systemd provides a service, systemd-resolved (referred to as resolved below), to handle DNS resolution. It supports DNS over TLS, DNSSEC validation, DNS caching, Multicast DNS and LLMNR resolution, and more.
Depending on the Linux distribution, resolved may already be in use by default. On such systems there should be a symlink from /etc/resolv.conf to a stub resolv configuration file (usually
For distributions not using resolved by default, the following steps can be used to start using it:
- Make sure no other DNS resolver is listening on port 53 (e.g. dnsmasq or unbound); resolved's stub listener needs to bind 127.0.0.53:53.
- Enable the resolved service so it will start on boot:
sudo systemctl enable systemd-resolved.service
- Start the resolved service:
sudo systemctl start systemd-resolved.service
- Create the symlink to the stub resolver file:
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
The default configuration file for resolved is /etc/systemd/resolved.conf. Do not edit this file directly; instead put any configuration in "drop-in" files, which are read in addition to it and override its settings.
The default drop-in directory is here (it may not exist yet; if it doesn't, create it):
Configuration is handled using INI-style configuration files.
Settings can be applied globally (in resolved.conf and its drop-ins) or per link (for example via systemd-networkd .network files or resolvectl). For a given link the most specific configuration wins, so per-link DNS settings take precedence over the global ones.
After making changes the service should be restarted:
sudo systemctl restart systemd-resolved.service
DNS resolvers may be configured with the DNS option. Note
To set a list of global DNS servers to use, create the drop-in file
/etc/systemd/resolved.conf.d/dns.conf and add the following content:
[Resolve]
## Use the following list of DNS resolvers
## Google public resolvers
#DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
## Cloudflare public resolvers
#DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
## Quad9 public resolvers
#DNS=9.9.9.9 2620:fe::fe
## Combination of Google, Cloudflare and Quad9
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 2620:fe::fe
To enable or disable DNSSEC validation, create the drop-in file
/etc/systemd/resolved.conf.d/dnssec.conf and add the following content. Note that allow-downgrade is open to downgrade attacks: an on-path attacker who synthesizes a response suggesting the upstream does not support DNSSEC makes resolved silently stop validating. Where the upstream resolvers are known to support DNSSEC, DNSSEC=yes fails closed instead:
[Resolve]
## Configure DNSSEC validation
## Always validate (fail closed if the upstream does not support DNSSEC)
#DNSSEC=yes
## Only validate if DNS resolvers being used support it
DNSSEC=allow-downgrade
## Disable DNSSEC validation
#DNSSEC=no
To verify that DNSSEC validation works, query a name with a deliberately broken signature (the query must fail with "DNSSEC validation failed") and one with a valid signature (the query must succeed):
resolvectl query sigfail.verteiltesysteme.net
resolvectl query sigok.verteiltesysteme.net
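The setup steps above and the two DNSSEC probes can be combined into one check script. The following is an added example, not code from the original page or from systemd: it assumes the stub path /run/systemd/resolve/stub-resolv.conf and the sigfail/sigok test names from the text, and calls the real ss (iproute2) and resolvectl commands. The hypothetical file name resolved-check.sh and the --run flag are this example's own conventions.

```shell
#!/bin/sh
# resolved-check.sh: post-setup checks for systemd-resolved.
# Added example, not part of the original page or of systemd. Assumes the
# stub path and the DNSSEC test names from the text; `ss` and `resolvectl`
# are the real commands, invoked as documented.

STUB=/run/systemd/resolve/stub-resolv.conf

# /etc/resolv.conf must be a symlink whose target is the stub file.
# The optional path argument lets the check be pointed at a test copy.
resolv_conf_is_stub() {
    target=$(readlink "${1:-/etc/resolv.conf}" 2>/dev/null) || return 1
    [ "$target" = "$STUB" ]
}

# Print any TCP/UDP socket bound to port 53 that is not resolved's own stub
# listener (127.0.0.53:53). Returns 0 if a conflicting listener exists,
# 1 if port 53 is free for resolved.
conflicting_port53_listener() {
    ss -lntup 'sport = :53' 2>/dev/null \
        | grep -E ':53[[:space:]]' \
        | grep -v 'systemd-resolve'
}

# Run the two DNSSEC probes: the broken signature must be rejected, the good
# one must resolve AND be marked authenticated. Returns 0 only if all hold.
dnssec_probe() {
    if resolvectl query sigfail.verteiltesysteme.net >/dev/null 2>&1; then
        echo "sigfail resolved: bogus signatures are being accepted" >&2
        return 1
    fi
    out=$(resolvectl query sigok.verteiltesysteme.net 2>/dev/null) || {
        echo "sigok failed to resolve: resolver or DNSSEC setup is broken" >&2
        return 1
    }
    # Only this line proves resolved validated locally. The public resolvers
    # validate upstream too, so a SERVFAIL for sigfail alone proves nothing.
    case "$out" in
        *"Data is authenticated: yes"*) return 0 ;;
        *) echo "sigok resolved but was not authenticated locally (DNSSEC=no, or downgraded)" >&2
           return 1 ;;
    esac
}

run_all_checks() {
    rc=0
    if resolv_conf_is_stub; then echo "ok   /etc/resolv.conf -> $STUB"
    else echo "FAIL /etc/resolv.conf is not a symlink to $STUB"; rc=1; fi
    if listeners=$(conflicting_port53_listener); then
        echo "FAIL another resolver owns port 53:"; echo "$listeners"; rc=1
    else echo "ok   no conflicting listener on port 53"; fi
    if dnssec_probe; then echo "ok   DNSSEC validation enforced locally"
    else echo "FAIL DNSSEC probe"; rc=1; fi
    return $rc
}

# Only run the checks when invoked as `sh resolved-check.sh --run`, so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

Run it once after the symlink step and again after the DNSSEC drop-in is in place. The "Data is authenticated: yes" check matters because the public resolvers above validate DNSSEC themselves and already return SERVFAIL for sigfail; only that line in the resolvectl output shows that resolved validated the answer locally rather than trusting the upstream.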
DNS over TLS
The upstream DNS servers must support DNS over TLS. DNSOverTLS=yes is strict: resolved refuses to talk to a server that does not offer TLS, so a wrong server list breaks resolution rather than leaking queries in plaintext. DNSOverTLS=opportunistic tries TLS first and falls back to plaintext when the TLS connection fails, which protects only against passive observation, not against an active attacker who can block port 853. To have the server certificate checked, give each server with its name in the DNS= setting, e.g. DNS=1.1.1.1#cloudflare-dns.com (the part after # is used for SNI and certificate validation).
To enable DoT create the drop-in file /etc/systemd/resolved.conf.d/dot.conf with the following content:
[Resolve]
## Enable DNS over TLS
#DNSOverTLS=yes
## Disable DNS over TLS
DNSOverTLS=no
To view the status of the service (eg. show the list of DNS servers being used):
To resolve a name manually (querying for A/AAAA records):
resolvectl query gbe0.com
To resolve a specific record type, e.g. TXT:
resolvectl query --type=txt gbe0.com
Show resolver statistics (cache, DNSSEC statistics):