Systemd-resolved

From ArchWiki
Revision as of 07:57, 17 July 2018



systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for details.

Installation

systemd-resolved is a part of the systemd package that is installed by default.

Configuration

systemd-resolved provides resolver services for Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).

The resolver can be configured by editing /etc/systemd/resolved.conf and/or drop-in .conf files in /etc/systemd/resolved.conf.d/. See resolved.conf(5).

Warning: LLMNR resolution is enabled by default, see #LLMNR for instructions on how to disable it.

To use systemd-resolved, start and enable systemd-resolved.service.

Tip: To understand the context around the choices and switches, one can turn on detailed debug information for systemd-resolved as described in systemd#Diagnosing a service.

DNS

systemd-resolved has four modes of handling /etc/resolv.conf (described in systemd-resolved(8)). We will focus here on the two most relevant modes.

  1. The recommended mode of operation: /etc/resolv.conf is a symlink to the DNS stub file /run/systemd/resolve/stub-resolv.conf, which lists the local stub 127.0.0.53 as the only DNS server together with the search domains.
  2. The mode in which systemd-resolved is a client of /etc/resolv.conf: it reads the servers listed there and uses them as upstream servers. This mode preserves /etc/resolv.conf and is compatible with the procedures described in this page.

Users of the service are advised to redirect /etc/resolv.conf to the local stub DNS resolver file /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved. This propagates the systemd-managed configuration (servers, search domains and, through the stub, caching, DNSSEC and DNS over TLS) to all clients. This can be done by replacing /etc/resolv.conf with a symbolic link to the systemd stub:

# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Tip: The mode of operation of systemd-resolved is detected automatically, depending on whether /etc/resolv.conf is a symlink to the local stub DNS resolver file or contains server names.
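Added example, not part of the ArchWiki page or of systemd: a small Python check that classifies /etc/resolv.conf into the modes described above and states what a program that reads the file directly (without nss-resolve) ends up talking to. The mode names stub, static, uplink and foreign follow later systemd-resolved(8) man pages; matching is done on the symlink target path, which is a simplification of the daemon's own file-identity check. make_fake_root() builds throwaway directories with constructed contents so the example runs without touching the live system; the nameserver 192.0.2.53 in the foreign case is constructed test data.

```python
"""Classify <root>/etc/resolv.conf against systemd-resolved's modes of operation."""
import os
import tempfile

# Files systemd-resolved maintains; /etc/resolv.conf may point at any of them.
STUB = "/run/systemd/resolve/stub-resolv.conf"
STATIC = "/usr/lib/systemd/resolv.conf"
UPLINK = "/run/systemd/resolve/resolv.conf"

# Mode name and what a client that reads the file directly gets to see.
MANAGED = {
    STUB: ("stub", "only the 127.0.0.53 stub plus search domains; caching, "
                   "DNSSEC and DNS over TLS settings apply to every client"),
    STATIC: ("static", "only the 127.0.0.53 stub, no search domains"),
    UPLINK: ("uplink", "the upstream servers directly; clients reading the "
                       "file bypass systemd-resolved's cache, DNSSEC and TLS"),
}


def resolv_conf_mode(root="/"):
    """Return (mode, what clients reading the file get) for <root>/etc/resolv.conf."""
    path = os.path.join(root, "etc", "resolv.conf")
    if not os.path.lexists(path):
        return ("missing", "no resolv.conf at all")
    if os.path.islink(path):
        target = os.readlink(path)
        if not target.startswith("/"):
            # Relative link (Debian style): interpret it relative to /etc.
            target = os.path.normpath(os.path.join("/etc", target))
        if target in MANAGED:
            return MANAGED[target]
        return ("foreign", "a symlink to %s that systemd-resolved does not manage" % target)
    with open(path) as fh:
        servers = [line.split()[1] for line in fh
                   if line.startswith("nameserver") and len(line.split()) > 1]
    return ("foreign", "a regular file naming %s; systemd-resolved reads these as "
                       "its upstream servers, and clients without nss-resolve "
                       "query them directly" % (", ".join(servers) or "no servers"))


def make_fake_root(kind):
    """Build a throwaway root whose etc/resolv.conf is in the requested state (constructed data)."""
    root = tempfile.mkdtemp(prefix="resolv-%s-" % kind)
    os.makedirs(os.path.join(root, "etc"))
    path = os.path.join(root, "etc", "resolv.conf")
    if kind == "stub":
        os.symlink(STUB, path)
    elif kind == "uplink":
        os.symlink(UPLINK, path)
    elif kind == "foreign":
        with open(path, "w") as fh:
            fh.write("# written by a DHCP client\nnameserver 192.0.2.53\nsearch example.net\n")
    # any other kind leaves no file behind -> "missing"
    return root


if __name__ == "__main__":
    for kind in ("stub", "uplink", "foreign"):
        print(kind, resolv_conf_mode(make_fake_root(kind)))
    print("live system:", resolv_conf_mode("/"))
```

Run it as-is to see the three constructed cases followed by the live host; a result of "uplink" or "foreign" on a host that expected the stub means the settings in resolved.conf are not reaching every client.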

Setting DNS servers

To check which DNS servers systemd-resolved is actually using, run:

$ resolvectl status

Automatically


systemd-resolved can learn the upstream DNS servers from the software that manages the network connection (a network manager, DHCP client, VPN client or similar) in two ways:

  1. The software supports systemd-resolved natively; currently systemd-networkd and NetworkManager do.
  2. The software sets DNS information through resolvconf. See openresolv#Users for a list of software that uses resolvconf.

In the first case no configuration is required, since systemd-resolved is detected by following the /etc/resolv.conf symlink.

In the second case, install systemd-resolvconf. It provides /usr/bin/resolvconf for tools that set DNS servers through the resolvconf interface.

Note: systemd-resolved's resolvconf interface is limited and may not work with all software that use it. See resolvectl(1) for more information.
Manually

In local DNS stub mode, the upstream DNS servers can be set in resolved.conf(5). These are the global defaults, used when no per-link servers have been supplied:

/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=91.239.100.100 89.233.43.71
Note: Network managers have their own DNS settings that override systemd-resolved's default.

DNSSEC

DNSSEC support can be enabled by setting DNSSEC=true:

/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true

Test DNSSEC validation by querying a domain with an invalid signature:

$ resolvectl query sigfail.verteiltesysteme.net
sigfail.verteiltesysteme.net: resolve call failed: DNSSEC validation failed: invalid

Now test a domain with a valid signature:

$ resolvectl query sigok.verteiltesysteme.net
sigok.verteiltesysteme.net: 134.91.78.139

-- Information acquired via protocol DNS in 266.3ms.
-- Data is authenticated: yes

DNS over TLS

Warning: As of version 239:
  • Only opportunistic mode is supported making systemd-resolved vulnerable to downgrade attacks.
  • DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks. See systemd issue 9397.

DNS over TLS is disabled by default. To enable it change the DNSOverTLS= setting in the [Resolve] section in resolved.conf(5).

/etc/systemd/resolved.conf.d/dns_over_tls.conf
[Resolve]
DNSOverTLS=opportunistic
Note: The upstream DNS server must support DNS over TLS (TCP port 853); otherwise systemd-resolved disables DNS over TLS for that server and falls back to plain DNS. To check that TLS is actually in use, look for connections from the host to port 853 of the configured server with ss(8) or a packet capture; plain DNS traffic on port 53 means the fallback happened.

mDNS

systemd-resolved can work as a multicast DNS listener (resolver) and responder.

By default the full mDNS responder is enabled. This can be changed with the MulticastDNS= option in the [Resolve] section of resolved.conf(5); MulticastDNS=resolve keeps resolution of .local names but stops the host from answering queries for its own name on the link.

Note: If you plan to use mDNS and use a firewall, make sure to open UDP port 5353.

LLMNR

Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft. Queries are multicast to the local link and any host on that link can answer them, which makes LLMNR an easy name-spoofing vector on untrusted networks.

systemd-resolved enables LLMNR resolution by default. To disable it, set LLMNR=false in the [Resolve] section of resolved.conf(5). E.g.:

/etc/systemd/resolved.conf.d/disable_llmnr.conf
[Resolve]
LLMNR=false
Note: NetworkManager does not have a setting to enable/disable LLMNR for connections.

If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP port 5355.
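The DNSSEC, DNS over TLS, mDNS and LLMNR settings above all live in the [Resolve] section and are usually spread over several drop-in files, so the effective configuration is easy to misread. The following added example (not code from the ArchWiki page or from systemd) merges /etc/systemd/resolved.conf with /etc/systemd/resolved.conf.d/*.conf the way systemd applies drop-ins (main file first, then drop-ins in lexical order, later assignments winning; list settings such as DNS= accumulate and are reset by an empty assignment) and reports the security consequences of the result. It only looks under one etc directory, not the /run and /usr/lib drop-in locations, and demo_tree() writes a constructed copy of this page's drop-ins into a temporary directory so the example runs offline. The severity labels and messages are this example's own.

```python
"""Audit the effective [Resolve] settings of a systemd-resolved configuration tree."""
import glob
import os
import tempfile

LIST_KEYS = {"DNS", "FallbackDNS", "Domains"}   # space-separated lists in resolved.conf(5)


def is_false(value):
    """systemd boolean spellings that mean 'off'."""
    return value.strip().lower() in ("0", "no", "false", "off")


def apply_resolve_section(text, settings):
    """Apply the [Resolve] assignments in text on top of settings (in place).

    List keys accumulate across assignments and an empty assignment resets
    them; every other key simply takes the last value seen.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST_KEYS:
            settings[key] = settings.get(key, []) + value.split() if value else []
        else:
            settings[key] = value
    return settings


def effective_settings(etc):
    """Merge <etc>/systemd/resolved.conf and its drop-ins, drop-ins in lexical order."""
    files = [os.path.join(etc, "systemd", "resolved.conf")]
    files += sorted(glob.glob(os.path.join(etc, "systemd", "resolved.conf.d", "*.conf")))
    settings = {}
    for path in files:
        if os.path.isfile(path):
            with open(path) as fh:
                apply_resolve_section(fh.read(), settings)
    return settings


def audit(settings):
    """Return (severity, message) findings for the merged settings."""
    findings = []
    dnssec = settings.get("DNSSEC", "<unset: compiled-in default applies>")
    if dnssec != "true":
        findings.append(("warn", "DNSSEC=%s: only 'true' rejects unvalidated answers; "
                         "'allow-downgrade' can be downgraded by an on-path attacker" % dnssec))
    dot = settings.get("DNSOverTLS", "no")          # disabled by default
    if dot == "opportunistic":
        findings.append(("warn", "DNSOverTLS=opportunistic: falls back to plaintext when "
                         "TLS fails, so an active attacker can strip it"))
    else:
        findings.append(("warn", "DNSOverTLS=%s: upstream queries are sent in plaintext" % dot))
    if not is_false(settings.get("LLMNR", "yes")):    # enabled by default
        findings.append(("warn", "LLMNR enabled: any host on the link can answer name "
                         "queries; set LLMNR=false unless it is needed"))
    if not is_false(settings.get("MulticastDNS", "yes")):   # responder on by default
        findings.append(("info", "mDNS enabled: the responder answers for this host on the "
                         "link and needs UDP 5353 open"))
    if not settings.get("DNS"):
        findings.append(("info", "no global DNS= servers: upstreams come from the network "
                         "manager, DHCP or FallbackDNS="))
    return findings


def demo_tree():
    """Write a constructed configuration (this page's drop-ins) and return its etc directory."""
    etc = tempfile.mkdtemp(prefix="resolved-audit-")
    dropins = os.path.join(etc, "systemd", "resolved.conf.d")
    os.makedirs(dropins)
    files = {
        os.path.join(etc, "systemd", "resolved.conf"): "[Resolve]\nDNSSEC=allow-downgrade\n",
        os.path.join(dropins, "dns_servers.conf"): "[Resolve]\nDNS=91.239.100.100 89.233.43.71\n",
        os.path.join(dropins, "dnssec.conf"): "[Resolve]\nDNSSEC=true\n",   # drop-in wins
        os.path.join(dropins, "dns_over_tls.conf"): "[Resolve]\nDNSOverTLS=opportunistic\n",
        os.path.join(dropins, "disable_llmnr.conf"): "[Resolve]\nLLMNR=false\n",
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)
    return etc


if __name__ == "__main__":
    merged = effective_settings(demo_tree())   # use effective_settings("/etc") on a live host
    print(merged)
    for severity, message in audit(merged):
        print(severity.upper(), message)
```

On the constructed tree the DNSSEC=true drop-in overrides the allow-downgrade value in the main file and LLMNR is off, so the only warning left is the opportunistic DNS over TLS downgrade described in the warning above; running effective_settings("/etc") instead audits the live host. The audit compares against the defaults stated on this page; where a key is unset, confirm the compiled-in default with resolvectl status.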

Lookup

To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.

For example, to query a DNS record:

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

-- Information acquired via protocol DNS in 48.4ms.
-- Data is authenticated: no