systemd-resolved Setup

systemd can provide a service named resolved to handle DNS resolution. This service can handle DNS over TLS, DNSSEC validation, DNS caching, Multicast DNS resolution and more.

Depending on the Linux distribution, resolved may be used by default. On these systems there should be a symlink from /etc/resolv.conf to a stub resolv configuration file (usually /run/systemd/resolve/stub-resolv.conf).

Enabling resolved

For distributions not using resolved by default, the following steps can be used to start using it:

  1. Make sure there is no existing DNS resolver listening on port 53 (e.g. dnsmasq).
  2. Enable the resolved service so it will start on boot: sudo systemctl enable systemd-resolved.service
  3. Start the resolved service: sudo systemctl start systemd-resolved.service
  4. Create the symlink to the stub resolver file: sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

resolved Configuration

The default configuration file for resolved is /etc/systemd/resolved.conf. Do not edit this file directly; instead, put any configuration in "drop-in" configuration files, which are included by default.

The default drop-in directory is shown below (it may not exist yet; if it doesn't, create it):

/etc/systemd/resolved.conf.d

Configuration is handled using INI-style configuration files.

Settings can be configured globally or per link; the most specific configuration is the one used.

After making changes the service should be restarted:

sudo systemctl restart systemd-resolved.service

DNS Resolvers

DNS resolvers may be configured with the DNS option. Note

To set a list of global DNS servers to use, create a drop in file /etc/systemd/resolved.conf.d/dns.conf and add the following content:

[Resolve]

## Use the following list of DNS resolvers
## Google public resolvers
#DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
## Cloudflare public resolvers
#DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
## Quad9 public resolvers
#DNS=9.9.9.9 2620:fe::fe
## Combination of Google, Cloudflare and Quad9
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 2620:fe::fe

DNSSEC

To enable or disable DNSSEC validation, create the drop in file /etc/systemd/resolved.conf.d/dnssec.conf and add the following content:

[Resolve]

## Configure DNSSEC validation
## Always validate
#DNSSEC=yes
## Only validate if DNS resolvers being used support it
DNSSEC=allow-downgrade
## Disable DNSSEC validation
#DNSSEC=no

To verify that DNSSEC validation works, query the two test names below; the first (a deliberately broken signature) should be rejected and the second should resolve:

  • resolvectl query sigfail.verteiltesysteme.net
  • resolvectl query sigok.verteiltesysteme.net

DNS over TLS

DNS over TLS must be supported by the upstream DNS resolvers being used.

To enable DoT create the drop in file /etc/systemd/resolved.conf.d/dot.conf with the following content:

[Resolve]

## Enable DNS over TLS
#DNSOverTLS=yes
## Disable DNS over TLS
DNSOverTLS=no
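Since the DNS, DNSSEC and DNS over TLS settings above each live in their own drop-in, it is easy to lose track of what the merged result actually enforces. The following script is an added example (not from the original post): it merges drop-in fragments in sorted filename order, as resolved reads them, and flags an effective DNSSEC or DNSOverTLS value other than yes. The three fragments are constructed inline to mirror the files above; the assumption that repeated DNS= lines accumulate and an empty DNS= resets the list is noted in the code.

```python
# Added example (not from the original post): merge systemd-resolved drop-in
# fragments in sorted filename order, as resolved reads them, and flag settings
# that leave resolution unvalidated or unencrypted. Samples are constructed.
SAMPLE_DROPINS = {  # mirrors the three drop-ins described above
    "dns.conf": "[Resolve]\n## public resolvers\nDNS=1.1.1.1 1.0.0.1 9.9.9.9\n",
    "dnssec.conf": "[Resolve]\n#DNSSEC=yes\nDNSSEC=allow-downgrade\n",
    "dot.conf": "[Resolve]\n#DNSOverTLS=yes\nDNSOverTLS=no\n",
}

def parse_fragment(text, settings):
    """Apply one fragment's [Resolve] keys to `settings`. '#' and ';' lines are
    comments; DNS= is assumed to accumulate (empty value resets the list) and
    every other key is a scalar where the last assignment wins."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key != "DNS":
            settings[key] = value
        elif value == "":
            settings["DNS"] = []
        else:
            settings.setdefault("DNS", []).extend(value.split())
    return settings

def merge_fragments(fragments):
    """Merge {filename: text} in lexicographic filename order."""
    settings = {}
    for name in sorted(fragments):
        parse_fragment(fragments[name], settings)
    return settings

def audit(settings):
    """Findings for settings that do not enforce DNSSEC or DNS over TLS."""
    findings = []
    for key, why in (("DNSSEC", "validation is off or downgradable"),
                     ("DNSOverTLS", "upstream queries not forced over TLS")):
        value = settings.get(key, "unset")
        if value != "yes":
            findings.append(f"{key}={value}: {why}")
    return findings
```

To audit a real system, read each *.conf under /etc/systemd/resolved.conf.d into the dictionary passed to merge_fragments() instead of the constructed samples.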

resolved Status

To view the status of the service (e.g. show the list of DNS servers being used):

resolvectl status

To resolve a name manually (querying for A/AAAA records):

resolvectl query gbe0.com

To resolve a specific record type, e.g. TXT:

resolvectl query --type=txt gbe0.com

Show resolver statistics (cache, DNSSEC statistics):

resolvectl statistics

Further Reading
