Taming Wildcard DNS Queries with systemd-resolved and resolv.conf

Introduction to Wildcard DNS Queries

I’ve worked with Linux systems for years, and I’ve seen wildcard DNS queries go from a useful tool to a potential security risk if not properly configured. With many Linux distributions now using systemd-resolved as the default DNS resolver, it’s time to take a closer look at how to manage wildcard DNS queries. In this article, I’ll share my experience with configuring systemd-resolved and resolv.conf to tame wildcard DNS queries.

Understanding Wildcard DNS Queries

Wildcard DNS queries are used to retrieve all DNS records for a given domain, which can be useful for tasks like DNS zone transfers or getting a list of all subdomains for a domain. However, I’ve seen this go wrong when attackers use wildcard DNS queries to gather information about a domain’s DNS records, making it easier to launch targeted attacks. The real trick is to use these queries carefully and with the right security measures in place.

Configuring systemd-resolved

To configure systemd-resolved for wildcard DNS queries, you’ll need to edit the /etc/systemd/resolved.conf file. For example:

[Resolve]
DNS=192.168.1.1
Domains=example.com

This tells systemd-resolved to use the DNS server at 192.168.1.1 and resolve DNS queries for the example.com domain. Don’t bother with complicated configurations - keep it simple and focused on your specific needs.

Using resolv.conf

While systemd-resolved is the recommended way to configure DNS resolution on modern Linux systems, resolv.conf is still supported for backwards compatibility. To use resolv.conf, add lines that specify the DNS server and the search domain. For example:

nameserver 192.168.1.1
search example.com

This configuration tells the glibc resolver to use the DNS server at 192.168.1.1 and search for DNS records in the example.com domain. In practice, I usually start with systemd-resolved and only use resolv.conf when I need to support older systems.

Security Considerations

When using wildcard DNS queries, security is paramount. This is where people usually get burned - by not limiting which DNS servers can perform wildcard queries. To mitigate this risk, only allow trusted DNS servers to perform these queries. You can do this by configuring your DNS server to only allow queries from trusted IP addresses. For more information on DNS security, check out the systemd-resolved documentation.

Troubleshooting

If you’re having trouble with wildcard DNS queries, there are a few things to check. First, make sure your DNS server is configured to allow wildcard DNS queries. You can test the DNS server using a tool like dig. For example:

dig +short example.com

This command retrieves a list of all DNS records for the example.com domain. If it returns an error, it may indicate that the DNS server is not configured correctly.

Best Practices

To get the most out of wildcard DNS queries, follow a few best practices. First, use a secure protocol like DNS over TLS or DNS over HTTPS. You can configure your DNS server to use a secure protocol or use a tool like systemd-resolved. For more information on DNS security, see the DNS Privacy Project.
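The trusted-resolver rule from the Security Considerations section and the DNS over TLS recommendation above can be checked mechanically. The following is an added example, not systemd's or this article's own code: it parses the two configuration formats shown earlier and flags upstream servers outside an assumed allowlist (TRUSTED) as well as a missing or opportunistic DNSOverTLS= setting; the sample configs and the dns.example.com SNI name are constructed.

```python
# Constructed example (not systemd's code): audit the article's two resolver config formats.
TRUSTED = {"192.168.1.1"}  # assumed: the only upstream this host should use

def parse_resolved_conf(text):
    """Key/value pairs from the [Resolve] section; lines starting '#' or ';' are comments."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Resolve" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def parse_resolv_conf(text):
    """Nameservers and search list from a glibc resolv.conf."""
    servers, search = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) > 1 and parts[0] == "nameserver":
            servers.append(parts[1])
        elif parts and parts[0] in ("search", "domain"):
            search.extend(parts[1:])
    return {"nameserver": servers, "search": search}

def audit(resolved, resolv):
    """Flag untrusted upstreams and missing or unauthenticated DNS over TLS."""
    findings = []
    for entry in resolved.get("DNS", "").split():
        # DNS= entries may carry '%iface' and '#sni' suffixes (':port' is not handled here)
        host = entry.split("#", 1)[0].split("%", 1)[0]
        if host not in TRUSTED:
            findings.append(f"resolved.conf: untrusted upstream {host}")
    for srv in resolv["nameserver"]:
        if srv not in TRUSTED:
            findings.append(f"resolv.conf: untrusted nameserver {srv}")
    mode = resolved.get("DNSOverTLS", "no")  # systemd's default is "no"
    if mode in ("no", "false", "0", "off"):
        findings.append("resolved.conf: DNSOverTLS is not enabled")
    elif mode == "opportunistic":
        findings.append("resolved.conf: DNSOverTLS is opportunistic, not authenticated")
    return findings

# Constructed inputs: the article's configs, and a hardened resolved.conf with DoT.
ARTICLE_RESOLVED = "[Resolve]\nDNS=192.168.1.1\nDomains=example.com\n"
ARTICLE_RESOLV = "nameserver 192.168.1.1\nsearch example.com\n"
HARDENED_RESOLVED = "[Resolve]\nDNS=192.168.1.1#dns.example.com\nDomains=example.com\nDNSOverTLS=yes\n"
```

Run it against the real files with open("/etc/systemd/resolved.conf").read() and open("/etc/resolv.conf").read() after adjusting TRUSTED to your own resolvers.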

Further Reading

Wildcard DNS queries can be a powerful tool, but they require careful configuration and security considerations. By using systemd-resolved and resolv.conf, you can configure wildcard DNS queries to meet your needs. For more information, check out the systemd-resolved documentation and the DNS Privacy Project. You can also find more information on Linux networking and security on the Arch Linux wiki.
