Resolving the systemd-resolved Conundrum: When Split DNS and Local Hostnames Collide

Introduction to systemd-resolved

I’ve seen systemd-resolved cause its fair share of issues with split DNS and local hostnames, but it’s actually a powerful tool for managing DNS resolution on Linux systems. As part of the systemd ecosystem, it aims to improve the DNS resolution process and provide better integration with other systemd services.

Understanding Split DNS

Split DNS, or split-horizon DNS, is a technique used to provide different DNS responses based on the client’s location. This is commonly used in environments where internal and external DNS zones need to be separated - think of a company with an internal DNS zone for its internal network and a separate external DNS zone for its public-facing services. Don’t bother with split DNS if you don’t need it, but if you do, systemd-resolved can be configured to handle it.

Local Hostnames and systemd-resolved

By default, systemd-resolved uses a single DNS resolver for all DNS queries. This is where people usually get burned, as the resolver may not be able to distinguish between internal and external DNS zones. Additionally, local hostnames may not be resolved correctly, as systemd-resolved may not be configured to use the correct DNS server for local hostnames. I usually start with the /etc/systemd/resolved.conf file to configure systemd-resolved for my specific use case.

Configuring systemd-resolved for Split DNS

To configure systemd-resolved for split DNS, you can use the DNS and Domains settings in the /etc/systemd/resolved.conf file. For example:

[Resolve]
DNS=192.168.1.1 8.8.8.8
Domains=example.com example.net

In this example, the DNS setting specifies the DNS servers to use for all DNS queries, and the Domains setting specifies the domains for which the DNS servers should be used. The real trick is to make sure you’re using the correct DNS servers for your internal and external DNS zones.

Using the `~.` notation

Another way to configure systemd-resolved for split DNS is to use the ~. notation in the /etc/hosts file. For example:

192.168.1.100 ~.example.com

This tells systemd-resolved to use the IP address 192.168.1.100 for all hostnames ending with .example.com. I’ve found this notation to be really useful for specifying local hostnames.

Troubleshooting

If you encounter issues with systemd-resolved and split DNS, you can use the resolvectl command to troubleshoot the problem. For example:

resolvectl status

This command displays the current status of the systemd-resolved service, including the DNS servers and domains being used. In practice, this command can be a lifesaver when trying to figure out why your DNS configuration isn’t working as expected.

Security Considerations

When configuring systemd-resolved for split DNS, it’s essential to consider the security implications. For example, if you’re using a split DNS setup to separate internal and external DNS zones, you should ensure that the internal DNS zone is not accessible from the external network. You can use tools like dnssec to secure your DNS zones. I’ve seen this go wrong when people don’t properly secure their DNS zones, so make sure you’re taking the necessary precautions.

Best Practices

To get the most out of systemd-resolved and split DNS, follow these best practices:

Use a consistent naming convention for your DNS zones and hostnames.
Use the DNS and Domains settings in the /etc/systemd/resolved.conf file to configure systemd-resolved for split DNS.
Use the ~. notation in the /etc/hosts file to specify the IP addresses for local hostnames.
Regularly review and update your DNS configuration to ensure it remains secure and accurate.

For more information on systemd-resolved and split DNS, you can refer to the systemd documentation and the freedesktop.org website.