Systemd-resolved

From LinuxReviews

systemd-resolved is systemd's all-in-one name resolution service. It answers lookups from applications (through the nss-resolve NSS module, its D-Bus API and a local DNS stub listener) and resolves them using classic unicast DNS, multicast DNS (mDNS) and LLMNR. It can encrypt queries to the upstream resolver with DNS over TLS and validate DNSSEC signatures on the answers, provided the upstream provider supports both. NetworkManager can feed it the per-link DNS servers it learns from DHCP, which is how most desktop distributions wire it up. Because systemd-resolved binds a stub listener on 127.0.0.53 port 53 and an mDNS responder on UDP port 5353, it gets in the way of other resolvers and mDNS daemons, so make sure it is disabled, or at least that those listeners are turned off, if you plan on using more versatile alternatives such as avahi and/or unbound.

Configuration

systemd-resolved is configured in the file /etc/systemd/resolved.conf, in a [Resolve] section (drop-in files in /etc/systemd/resolved.conf.d/*.conf are read as well). The basic options are DNS=, FallbackDNS=, MulticastDNS= and DNSStubListener=.

A basic example would be:

File: /etc/systemd/resolved.conf
[Resolve]
# Resolve using Cloudflare DNS
DNS=1.1.1.1 1.0.0.1
# Fallback to Google if Cloudflare is unavailable
FallbackDNS=8.8.8.8
# Listen for multicast DNS
MulticastDNS=yes
# respond to DNS requests on 127.0.0.53
DNSStubListener=yes

The resolved.conf(5) manual page has more details if the above isn't obvious enough for you.

Do note that there isn't much it can do in terms of multicast beyond resolving .local hostnames and answering mDNS queries for the machine's own hostname. It does not announce services (DNS-SD). You need avahi-daemon for advanced uses like announcing services, and in that case you should set MulticastDNS=no so systemd-resolved does not compete with avahi on UDP port 5353. Also note that MulticastDNS= in resolved.conf is only the global switch; mDNS is active only on links where it is enabled per link as well (for example with resolvectl mdns <link> yes, or NetworkManager's connection.mdns setting).

Enabling Secure DNS

systemd-resolved can do two different things under the heading of secure DNS, and they are separate settings. DNSOverTLS= encrypts the transport between systemd-resolved and the upstream resolver (TCP port 853), so nobody on the path can read or tamper with your queries. DNSSEC= makes systemd-resolved validate the signatures on the answers it receives, so a forged record is rejected even if the upstream resolver itself returned it. Both need an upstream that supports them: the anycast resolvers run by Cloudflare (1.1.1.1, 1.0.0.1) and Google (8.8.8.8, 8.8.4.4) offer DNS over TLS and return the DNSSEC records validation needs. The basic configuration file example above can be adapted by adding two lines to the [Resolve] section:

DNSOverTLS=yes
DNSSEC=yes

Both accept yes, which is strict, as well as a softer mode: DNSOverTLS=opportunistic falls back to cleartext DNS when TLS is unavailable, and DNSSEC=allow-downgrade stops validating when the upstream appears not to support DNSSEC. The softer modes protect against nothing that can actively interfere with your traffic (blocking port 853 or stripping DNSSEC records is enough to switch them off), so use yes. For strict DNS over TLS, current systemd versions also let you give each server a name in the address#hostname form (1.1.1.1#cloudflare-dns.com, 8.8.8.8#dns.google): systemd-resolved uses it to send SNI and to validate the server's certificate, and without it the session is encrypted but not tied to the provider's identity. Be aware that DNSSEC=yes also applies to per-link servers handed out by DHCP, and many home routers mangle DNSSEC records; if resolution breaks on such a network the setting is doing its job, and the fix is a proper upstream, not loosening it.

Thus, a secure systemd-resolved configuration file can be as simple as:

File: /etc/systemd/resolved.conf
[Resolve]
# Resolve using Cloudflare DNS; the #hostname is used for SNI and to validate the TLS certificate
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
# Fallback to Google if Cloudflare is unavailable
FallbackDNS=8.8.8.8#dns.google
# Encrypt the transport to the upstream with DNS over TLS (strict, no cleartext fallback)
DNSOverTLS=yes
# Validate DNSSEC signatures on the answers (strict, no downgrade)
DNSSEC=yes
# Listen for multicast DNS
MulticastDNS=yes
# respond to DNS requests on 127.0.0.53
DNSStubListener=yes
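The two switches are easy to get half right: DNSOverTLS=opportunistic and DNSSEC=allow-downgrade look enabled but can be switched off by anyone on the path, and a server given as a bare address is encrypted to but not authenticated. The script below, added here as an example and not code from the LinuxReviews page or from systemd, reads a resolved.conf and reports exactly those weaknesses. It runs against two constructed configurations embedded in the script (one downgradable, one strict); point audit_secure_dns at /etc/systemd/resolved.conf to check a real system. The function names (resolve_opt, is_true, audit_secure_dns) are my own.

```shell
#!/bin/sh
# Added example, not part of the LinuxReviews page: audit a resolved.conf for
# the two separate properties "Enabling Secure DNS" is about, encrypted
# transport (DNSOverTLS=) and validated answers (DNSSEC=).

# resolve_opt FILE KEY: print KEY's value from the [Resolve] section (last
# assignment wins, whitespace around '=' tolerated); empty if unset.
resolve_opt() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_resolve = ($0 ~ /^[ \t]*\[Resolve\]/); next }
        in_resolve && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}

# is_true VALUE: systemd-style boolean
is_true() { case "$1" in yes|true|on|1) return 0;; *) return 1;; esac; }

# audit_secure_dns FILE: returns 0 only when transport is strictly encrypted,
# every server carries a hostname for certificate validation, and DNSSEC is
# strict. Findings are printed one per line.
audit_secure_dns() {
    f=$1 rc=0
    dot=$(resolve_opt "$f" DNSOverTLS)
    sec=$(resolve_opt "$f" DNSSEC)
    dns=$(resolve_opt "$f" DNS)
    fb=$(resolve_opt "$f" FallbackDNS)

    # Transport: only "yes" refuses to fall back to cleartext port 53.
    if is_true "$dot"; then :
    elif [ "$dot" = opportunistic ]; then
        echo "WARN: DNSOverTLS=opportunistic; blocking port 853 downgrades you to cleartext"; rc=1
    else
        echo "FAIL: DNSOverTLS=${dot:-no}; queries to the upstream are sent in cleartext"; rc=1
    fi

    # Validation: only "yes" keeps rejecting answers whose signatures do not
    # verify when the upstream stops returning DNSSEC records.
    if is_true "$sec"; then :
    elif [ "$sec" = allow-downgrade ]; then
        echo "WARN: DNSSEC=allow-downgrade; validation is skipped if the upstream looks DNSSEC-unaware"; rc=1
    else
        echo "FAIL: DNSSEC=${sec:-no}; forged or poisoned answers from the upstream are accepted"; rc=1
    fi

    # Identity: without address#hostname the TLS certificate is not matched to
    # a name and no SNI is sent, so "encrypted" is not "to the right party".
    [ -n "$dns" ] || { echo "WARN: no DNS= servers in [Resolve]; per-link or fallback servers will be used"; rc=1; }
    for server in $dns $fb; do
        case "$server" in
        *#?*) ;;
        *) echo "WARN: $server has no #hostname; the certificate cannot be matched to the provider's name"; rc=1 ;;
        esac
    done
    return $rc
}

WEAK_CONF=$(mktemp) STRONG_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$STRONG_CONF"' EXIT

# Constructed sample: looks secure, but both settings are downgradable and the
# servers carry no hostname.
cat >"$WEAK_CONF" <<'EOF'
[Resolve]
DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8
DNSOverTLS=opportunistic
DNSSEC=allow-downgrade
EOF

# Constructed sample: strict on both axes, certificates checked against the
# providers' published DNS-over-TLS hostnames.
cat >"$STRONG_CONF" <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=8.8.8.8#dns.google 8.8.4.4#dns.google
DNSOverTLS=yes
DNSSEC=yes
DNSStubListener=yes
EOF

echo "== downgradable configuration =="
audit_secure_dns "$WEAK_CONF" || echo "result: NOT OK"
echo "== strict configuration =="
audit_secure_dns "$STRONG_CONF" && echo "result: OK"
```

The downgradable sample produces five warnings (two for the soft modes, three for the nameless servers) and a non-zero exit status; the strict sample passes. The checker deliberately treats opportunistic and allow-downgrade as failures rather than partial credit, because against an on-path attacker they give the same guarantees as no setting at all.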

HOWTO Permanently Enable The Systemd-resolved Service

There is one additional step to take once you have a /etc/systemd/resolved.conf file you are happy with: you need to tell NetworkManager, assuming you use NetworkManager to manage your network (most desktop distributions do), that you want to use systemd-resolved. This is done by adding a simple line to the [main] section of /etc/NetworkManager/NetworkManager.conf:

File: /etc/NetworkManager/NetworkManager.conf
[main]
dns = systemd-resolved

Make sure you start and permanently enable systemd-resolved, then restart NetworkManager, once you have made that change:

sudo systemctl start systemd-resolved
sudo systemctl enable systemd-resolved
sudo systemctl restart NetworkManager

With dns=systemd-resolved NetworkManager pushes the DNS servers of each connection (learned from DHCP, for example) to systemd-resolved as per-link servers and leaves /etc/resolv.conf, the file that controls which resolver is used system-wide, pointing at the stub listener on 127.0.0.53 (note: 127.0.0.53, not 127.0.0.1). On most distributions /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf, which systemd-resolved maintains for exactly this purpose. If NetworkManager does not take care of it for some reason you can set it manually:

echo 'nameserver 127.0.0.53' > /etc/resolv.conf

Applications that use the C library resolver then send their queries to the stub, which applies the DNS over TLS and DNSSEC settings above; resolvectl status shows what is actually in effect per link.

HOWTO Permanently Disable Systemd-resolved

If you have set up your own DNS server using Unbound or something else and you do NOT want to use systemd-resolved, you still need a resolved.conf that turns its listeners off, because the service can be started behind your back (see below):

File: /etc/systemd/resolved.conf
[Resolve]
# If it does get started anyway, forward to the local Unbound
DNS=127.0.0.1
FallbackDNS=1.0.0.1
# Do not bind UDP 5353 next to avahi
MulticastDNS=no
# Do not bind 127.0.0.53:53
DNSStubListener=no

DNSStubListener=no and MulticastDNS=no matter even after you have disabled the service with:

sudo systemctl disable systemd-resolved.service

Disabling only removes the unit from the boot targets. Any program that talks to systemd-resolved's D-Bus API (org.freedesktop.resolve1) can still cause systemd to activate the service on demand, at which point it binds 127.0.0.53:53 and UDP 5353 unless the configuration file says otherwise. Masking the unit blocks that activation as well:

sudo systemctl mask systemd-resolved.service

Mask it anyway; it does no harm if you are not planning on using it. Turning the listeners off in the configuration file is what guarantees that a stray start cannot interfere with your own resolver, short of removing the binary. With the daemon gone, also check the hosts: line in /etc/nsswitch.conf: the usual resolve [!UNAVAIL=return] dns entry falls through to plain dns when systemd-resolved is not running, which is what you want.

You will also have to make sure NetworkManager does not start systemd-resolved. This is important: by default NetworkManager pushes the DNS configuration of every connection to systemd-resolved over D-Bus, and that call alone is enough to activate the service. Take a look at your /etc/NetworkManager/NetworkManager.conf, remove any line that says dns=systemd-resolved and replace it with:

File: /etc/NetworkManager/NetworkManager.conf
[main]
# Do not touch /etc/resolv.conf at all
dns=none
# Do not push DNS settings to systemd-resolved over D-Bus
systemd-resolved=false

Stop systemd-resolved and restart NetworkManager once you have made that change:

sudo systemctl stop systemd-resolved.service
sudo systemctl restart NetworkManager

Once systemd-resolved is disabled nothing maintains /etc/resolv.conf for you, so make sure it names a working nameserver, or 127.0.0.1 if you run your own resolver with Unbound or similar. If it was a symlink to /run/systemd/resolve/stub-resolv.conf, replace it with a regular file; a resolv.conf that still says nameserver 127.0.0.53 leaves the system without working DNS.
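The enable and disable procedures above each touch three files that have to agree: NetworkManager.conf decides whether NetworkManager pushes DNS settings to systemd-resolved, resolved.conf decides whether the stub listener and the mDNS responder bind their ports, and /etc/resolv.conf decides where the C library sends queries. The script below, an added example that is not from the LinuxReviews page, NetworkManager or systemd, cross-checks the three files for both states. The three sample states (enabled, disabled, and a half-finished disable where NetworkManager was switched to dns=none but the other two files were left alone) are constructed in a temporary directory so the script runs offline; the function names (ini_opt, nameservers, check_wiring) are my own, and the real paths to pass are /etc/NetworkManager/NetworkManager.conf, /etc/systemd/resolved.conf and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not part of the LinuxReviews page: report mismatches between
# the NetworkManager dns setting, systemd-resolved's listener settings and
# the nameserver in resolv.conf.

# ini_opt FILE SECTION KEY: print KEY's value from [SECTION] (last one wins,
# whitespace around '=' tolerated); prints nothing if absent.
ini_opt() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\]")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}

# nameservers FILE: list the nameserver addresses in a resolv.conf
nameservers() { awk '$1 == "nameserver" { print $2 }' "$1"; }

# check_wiring NM_CONF RESOLVED_CONF RESOLV_CONF
# Returns 0 when the three files agree on which resolver serves the system,
# 1 otherwise. Findings are printed one per line.
check_wiring() {
    nm=$(ini_opt "$1" main dns)
    push=$(ini_opt "$1" main systemd-resolved)
    stub=$(ini_opt "$2" Resolve DNSStubListener)
    mdns=$(ini_opt "$2" Resolve MulticastDNS)
    ns=$(nameservers "$3")
    rc=0

    case "$nm" in
    systemd-resolved)
        # Enabled: the stub must be on and resolv.conf must point at it.
        case "$stub" in no|false|off|0)
            echo "FAIL: dns=systemd-resolved but DNSStubListener=$stub; nothing listens on 127.0.0.53"; rc=1;; esac
        echo "$ns" | grep -qx '127\.0\.0\.53' ||
            { echo "FAIL: resolv.conf does not name 127.0.0.53, so libc bypasses systemd-resolved (found: ${ns:-none})"; rc=1; }
        ;;
    none)
        # Disabled: NetworkManager must also stop pushing config over D-Bus,
        # the listeners must be off, and resolv.conf must name a resolver
        # that actually runs.
        case "$push" in false|no|off|0) ;; *)
            echo "FAIL: dns=none but systemd-resolved=${push:-true}; NetworkManager will D-Bus-activate systemd-resolved"; rc=1;; esac
        case "$stub" in no|false|off|0) ;; *)
            echo "FAIL: DNSStubListener=${stub:-unset} while systemd-resolved is meant to be off; a stray start takes 127.0.0.53:53"; rc=1;; esac
        case "$mdns" in no|false|off|0) ;; *)
            echo "WARN: MulticastDNS=${mdns:-unset} is not explicitly no; a stray start competes with avahi-daemon on UDP 5353"; rc=1;; esac
        [ -n "$ns" ] || { echo "FAIL: resolv.conf has no nameserver"; rc=1; }
        echo "$ns" | grep -qx '127\.0\.0\.53' &&
            { echo "FAIL: resolv.conf still points at the stub 127.0.0.53, which will not be listening"; rc=1; }
        ;;
    *)
        echo "WARN: NetworkManager dns=${nm:-default} is neither systemd-resolved nor none; NetworkManager writes resolv.conf itself"; rc=1
        ;;
    esac
    return $rc
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Constructed state 1: systemd-resolved enabled, as in the first HOWTO.
printf '[main]\ndns=systemd-resolved\n' >"$TMP/nm-on.conf"
cat >"$TMP/resolved-on.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes
DNSStubListener=yes
EOF
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' >"$TMP/resolv-on.conf"

# Constructed state 2: systemd-resolved disabled in favour of Unbound on
# 127.0.0.1, as in the second HOWTO.
printf '[main]\ndns=none\nsystemd-resolved=false\n' >"$TMP/nm-off.conf"
cat >"$TMP/resolved-off.conf" <<'EOF'
[Resolve]
DNS=127.0.0.1
MulticastDNS=no
DNSStubListener=no
EOF
printf 'nameserver 127.0.0.1\n' >"$TMP/resolv-off.conf"

# Constructed state 3 (broken): only NetworkManager.conf was changed; the
# enabled-state resolved.conf and resolv.conf are reused as-is.
printf '[main]\ndns=none\n' >"$TMP/nm-broken.conf"

for state in on off; do
    echo "== state: $state =="
    check_wiring "$TMP/nm-$state.conf" "$TMP/resolved-$state.conf" "$TMP/resolv-$state.conf" && echo "result: OK"
done
echo "== state: broken =="
check_wiring "$TMP/nm-broken.conf" "$TMP/resolved-on.conf" "$TMP/resolv-on.conf" || echo "result: NOT OK"
```

The broken state is the one people actually end up in: NetworkManager no longer manages /etc/resolv.conf, but the file still says 127.0.0.53, so lookups only keep working for as long as something D-Bus-activates systemd-resolved, and start failing the moment it is masked. Running check_wiring against the three real files after either HOWTO catches that before the next reboot does.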
