Troubleshooting DNS Leaks on a Small Linux Server with systemd-resolved

Introduction to DNS Leaks

I’ve seen DNS leaks undermine even carefully secured Linux setups - it’s a common issue, and it exposes which hosts your system talks to. When running a small Linux server, ensuring the security and integrity of your DNS setup is crucial. A DNS leak occurs when your system sends DNS queries to a DNS server other than the one you intended (for example, your ISP’s resolver instead of the one behind your VPN), revealing the names you look up and therefore, potentially, your browsing history. In this article, we’ll focus on troubleshooting DNS leaks on a small Linux server using systemd-resolved.

Understanding systemd-resolved

systemd-resolved is the DNS resolver component of the systemd suite. It provides a caching DNS resolver and an LLMNR (Link-Local Multicast Name Resolution) resolver. When enabled, systemd-resolved acts as a local DNS resolver for the host, caching responses and reducing the load on upstream DNS servers. To check whether systemd-resolved is running on your system, use the following command:

systemctl status systemd-resolved

If systemd-resolved is not enabled, you can enable it using:

sudo systemctl enable --now systemd-resolved

Don’t bother with manual configuration unless you have a specific reason to do so - the defaults usually work just fine.

Configuring systemd-resolved

To configure systemd-resolved, edit the /etc/systemd/resolved.conf file. This file contains the options that control the behavior of systemd-resolved. For example, you can specify the DNS servers to use by adding the following lines (restart the service with sudo systemctl restart systemd-resolved afterwards so the change takes effect):

[Resolve]
DNS=8.8.8.8 8.8.4.4

In this example, we are using Google’s public DNS servers. You can replace these with your preferred DNS servers. I usually start with a reputable DNS service that supports DNS over TLS (DoT) or DNS over HTTPS (DoH); the same file accepts DNSOverTLS=yes to require encrypted transport to the servers listed there. Note that DNS= sets the global servers only: per-link servers learned via DHCP or set by your network manager are used alongside them, so check each link’s servers with resolvectl status as well, since a link that quietly picks up your ISP’s resolver is a classic leak source.

Identifying DNS Leaks

To identify DNS leaks, you can use online tools such as dnsleaktest.com or ipleak.net. These tools perform a series of lookups and report which resolvers actually answered them. You can also use the dig command to test your DNS setup locally:

dig example.com

This command performs a DNS lookup for the specified domain and displays the answer. The SERVER: line near the bottom of the output shows which resolver answered: with systemd-resolved’s stub listener active this is 127.0.0.53, meaning the query went through systemd-resolved (resolvectl status shows which upstream servers it forwarded to), while any other address means the query bypassed it. The real trick is to test your DNS setup regularly to catch any potential issues.

Troubleshooting DNS Leaks

If you have identified a DNS leak, there are several steps you can take to troubleshoot the issue. First, check your network configuration to ensure that you are not using an unintended DNS server. You can check your network configuration using the following command:

ip addr show

This command will display your network configuration, including the DNS servers being used. In practice, this is where people usually get burned - a misconfigured network setup can lead to DNS leaks.

Next, check your systemd-resolved configuration to ensure that it is set up correctly. You can check the systemd-resolved configuration using the following command:

resolvectl status

This command displays the current systemd-resolved configuration: the global DNS servers and the DNS servers used by each link, along with whether DNS over TLS is enabled and which links are marked as the default route for queries. If you are using a VPN (Virtual Private Network), ensure that it is configured to use the correct DNS servers, and that its link shows them here.
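As an added example (not part of the original article), the following POSIX shell script audits resolvectl status output against an allowlist of the resolvers you intend to use, flagging any link that points at a server outside the list, has DNS over TLS disabled, or whose resolv.conf mode lets applications bypass systemd-resolved; the allowlist values and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit "resolvectl status" output.
# ALLOWED lists the resolvers you intend to use (assumed values, replace with yours).
ALLOWED="9.9.9.9 149.112.112.112"

# Constructed sample of "resolvectl status" output: eth0 is clean, tun0 (a VPN
# link) points at a server outside the allowlist and speaks plaintext DNS.
SAMPLE='Global
       Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 3 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.0.2.53
       DNS Servers: 192.0.2.53'

# find_leaks STATUS_TEXT
# Prints one "<link> <finding>" line per problem and returns 1 if any were found:
#   - a DNS server that is not in ALLOWED (the unintended resolver of a leak)
#   - a link whose Protocols line lacks +DNSOverTLS (queries leave in plaintext)
#   - resolv.conf not in stub mode (applications may bypass systemd-resolved)
find_leaks() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Global/              { link = "global" }
        /^Link [0-9]+ \(/      { sub(/^Link [0-9]+ \(/, ""); sub(/\).*/, ""); link = $0 }
        /^ *resolv.conf mode:/ { if ($3 != "stub") { print link, "resolv.conf-mode=" $3; bad = 1 } }
        /^ *Protocols:/        { if ($0 !~ /\+DNSOverTLS/) { print link, "no-DNSOverTLS"; bad = 1 } }
        /^ *DNS Servers:/      { for (i = 3; i <= NF; i++) if (!($i in ok)) { print link, $i; bad = 1 } }
        END { if (bad) exit 1 }'
}

# Run against the sample; on a real server use: find_leaks "$(resolvectl status)"
find_leaks "$SAMPLE" || echo "unexpected DNS configuration found, see lines above"
```

Run it from cron or a monitoring check after VPN or network changes, since that is when a link silently picks up a different resolver.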

Using resolvectl

resolvectl is a command-line tool that allows you to control and configure systemd-resolved. You can use resolvectl to perform various tasks, such as flushing the DNS cache or setting the DNS servers. For example, you can use the following command to flush the DNS cache:

resolvectl flush-caches

You can also use resolvectl to set the DNS servers:

resolvectl dns <interface> <dns-server>

Replace <interface> with the name of your network interface (e.g., eth0) and <dns-server> with the IP address of your DNS server. Note that servers set this way are runtime-only: they are lost when the link is reconfigured (for example by a DHCP renewal or your network manager), so for a permanent fix put them in resolved.conf or in your network manager’s configuration.

Practical Tips

To prevent DNS leaks, follow these practical tips:

  • Use a reputable DNS service that supports DNS over TLS (DoT) or DNS over HTTPS (DoH).
  • Configure your systemd-resolved setup to use the correct DNS servers.
  • Ensure that your network configuration is set up correctly, including the DNS servers.
  • Use a VPN that is configured to use the correct DNS servers.
  • Regularly test your DNS setup to ensure that it is working correctly.

Additional Tools

In addition to systemd-resolved and resolvectl, there are several other tools that you can use to troubleshoot DNS leaks. For example, you can use tcpdump to capture DNS traffic and analyze it:

tcpdump -i any -n -vv -s 0 -c 100 port 53

This command captures the first 100 DNS packets on all interfaces and prints them verbosely. With the stub listener active you will see client queries to 127.0.0.53 on the loopback interface and the forwarded queries from systemd-resolved to your upstream servers; a query leaving a non-loopback interface towards a server you did not configure is the leak. Bear in mind that port 53 matches only plaintext DNS: DoT uses port 853 and DoH travels inside ordinary HTTPS on port 443, so extend the filter (e.g., port 53 or port 853) when you expect encrypted resolver traffic. You can also use Wireshark to analyze DNS traffic.
