When systemd-resolved Takes Over: Taming DNS Surprises with resolv.conf and Stub Resolvers

Introduction to systemd-resolved

I’ve seen DNS go wrong when people upgrade to a modern Linux distribution and suddenly find that their DNS settings aren’t working as expected. This happens because systemd-resolved has taken over DNS resolution, and managing it is different from the old way of editing /etc/resolv.conf directly. In this article, we’ll explore how to work with systemd-resolved and manage DNS settings effectively.

Understanding systemd-resolved

systemd-resolved is part of the systemd suite, and it’s designed to provide a robust and flexible way to manage DNS resolution on Linux systems. The real trick is that it acts as a stub resolver: it doesn’t perform the actual DNS lookups itself but instead forwards requests to an upstream DNS resolver. This approach allows for better integration with the system’s networking stack and provides features like DNSSEC validation and caching.

Configuring DNS with systemd-resolved

To configure DNS settings with systemd-resolved, you can modify the /etc/systemd/resolved.conf file. For example, to set a custom DNS server, you can add the following lines:

[Resolve]
DNS=1.1.1.1 8.8.8.8

Don’t edit /etc/resolv.conf directly: when systemd-resolved manages that file, it overwrites any changes. After making changes to resolved.conf, you need to restart the systemd-resolved service to apply them:

sudo systemctl restart systemd-resolved

You can also use the resolvectl command to manage DNS settings. For instance, to set a custom DNS server for a specific interface, you can use:

resolvectl dns enp0s3 1.1.1.1 8.8.8.8

Just replace enp0s3 with the actual name of your network interface.

Managing /etc/resolv.conf

This is where people usually get burned: trying to edit /etc/resolv.conf directly. When systemd-resolved is enabled, the /etc/resolv.conf file is managed by the system, so it’s best to create a drop-in configuration file in /etc/systemd/resolved.conf.d/ to override the default settings. I usually start by creating a file called custom.conf with the following contents:

[Resolve]
DNS=1.1.1.1 8.8.8.8

This will override the default DNS settings without modifying the main resolved.conf file.
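
Before changing anything, it helps to know who actually owns /etc/resolv.conf on the machine. The script below is an added example, not part of the original article: it classifies the file by its symlink target, using the paths documented in systemd-resolved(8) and the stub listener address 127.0.0.53, and the function names are made up for this illustration.

```sh
#!/bin/sh
# Added example (not from the article): report who manages a resolv.conf file.
# The symlink targets below are the ones documented in systemd-resolved(8).

# Print one of: stub, uplink, static-stub, foreign-symlink, foreign-file, missing.
resolv_conf_mode() (
    path="${1:-/etc/resolv.conf}"
    if [ -L "$path" ]; then
        # Look one level deep; the link is often relative (../run/systemd/...).
        case "$(readlink "$path")" in
            */run/systemd/resolve/stub-resolv.conf) echo stub ;;
            */run/systemd/resolve/resolv.conf)      echo uplink ;;
            */usr/lib/systemd/resolv.conf)          echo static-stub ;;
            *)                                      echo foreign-symlink ;;
        esac
    elif [ -e "$path" ]; then
        echo foreign-file      # regular file: resolved does not generate it
    else
        echo missing
    fi
)

# Print the nameserver addresses the file lists, one per line.
resolv_conf_nameservers() {
    [ -r "${1:-/etc/resolv.conf}" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Succeed if lookups go through the local stub listener at 127.0.0.53.
resolv_conf_uses_stub() {
    resolv_conf_nameservers "$1" | grep -qx '127\.0\.0\.53'
}

# One-line guidance on where DNS changes belong for this file.
resolv_conf_advice() {
    case "$(resolv_conf_mode "$1")" in
        stub|uplink) echo "generated by systemd-resolved; edit resolved.conf or a drop-in" ;;
        static-stub) echo "static stub file; set upstream servers in resolved.conf" ;;
        foreign-*)   echo "not generated by systemd-resolved; another tool or the admin owns it" ;;
        missing)     echo "no resolv.conf found" ;;
    esac
}

printf '%s: %s\n' "$(resolv_conf_mode)" "$(resolv_conf_advice)"
```

A result of foreign-file combined with a successful resolv_conf_uses_stub means someone replaced the symlink with a hand-written file that still points at the local stub, which is worth knowing before you debug why resolved.conf changes do or do not take effect.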

Security Considerations

DNS answers feed almost every outbound connection a host makes, so securing your DNS settings is crucial. You can enable DNSSEC validation by adding the following setting to the [Resolve] section of your resolved.conf file:

[Resolve]
DNSSEC=yes

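This will help protect against DNS spoofing attacks. Note that this mode requires upstream DNS servers that support DNSSEC; if they do not, validation fails and lookups return errors. For more information on systemd-resolved and its configuration options, you can refer to the systemd documentation.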

