Introduction to systemd-resolved
I’ve been working with Linux systems for years, and one thing that’s become increasingly important is DNS resolution. systemd-resolved is a DNS resolver component of the systemd suite, designed to provide a flexible and secure way to resolve domain names on Linux systems. As of 2026, it’s become a crucial part of many Linux distributions, including Ubuntu, Debian, and Fedora. However, its default configuration may not be suitable for all users, especially those who require more control over their DNS setup.
Understanding systemd-resolved Configuration
The real trick is to understand how to configure systemd-resolved to meet your needs. The configuration is stored in the /etc/systemd/resolved.conf file, which contains various options that can be used to customize the behavior of the resolver. For example, you can specify the DNS servers to use, the DNSSEC validation mode, and the cache size. To edit the configuration file, I usually start with a text editor like nano or vim:
sudo nano /etc/systemd/resolved.conf
One important option is the DNS parameter, which specifies the DNS servers to use. By default, systemd-resolved uses the DNS servers provided by the DHCP server or the ones specified in the /etc/resolv.conf file. However, you can override this behavior by specifying a list of DNS servers in the DNS parameter. For instance:
[Resolve]
DNS=1.1.1.1 8.8.8.8
This configuration tells systemd-resolved to use Cloudflare’s DNS server (1.1.1.1) and Google’s DNS server (8.8.8.8) instead of the default ones.
DNSSEC Validation
DNSSEC (Domain Name System Security Extensions) is a set of extensions to the DNS protocol that provide authentication and integrity for DNS data. systemd-resolved supports DNSSEC validation, which can be enabled by setting the DNSSEC parameter to yes:
[Resolve]
DNSSEC=yes
However, this is where people usually get burned: DNSSEC validation can break resolution through DNS servers that do not support DNSSEC. If you experience issues with DNS resolution after enabling DNSSEC validation, you may need to disable it or use a different DNS server.
Cache Size and TTL
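Don’t expect resolved.conf to expose a cache size or TTL (time to live) setting if you’re looking to tune performance. systemd-resolved sizes its cache internally and keeps each record for the TTL the DNS server returned with it; keys such as CacheSize or TTL are not defined for the [Resolve] section and are ignored with a warning in the journal. What you can control is whether answers are cached at all, with the Cache parameter, and, on systemd 254 and later, how long a record may be kept past its TTL, with the StaleRetentionSec parameter:
[Resolve]
Cache=yes
StaleRetentionSec=300
This configuration keeps caching enabled and lets the resolver answer from a record for up to 300 seconds (5 minutes) after its TTL has expired, which helps when the upstream DNS server is unreachable.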
Troubleshooting systemd-resolved
If you experience issues with systemd-resolved, the resolvectl command (named systemd-resolve in older systemd releases) is your friend. You can use the status command to display the current status of the resolver:
resolvectl status
This command displays information about the current DNS servers, cache size, and DNSSEC validation mode. You can also use the query command to perform a DNS query:
resolvectl query example.com
This command performs a DNS query for the example.com domain and displays the result.
Security Considerations
From a security perspective, it’s essential to ensure that your DNS setup is secure and private. One way to achieve this is by using a DNS server that supports DNS over TLS (DoT) or DNS over HTTPS (DoH). Of the two, systemd-resolved implements DoT, which is enabled by setting the DNSOverTLS parameter; resolved.conf has no DNSOverHTTPS parameter:
[Resolve]
DNSOverTLS=yes
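This configuration enables DoT for the resolver. You can also specify a custom DoT server by setting the DNS parameter. The part after # is the server name that the TLS certificate is checked against, not a port; DoT already uses port 853 by default:
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
This configuration tells systemd-resolved to use Cloudflare’s DoT server (1.1.1.1, validated as cloudflare-dns.com) instead of the default DNS server.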
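To check a resolved.conf against the points above, here is an added example (not code from the original post or from the systemd project) that lints the [Resolve] section for keys the resolver does not define, for DoT modes that can fall back to cleartext, and for DNS entries without a usable server name after #. The function names and the sample configuration are constructed for illustration, and the key list assumes the keys documented in resolved.conf(5).

```python
import ipaddress

# Keys resolved.conf(5) defines for [Resolve]; StaleRetentionSec needs systemd 254+.
KNOWN_KEYS = set("""DNS FallbackDNS Domains DNSSEC DNSOverTLS MulticastDNS LLMNR
Cache CacheFromLocalhost DNSStubListener DNSStubListenerExtra ReadEtcHosts
ResolveUnicastSingleLabel StaleRetentionSec""".split())

def parse_server(spec):
    """Split address[:port][%ifname][#servername] into (address, port, name)."""
    spec, _, name = spec.partition("#")
    spec, port = spec.partition("%")[0], None
    if spec.startswith("["):                      # [IPv6]:port
        spec, _, rest = spec[1:].partition("]")
        port = rest.lstrip(":") or None
    elif spec.count(":") == 1:                    # IPv4:port
        spec, _, port = spec.partition(":")
    ipaddress.ip_address(spec)                    # ValueError if not an IP address
    return spec, int(port) if port else None, name or None

def audit(text):
    """Return findings for the [Resolve] section of a resolved.conf."""
    findings, settings, section = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Resolve" and "=" in line and line[0] not in "#;":
            key, _, value = (part.strip() for part in line.partition("="))
            if key in KNOWN_KEYS:
                settings.setdefault(key, []).extend(value.split())
            else:
                findings.append(f"{key}: unknown key, ignored by systemd-resolved")
    dot = settings.get("DNSOverTLS", ["no"])[-1].lower()
    if dot != "yes":
        findings.append(f"DNSOverTLS={dot}: queries may be sent in cleartext")
    for spec in settings.get("DNS", []):
        try:
            name = parse_server(spec)[2]
            if dot != "no" and (name is None or name.isdigit()):
                findings.append(f"DNS={spec}: no server name after # to validate the certificate")
        except ValueError:
            findings.append(f"DNS={spec}: not a valid address[:port]")
    return findings

SAMPLE = """[Resolve]
DNS=1.1.1.1#853 9.9.9.9:853#dns.quad9.net
DNSOverHTTPS=yes
DNSOverTLS=opportunistic
"""  # constructed sample, not taken from a real host
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample it reports three findings: the ignored DNSOverHTTPS key, the opportunistic DoT mode, and the 1.1.1.1#853 entry whose "server name" is really a port number.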
For more information on systemd-resolved, you can visit the systemd.io website or the freedesktop.org wiki page.