systemd-resolved

systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

Installation

systemd-resolved is a part of the systemd package that is installed by default.

Configuration

systemd-resolved provides resolver services for Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR).

The resolver can be configured by editing and/or drop-in .conf files in . See .

To use systemd-resolved start and enable .

Tip: To understand the context around the choices and switches, one can turn on detailed debug information for systemd-resolved as described in systemd#Diagnosing a service.

DNS

Software that relies on glibc's getaddrinfo(3) (or similar) will work out of the box, since, by default, is configured to use nss-resolve(8) if it is available.

To provide domain name resolution for software that reads /etc/resolv.conf directly, such as web browsers and GnuPG, systemd-resolved has four different modes for handling the file: stub, static, uplink and foreign. They are described in . We will focus here only on the recommended mode, i.e. the stub mode, which uses /run/systemd/resolve/stub-resolv.conf.

/run/systemd/resolve/stub-resolv.conf contains the local stub 127.0.0.53 as the only DNS server and a list of search domains. This is the recommended mode of operation, since it propagates the systemd-resolved managed configuration to all clients. To use it, replace /etc/resolv.conf with a symbolic link to it:
# ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Note:
  • Failure to properly configure /etc/resolv.conf will result in broken DNS resolution.
  • Creating the /etc/resolv.conf symlink will not be possible while inside arch-chroot, since the file is bind-mounted from the outside system. Instead, create the symlink from outside the chroot, e.g.:
    # ln -sf /run/systemd/resolve/stub-resolv.conf /mnt/etc/resolv.conf
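The following is an added example, not part of the wiki page or of systemd: a small Python check that classifies how /etc/resolv.conf is wired up and verifies that a stub-mode setup really points at 127.0.0.53. It handles both link styles shown above (the relative link written by ln -rsf and the absolute link created from outside arch-chroot), and takes a root directory so it can be run against a mounted system such as /mnt. The stub path and the stub address come from the page; the uplink and static link targets are assumptions taken from systemd-resolved(8); the sample resolv.conf contents are constructed.

```python
"""Check how /etc/resolv.conf is wired up for systemd-resolved.

Added example for this page (not from the Arch Wiki or systemd). The stub
path and 127.0.0.53 come from the page; the uplink and static targets are
assumed from systemd-resolved(8). `root` exists so the check can be run
against a mounted system (e.g. /mnt from the install medium) or a test tree.
"""
import os
import tempfile

STUB_TARGET = "/run/systemd/resolve/stub-resolv.conf"   # stub mode (from the page)
UPLINK_TARGET = "/run/systemd/resolve/resolv.conf"      # uplink mode (assumed, systemd-resolved(8))
STATIC_TARGET = "/usr/lib/systemd/resolv.conf"          # static mode (assumed, systemd-resolved(8))
STUB_ADDRESS = "127.0.0.53"
MODES = {STUB_TARGET: "stub", UPLINK_TARGET: "uplink", STATIC_TARGET: "static"}

# constructed sample of what systemd-resolved writes to stub-resolv.conf
STUB_TEXT = "# constructed sample\nnameserver 127.0.0.53\noptions edns0 trust-ad\nsearch example.lan\n"


def nameservers(text):
    """Return the addresses of all `nameserver` lines, ignoring comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def resolv_conf_mode(root="/"):
    """Classify <root>/etc/resolv.conf as stub, uplink, static, foreign or missing."""
    path = os.path.join(root, "etc/resolv.conf")
    if not os.path.lexists(path):
        return "missing"
    if not os.path.islink(path):
        return "foreign"            # a regular file written by something else
    raw = os.readlink(path)
    if os.path.isabs(raw):          # e.g. `ln -sf /run/... /mnt/etc/resolv.conf` from outside a chroot
        target = os.path.join(root, raw.lstrip("/"))
    else:                           # e.g. `ln -rsf ...`, which writes ../run/systemd/resolve/...
        target = os.path.normpath(os.path.join(os.path.dirname(path), raw))
    return MODES.get("/" + os.path.relpath(target, root), "foreign")


def check_stub(root="/"):
    """Return a list of problems with a stub-mode setup; an empty list means it is healthy."""
    mode = resolv_conf_mode(root)
    if mode != "stub":
        return [f"/etc/resolv.conf is in {mode} mode, not stub mode"]
    stub = os.path.join(root, STUB_TARGET.lstrip("/"))
    if not os.path.isfile(stub):
        return ["stub-resolv.conf does not exist; is systemd-resolved running?"]
    with open(stub) as fh:
        servers = nameservers(fh.read())
    if servers != [STUB_ADDRESS]:
        return [f"expected only nameserver {STUB_ADDRESS}, found {servers or 'none'}"]
    return []


def make_fixture(root, link, text):
    """Build a throw-away root: `link` is the symlink target, or None for a plain file."""
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "run/systemd/resolve"))
    resolv = os.path.join(root, "etc/resolv.conf")
    if link is None:
        with open(resolv, "w") as fh:
            fh.write(text)
    else:
        with open(os.path.join(root, STUB_TARGET.lstrip("/")), "w") as fh:
            fh.write(text)
        os.symlink(link, resolv)


def demo():
    """Classify four constructed layouts; returns {label: (mode, problems)}."""
    cases = {
        "relative-stub": ("../run/systemd/resolve/stub-resolv.conf", STUB_TEXT),   # ln -rsf
        "absolute-stub": (STUB_TARGET, STUB_TEXT),                                  # ln -sf from outside arch-chroot
        "foreign": (None, "nameserver 192.0.2.1\n"),                                 # something overwrote the file
        "stale-stub": ("../run/systemd/resolve/stub-resolv.conf", "nameserver 192.0.2.1\n"),  # link right, content wrong
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, (link, text) in cases.items():
            root = os.path.join(tmp, label)
            make_fixture(root, link, text)
            results[label] = (resolv_conf_mode(root), check_stub(root))
    return results


if __name__ == "__main__":
    for label, (mode, problems) in demo().items():
        print(f"{label:14} {mode:8} {'OK' if not problems else '; '.join(problems)}")
    print("this system:", resolv_conf_mode(), check_stub())
```

The "stale-stub" case is the one worth keeping in mind: the symlink is correct, so a glance at `ls -l /etc/resolv.conf` looks fine, yet the file no longer names 127.0.0.53, which is exactly the "broken DNS resolution" the note above warns about.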
Automatically

systemd-resolved will work out of the box with a network manager using . No particular configuration is required since systemd-resolved will be detected by following the symlink. This is going to be the case with systemd-networkd, NetworkManager, and iwd.

However, if the DHCP and VPN clients use the resolvconf program to set name servers and search domains (see openresolv#Users for a list of software that use resolvconf), the additional package is needed to provide the symlink.

Manually

In stub and static modes, custom DNS server(s) can be set in the file:

/etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=192.168.35.1 fd7b:d0bd:7a6e::1
Domains=~.

Fallback

If systemd-resolved does not receive DNS server addresses from the network manager and no DNS servers are configured manually then systemd-resolved falls back to the fallback DNS addresses to ensure that DNS resolution always works.

The addresses can be changed by setting in . E.g.:

To disable the fallback DNS functionality set the option without specifying any addresses:

DNSSEC

DNSSEC validation can be enabled by changing setting in .

  • Set DNSSEC=allow-downgrade to validate DNSSEC only if the upstream DNS server supports it.
  • Set DNSSEC=true to always validate DNSSEC, thus breaking DNS resolution with name servers that do not support it. For example:
/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true
Note:
  • If your DNS server does not support DNSSEC and you experience problems with the default allow-downgrade mode (e.g. systemd issue 10579), you can explicitly disable systemd-resolved's DNSSEC support by setting DNSSEC=false.
  • systemd-resolved may disable DNSSEC after a few unsuccessful validations. If the DNSSEC option is set to true, then DNS resolution will stop working entirely. See systemd issue 9867.

Test DNSSEC validation by querying a domain with an invalid signature:

Now test a domain with valid signature:

DNS over TLS

DNS over TLS is disabled by default. To enable it change the setting in the section in . To enable validation of your DNS provider's server certificate, include their hostname in the setting in the format . For example:

ngrep can be used to test if DNS over TLS is working, since DNS over TLS always uses port 853 and never port 53. The command ngrep port 53 should produce no output when a hostname is resolved with DNS over TLS, while ngrep port 853 should produce encrypted output.

Wireshark can be used for more detailed packet inspection of DNS over TLS queries.
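As an added example covering the Manually, Fallback, DNSSEC and DNS over TLS sections above (not code from the wiki page or from systemd), the following Python script reads resolved.conf-style files and reports the settings a reviewer would flag: DNSSEC off or left at allow-downgrade, DNS over TLS off or opportunistic, servers without a certificate hostname, and the compiled-in fallback servers left active. It implements just enough of systemd's configuration syntax for this purpose: a [Resolve] section, Key=Value lines, # and ; comments, list keys that accumulate across repeated assignments, and an empty assignment that resets a list (the mechanism the Fallback section uses to disable FallbackDNS). The setting names DNS, Domains, DNSSEC and FallbackDNS are on the page; DNSOverTLS, the address#hostname server syntax and the sorted drop-in loading order are assumptions taken from resolved.conf(5). Both sample configurations are constructed.

```python
"""Audit systemd-resolved settings for weak resolver configuration.

Added example for this page; it is not code from the Arch Wiki or from
systemd. DNS, Domains, DNSSEC and FallbackDNS appear on the page;
DNSOverTLS, the address#hostname form and the sorted-drop-in order are
assumed from resolved.conf(5).
"""
import glob
import os

LIST_KEYS = {"DNS", "FallbackDNS", "Domains"}   # space-separated lists that accumulate
OFF_VALUES = {"no", "false", "0", "off"}        # systemd's spellings of a false boolean

# constructed sample: the page's dns_servers.conf with validation switched off
WEAK_CONF = """\
[Resolve]
DNS=192.168.35.1 fd7b:d0bd:7a6e::1
Domains=~.
DNSSEC=false
"""

# constructed sample: strict validation, encrypted transport with certificate check, no fallback
HARDENED_CONF = """\
[Resolve]
DNS=192.0.2.53#dns.example.net 2001:db8::53#dns.example.net
Domains=~.
DNSSEC=true
DNSOverTLS=yes
FallbackDNS=
"""


def parse_resolved_conf(text, settings=None):
    """Merge one resolved.conf-style file into `settings` (later files win)."""
    settings = {} if settings is None else settings
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST_KEYS:
            if value == "":
                settings[key] = []                    # empty assignment resets the list
            else:
                settings.setdefault(key, []).extend(value.split())
        else:
            settings[key] = value                     # scalar: last assignment wins
    return settings


def load_settings(texts):
    """Apply the main file first, then the drop-ins, in the order given."""
    settings = {}
    for text in texts:
        parse_resolved_conf(text, settings)
    return settings


def load_system(main="/etc/systemd/resolved.conf", dropin_dir="/etc/systemd/resolved.conf.d"):
    """Read the live configuration; drop-ins are applied in sorted filename order."""
    paths = ([main] if os.path.exists(main) else []) + sorted(glob.glob(os.path.join(dropin_dir, "*.conf")))
    texts = []
    for path in paths:
        with open(path) as fh:
            texts.append(fh.read())
    return load_settings(texts)


def audit(settings):
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    dnssec = settings.get("DNSSEC", "allow-downgrade").lower()   # page: allow-downgrade is the default
    if dnssec in OFF_VALUES:
        findings.append("DNSSEC is disabled: answers are accepted without signature validation")
    elif dnssec == "allow-downgrade":
        findings.append("DNSSEC=allow-downgrade: validation is dropped silently when the upstream does not support it")
    dot = settings.get("DNSOverTLS", "no").lower()              # page: DNS over TLS is off by default
    if dot in OFF_VALUES:
        findings.append("DNSOverTLS is off: upstream queries travel in cleartext on port 53")
    elif dot == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: falls back to cleartext and does not verify the server certificate")
    else:
        unverified = [server for server in settings.get("DNS", []) if "#" not in server]
        if unverified:
            findings.append("DNS servers without #hostname, so their TLS certificate is not validated: "
                            + " ".join(unverified))
    if "FallbackDNS" not in settings:
        findings.append("FallbackDNS is unset: compiled-in fallback servers are used when no DNS servers are configured")
    if "~." not in settings.get("Domains", []):
        findings.append("Domains=~. is missing: queries may be routed to per-link servers (e.g. from DHCP) instead")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(load_settings([conf])) or ["OK"])
    print("this system", audit(load_system()) or ["OK"])
```

Run as root-less `python3 audit.py` it prints the findings for the two constructed samples and then for the local configuration. Note that a later drop-in only has to contain `DNS=192.0.2.9` to reintroduce an unverified server into an otherwise hardened setup, because list keys accumulate; that is why the audit is run on the merged result rather than on each file separately.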

mDNS

systemd-resolved is capable of working as a multicast DNS resolver and responder.

The resolver provides hostname resolution using a "hostname.local" naming scheme.

mDNS will only be activated for a connection if both systemd-resolved's mDNS support is enabled and the configuration of the currently active network manager enables mDNS for that connection.

systemd-resolved's mDNS support can be enabled by its MulticastDNS setting (see ).

Enabling per-connection mDNS support depends on the network manager:

  • For systemd-networkd, set the MulticastDNS setting in the section of a per-connection settings file. You may also have to set in the section. See .
  • Otherwise, for NetworkManager, set in the section of the connection's settings file. Running nmcli connection modify interface_name connection.mdns {yes|no|resolve} will do that for you. See .

LLMNR

Link-Local Multicast Name Resolution is a hostname resolution protocol created by Microsoft.

LLMNR will only be activated for a connection if both systemd-resolved's global setting (LLMNR in ) and the network manager's per-connection setting are enabled. By default, systemd-resolved enables the LLMNR responder, and systemd-networkd and NetworkManager enable it for connections.

If you plan to use LLMNR and use a firewall, make sure to open UDP and TCP ports .

Lookup

To query DNS records, mDNS or LLMNR hosts you can use the resolvectl utility.

For example, to query a DNS record:

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

-- Information acquired via protocol DNS in 48.4ms.
-- Data is authenticated: no
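The trailer lines of that output are the ones worth reading when DNSSEC is in play: "Data is authenticated: no" means the answer was not validated. The following is an added example, not part of the wiki page or of systemd, that parses resolvectl query output into a structure a monitoring check can assert on. The sample output is the one shown above; the "-- link: ifname" suffix on address lines and the wrapper around the resolvectl binary are assumptions about the tool's behaviour, not taken from the page.

```python
"""Parse `resolvectl query` output so scripts can check the result.

Added example for this page; not code from the Arch Wiki or from systemd.
The sample output is the page's own; the `-- link:` suffix handling is an
assumption about how resolvectl annotates mDNS/LLMNR answers.
"""
import re
import subprocess

# the query output shown on the page
SAMPLE_OUTPUT = """\
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

-- Information acquired via protocol DNS in 48.4ms.
-- Data is authenticated: no
"""

INFO_RE = re.compile(r"^-- Information acquired via protocol (\S+) in ([0-9.]+)ms\.$")
FLAG_RE = re.compile(r"^-- (.+?): (yes|no)$")   # "Data is authenticated: no" and similar trailers


def parse_resolvectl_query(output):
    """Return name, addresses, protocol, latency and the yes/no trailer flags."""
    result = {"name": None, "addresses": [], "protocol": None, "latency_ms": None, "flags": {}}
    for line in output.splitlines():
        if not line.strip():
            continue
        match = INFO_RE.match(line)
        if match:
            result["protocol"] = match.group(1)
            result["latency_ms"] = float(match.group(2))
            continue
        match = FLAG_RE.match(line)
        if match:
            result["flags"][match.group(1)] = match.group(2) == "yes"
            continue
        if line.startswith("--"):
            continue                            # some other annotation we do not model
        if not line[0].isspace():               # first answer line: "name: address"
            name, _, line = line.partition(":")
            result["name"] = name.strip()
        fields = line.split()                   # continuation lines are indented addresses;
        if fields:                              # anything after the address (e.g. "-- link: eth0") is dropped
            result["addresses"].append(fields[0])
    return result


def authenticated(result):
    """True only when resolvectl reported the data as DNSSEC-authenticated."""
    return result["flags"].get("Data is authenticated", False)


def query(name):
    """Run resolvectl for `name` and parse its output (requires systemd-resolved)."""
    proc = subprocess.run(["resolvectl", "query", name], capture_output=True, text=True, check=True)
    return parse_resolvectl_query(proc.stdout)


if __name__ == "__main__":
    parsed = parse_resolvectl_query(SAMPLE_OUTPUT)
    print(parsed["name"], parsed["addresses"], parsed["protocol"], parsed["latency_ms"])
    print("authenticated:", authenticated(parsed))
```

With DNSSEC=true in effect, a result whose `authenticated()` is False for a signed zone is the condition a health check should alert on; with allow-downgrade it is the expected silent fallback described in the DNSSEC section.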

Troubleshooting

systemd-resolved not searching the local domain

systemd-resolved may not search the local domain when given just the hostname, even when or is present in the appropriate systemd-networkd .network file and that file produces the expected in . Run networkctl status or to check whether the search domains are actually being picked up.

Possible workarounds:

  • Disable LLMNR to let systemd-resolved immediately continue with appending the DNS suffixes
  • Trim 's database (e.g., by removing option after resolve service)
  • Switch to using fully-qualified domain names
  • Use to resolve hostnames
  • Fall back to using glibc's instead of using systemd's resolve

systemd-resolved does not resolve hostnames without suffix

To make systemd-resolved resolve hostnames that are not fully qualified domain names, add ResolveUnicastSingleLabel=yes to .

This only seems to work with LLMNR disabled ().

If you are using systemd-networkd, you might want the domain supplied by the DHCP server or IPv6 Router Advertisement to be used as a search domain. This is disabled by default; to enable it, add to the interface's .network file:

You can check what systemd-resolved has for each interface with:

$ resolvectl domain

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.