.
-- Data is authenticated: no