#1 Yesterday 19:13:41

KlikyBit
Member
Registered: 2024-10-01
Posts: 7

Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved

The DNS I am using has problems loading YouTube for whatever reason, so I'd like to set YouTube (and any other domains that happen to have an issue) to use a different DNS while still using my current DNS for everything else.

systemd-resolved seems like it may not support this based on what I've read here along with other linked issues and various other forum threads. I tried setting up the dummy link as they described but couldn't get it to work. YouTube still wouldn't load properly and the dummy link didn't seem to do anything. However, I also don't really know what I'm doing when it comes to networking and such. The workaround might just not work anymore at all.

It is mentioned that dnsmasq supports this kind of per-domain routing, but I'd rather stick with systemd-resolved because according to the wiki, dnsmasq does not support DNS over TLS, which I'd like to use. I'd also prefer not to have to port over all my existing config and learn how to use a different tool.

I'm using iwd (no NetworkManager) and systemd-resolved.

My current output from "resolvectl status" is:

Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 194.242.2.4#base.dns.mullvad.net
         DNS Servers: 194.242.2.4#base.dns.mullvad.net
Fallback DNS Servers: [...]
          DNS Domain: ~.

Link 3 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: [...]
       DNS Servers: [...]
        DNS Domain: [...]

Any help to achieve domain based DNS routing would be much appreciated. Thanks!

#2 Today 05:53:55

-thc
Member
Registered: 2017-03-15
Posts: 611

Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved

The changes to systemd-resolved that allow this are very recent (9/11/2024). You can define delegate scopes via "/etc/systemd/dns-delegate/*.conf" drop-in files. These contain DNS= and Domains= lines, resolving those domains via those DNS servers. I don't know if these changes are published yet.

The Mullvad DNS server is not public. It cannot be reached outside the Mullvad VPN:

[thc@box ~]$ drill dns.google @194.242.2.4
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 8310
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; dns.google.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 256 msec
;; SERVER: 194.242.2.4
;; WHEN: Wed Oct 16 07:24:46 2024
;; MSG SIZE  rcvd: 28

This means you may drop DNS over TLS - its main reason is that you don't trust your internet provider and/or the authorities eavesdropping on your DNS queries. Since you have to trust Mullvad completely, it's a non-issue inside the Mullvad VPN.
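For readers who want to try the delegate-scope approach -thc describes, here is an added example of such a drop-in file. It is not taken from the post or from the systemd project: the "[Delegate]" section header, the file name, the resolver address (192.0.2.53 is a documentation placeholder, not a real server) and the list of YouTube-related domains are all assumptions written from the description above, so check them against the systemd.dns-delegate documentation of whatever systemd version you actually run.

```ini
# /etc/systemd/dns-delegate/youtube.conf
# Added example of a systemd-resolved delegate scope, written from the
# description in the post above. The [Delegate] section name and the file
# name are assumptions, not verified against a released systemd version.
[Delegate]
# Resolver used only for the domains listed below. 192.0.2.53 is a
# documentation placeholder; replace it with a resolver you can reach
# from wherever the queries leave your machine (inside the VPN, a
# Mullvad-only address works; outside it, it would be REFUSED as shown
# by the drill output above). The "#hostname" suffix is the usual
# systemd-resolved syntax for the DNS-over-TLS certificate name; drop
# it if you follow the advice above and run without DoT.
DNS=192.0.2.53#dns.example.net
# The leading "~" marks these as routing-only domains: queries for names
# under them are sent to the DNS= server above, but the names are not
# appended to unqualified hostnames as search domains. Without the "~"
# they would additionally act as search domains, which you don't want.
# YouTube pages and video streams are served from more than one domain,
# so more than youtube.com itself is listed here (assumed list).
Domains=~youtube.com ~googlevideo.com ~ytimg.com
```

After creating the file, restart systemd-resolved (systemctl restart systemd-resolved) and test with "resolvectl query youtube.com". Bear in mind the caveat in the post: on a systemd version that predates this feature the directory is simply ignored, so a file that appears to do nothing is not proof that the syntax is wrong.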
