Difference between revisions of "Systemd-resolved"
m (→Manually: remove emphasis)
|Line 71:||Line 71:|
==== DNSSEC ====
==== DNSSEC ====
Revision as of 07:57, 17 July 2018
systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the
resolve NSS service ( ), and a local DNS stub listener on
127.0.0.53. See for the usage.
systemd-resolved is a part of thepackage that is installed by default.
The resolver can be configured by editing
/etc/systemd/resolved.conf and/or drop-in .conf files in
/etc/systemd/resolved.conf.d/. See .
systemd-resolved has four different modes for handling the resolv.conf (described in ). We will focus here on the two most relevant modes.
- The systemd-resolved's recommended mode of operation: the DNS stub file
/run/systemd/resolve/stub-resolv.confcontains both the local stub
127.0.0.53as the only DNS servers and a list of search domains.
- The mode in which systemd-resolved is a client of the
/etc/resolv.conf. This mode preserves
/etc/resolv.confand is compatible with the procedures described in this page.
The service users are advised to redirect the
/etc/resolv.conf file to the local stub DNS resolver file
/run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd managed configuration to all the clients. This can be done by replacing
/etc/resolv.conf with a symbolic link to the systemd stub:
# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
/etc/resolv.confis a symlink to the local stub DNS resolver file or contains server names.
Setting DNS servers
In order to check the DNS actually used by systemd-resolved, the command to use is:
$ resolvectl status
systemd-resolved can get the upstream DNS servers in two ways:
- If the used network manager supports systemd-resolved, currently those are systemd-networkd and NetworkManager.
- If the used network manager uses resolvconf to set DNS information. See openresolv#Users for a list of software that use resolvconf.
For the first case no configuration is required since systemd-resolved will be detected by folowing the
For the second case you need to install . I will provide
/usr/bin/resolvconf for tools that set DNS using resolvconf interface.
In local DNS stub mode, alternative DNS servers are provided in thefile:
[Resolve] DNS=184.108.40.206 220.127.116.11
DNSSEC support can be enabled by setting
Test DNSSEC validation by querying a domain with a invalid signature:
$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid
Now test a domain with valid signature:
$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 18.104.22.168 -- Information acquired via protocol DNS in 266.3ms. -- Data is authenticated: yes
DNS over TLS
- Only opportunistic mode is supported making systemd-resolved vulnerable to downgrade attacks.
- DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.
DNS over TLS is disabled by default. To enable it change the
DNSOverTLS= setting in the
[Resolve] section in .
systemd-resolved is capable of working as a multicast DNS listener and responder.
By default full mDNS responder is enabled, this can be changed by setting the
MulticastDNS= option in the
[Resolve] section in .
If you plan to use mDNS and use a firewall, make sure to open UDP port
Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.
systemd-resolved enables LLMNR resolution by default. To disable it set
LLMNR=false in the
[Resolve] section in . E.g.:
If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP ports
To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.
For example, to query a DNS record:
$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1 22.214.171.124 -- Information acquired via protocol DNS in 48.4ms. -- Data is authenticated: no