systemd-resolved is an all-in-one name resolution manager that is somewhat tied to NetworkManager. It acts as a resolver service for applications and handles both regular DNS and multicast DNS. It can perform DNSSEC-validated lookups if you point it at an upstream provider that supports DNSSEC. systemd-resolved can interfere with other DNS servers and local multicast DNS daemons, so make sure it is disabled if you plan on using more versatile alternatives such as avahi and/or unbound.
systemd-resolved is configured in the file /etc/systemd/resolved.conf, where the basic options are
A basic example would be:
The systemd-resolved manual has more details if the above isn't obvious enough for you.
Do note that there isn't much it can do in terms of multicast beyond resolving .local hostnames. You need to disable systemd-resolved's multicast DNS feature and use avahi-daemon for advanced uses like announcing services.
Enabling Secure DNS
systemd-resolved can be used to do secure DNS name lookups. You will have to point it at a provider who supports DNSSEC. The anycast nameservers offered by Google and Cloudflare have that support. The basic configuration file example above can be adapted to use DNS-over-TLS and DNSSEC by adding two lines:
DNSOverTLS = yes
DNSSEC = yes
Thus, a secure systemd-resolved configuration file can be as simple as:
HOWTO Permanently Enable The Systemd-resolved Service
There is one additional step to take once you have a /etc/systemd/resolved.conf file you are happy with: you need to tell NetworkManager (assuming you use NetworkManager to manage your network, as most distributions do) that you want to use systemd-resolved. This is done by adding a simple line to the [main] section of /etc/NetworkManager/NetworkManager.conf:
dns = systemd-resolved
Make sure you restart NetworkManager and start and permanently enable systemd-resolved once you have made that change:
sudo systemctl start systemd-resolved
sudo systemctl enable systemd-resolved
sudo systemctl restart NetworkManager
The NetworkManager setting dns = systemd-resolved should be enough to make it overwrite the /etc/resolv.conf file, which controls what DNS service is used system-wide, with the 127.0.0.53 (note: not 127.0.0.1) listening address offered by systemd-resolved. You can manually run
echo 'nameserver 127.0.0.53' > /etc/resolv.conf
if NetworkManager does not take care of it for some reason.
HOWTO Permanently Disable Systemd-resolved
If you have set up your own DNS server using Unbound or something else and you do NOT want to use systemd-resolved, then the following configuration is desired and required even though you do not want to use it:
You need to make sure systemd-resolved's stub listener (the one on 127.0.0.53 mentioned above) is turned off with DNSStubListener=no, and that mDNS is turned off with MulticastDNS=no, even if you have disabled the service with:
sudo systemctl disable systemd-resolved.service
It will get started when certain applications make API requests to systemd, even if it is disabled and even when you have masked it with:
sudo systemctl mask systemd-resolved.service
Mask it anyway; it doesn't hurt if you are not planning on using it. Disabling the listeners in the configuration file is the only thing short of removing the binary that works if you want it totally disabled.
You will also have to make sure NetworkManager does not start systemd-resolved. This is important. Take a look at your /etc/NetworkManager/NetworkManager.conf, remove any line that says dns = systemd-resolved and replace it with:
You should restart NetworkManager and make sure you stop systemd-resolved once you have made that change:
sudo systemctl stop systemd-resolved.service
sudo systemctl restart NetworkManager
Make sure you add a working nameserver, or 127.0.0.1 if you run your own using Unbound or similar, to /etc/resolv.conf once systemd-resolved is disabled.
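The three recipes above (the secure DNS options, the NetworkManager hand-off when enabling systemd-resolved, and the listener, NetworkManager and resolv.conf changes when disabling it) each touch a different file, and the failure mode described in the disable section is a host where those files disagree. The script below is an added example written for this page; it is not part of the original text, of systemd or of NetworkManager. It only parses the copies of resolved.conf, NetworkManager.conf and resolv.conf it is given and never calls systemctl or resolvectl, so it can be run before changing anything. It runs against constructed sample files so it works offline; the sample nameservers 1.1.1.1 and 8.8.8.8 are Cloudflare's and Google's public resolvers, and dns=default in the "disabled" NetworkManager sample is an assumption, since the page does not say which value replaces dns = systemd-resolved.

```shell
#!/bin/sh
# audit_resolved.sh: added example (not part of the page or of systemd).
# Checks that resolved.conf, NetworkManager.conf and resolv.conf agree with
# one of the two recipes in the text: systemd-resolved enabled through
# NetworkManager with secure DNS, or systemd-resolved fully disabled.
# It only parses the files it is given; it never calls systemctl or resolvectl.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Tolerates whitespace around '=', skips '#'/';' comments, last assignment wins.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_s = ($0 ~ ("^[ \t]*\\[" sect "\\][ \t]*$")); next }
        in_s && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }' "$1"
}

# first_nameserver FILE: print the first "nameserver" address in a resolv.conf.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# audit_enabled RESOLVED_CONF NM_CONF RESOLV_CONF
# Returns 0 when NetworkManager hands DNS to systemd-resolved, resolv.conf
# points at the 127.0.0.53 stub, and DNSOverTLS/DNSSEC are both switched on.
audit_enabled() {
    _fail=0
    [ "$(ini_get "$2" main dns)" = "systemd-resolved" ] || { echo "  NetworkManager dns= is not systemd-resolved"; _fail=1; }
    [ "$(first_nameserver "$3")" = "127.0.0.53" ]     || { echo "  resolv.conf does not point at the 127.0.0.53 stub"; _fail=1; }
    [ "$(ini_get "$1" Resolve DNSOverTLS)" = "yes" ]   || { echo "  DNSOverTLS is not yes"; _fail=1; }
    [ "$(ini_get "$1" Resolve DNSSEC)" = "yes" ]       || { echo "  DNSSEC is not yes"; _fail=1; }
    return $_fail
}

# audit_disabled RESOLVED_CONF NM_CONF RESOLV_CONF
# Returns 0 when the stub listener and mDNS are off in resolved.conf (so an
# API-triggered start cannot grab port 53 or mDNS), NetworkManager no longer
# points at systemd-resolved, and resolv.conf names the real resolver.
audit_disabled() {
    _fail=0
    [ "$(ini_get "$1" Resolve DNSStubListener)" = "no" ] || { echo "  DNSStubListener is not no"; _fail=1; }
    [ "$(ini_get "$1" Resolve MulticastDNS)" = "no" ]    || { echo "  MulticastDNS is not no"; _fail=1; }
    [ "$(ini_get "$2" main dns)" != "systemd-resolved" ] || { echo "  NetworkManager still hands DNS to systemd-resolved"; _fail=1; }
    [ "$(first_nameserver "$3")" != "127.0.0.53" ]       || { echo "  resolv.conf still points at the 127.0.0.53 stub"; _fail=1; }
    return $_fail
}

# Constructed sample files (not copied from any real host) so this runs offline.
# They are left in $SAMPLES for inspection.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/resolved-enabled.conf" <<'EOF'
[Resolve]
# Cloudflare's and Google's public anycast resolvers, both DNSSEC-capable
DNS=1.1.1.1 8.8.8.8
DNSOverTLS=yes
DNSSEC=yes
EOF
cat > "$SAMPLES/nm-enabled.conf" <<'EOF'
[main]
dns = systemd-resolved
EOF
printf 'nameserver 127.0.0.53\n' > "$SAMPLES/resolv-enabled.conf"

cat > "$SAMPLES/resolved-disabled.conf" <<'EOF'
[Resolve]
DNSStubListener=no
MulticastDNS=no
EOF
cat > "$SAMPLES/nm-disabled.conf" <<'EOF'
[main]
dns=default
EOF
printf 'nameserver 127.0.0.1\n' > "$SAMPLES/resolv-disabled.conf"

echo "enabled samples:"
audit_enabled "$SAMPLES/resolved-enabled.conf" "$SAMPLES/nm-enabled.conf" "$SAMPLES/resolv-enabled.conf" && echo "  consistent"
echo "disabled samples:"
audit_disabled "$SAMPLES/resolved-disabled.conf" "$SAMPLES/nm-disabled.conf" "$SAMPLES/resolv-disabled.conf" && echo "  consistent"
# A half-finished disable: NetworkManager detached, but resolved.conf left at its
# defaults, which is exactly the state in which systemd-resolved can creep back in.
echo "mixed samples:"
audit_disabled "$SAMPLES/resolved-enabled.conf" "$SAMPLES/nm-disabled.conf" "$SAMPLES/resolv-disabled.conf" || echo "  inconsistent"
```

On a real host, source the script and call audit_enabled or audit_disabled with /etc/systemd/resolved.conf, /etc/NetworkManager/NetworkManager.conf and /etc/resolv.conf; each failed check is printed, so the "mixed" case above shows the stub listener and mDNS still enabled. One caveat on the secure settings the audit insists on: DNSSEC=yes is strict mode and makes lookups fail when the upstream does not validate, so if you must use a resolver without DNSSEC support, systemd-resolved's DNSSEC=allow-downgrade is the lenient alternative; the audit treats anything other than yes as a finding so that such a downgrade is a conscious choice.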
- manual page: systemd-resolved.8