systemd-resolved uses 192.168.0.1 instead of the server I have chosen, why? and how to make it use 1.1.1.1, 8.8.8.8?
$ cat /etc/systemd/resolved.conf
[Resolve]
DNSOverTLS=opportunistic
DNS=1.1.1.1 8.8.8.8
LLMNR=no
MulticastDNS=no
FallbackDNS=
$ resolvectl status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
                      8.8.8.8
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test
Link 3 (wlp0s20f0u5)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 192.168.0.1
         DNS Servers: 192.168.0.1
          DNS Domain: ~.
Link 2 (enp2s0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
$ cat /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
$ cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0
$ sudo ss -plunt
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=5897,fd=12))
udp UNCONN 0 0 192.168.0.103%wlp0s20f0u5:68 0.0.0.0:* users:(("NetworkManager",pid=494,fd=18))
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=5897,fd=13))
I do not use systemd-networkd, only NetworkManager.
Tbf, it actually looks like it is configured correctly/the recommended way; the stub-resolv.conf you have it linked to right now (from what I can tell by the contents (EDIT: confirmed in the next post)) is the local systemd-resolved DNS listener that forwards on to whatever you configured as upstream DNS for systemd-resolved.
So if you're fine with going through the local listener instead of directly to the upstream DNS, you should be able to leave it as is.
Otherwise:
https://wiki.archlinux.org/index.php/Ne … d-resolved
So either make sure /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf or set systemd-networkd as the dns=value in the NetworkManager config.
Last edited by Omar007 (2019-08-02 12:27:18)
ls -lh /etc/resolv.conf
lrwxrwxrwx 1 root root 37 авг 2 14:22 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
Read up on the modes of operation here and decide if you are fine with the local listener or not.
https://jlk.fjfi.cvut.cz/arch/manpages/ … OLV_&.CONF
EDIT: Actually, reading up on the config file you're using to set the upstream DNS, this only works in stub-resolv.conf setups.
So you should not make any changes to systemd-resolved!
systemd-resolved is already running as it should. Instead, remove the NetworkManager DNS override or set it to systemd-resolved.
Last edited by Omar007 (2019-08-02 12:33:33)
It seems "dns = none" does not completely remove the DNS management, I set "Automatic (DHCP) addresses only" in the settings for all connections and now everything works as I intended:
$ resolvectl dns
Global: 1.1.1.1 8.8.8.8
Link 3 (wlp0s20f0u5):
Link 2 (enp2s0):
I guess that is also a way, though I'm not sure what other things that impacts. Afaik that is basically just telling NetworkManager to only accept addresses from the DHCP server and not the other DHCP options (DNS is not the only other option DHCP can send so I don't know what is and isn't included when you set this).
The thing is, you shouldn't want to 'disable' DNS in NetworkManager. You want it to use the correct type. There are 2 ways to let that happen:
1) Do not set dns=none (or any other value) and let it auto-detect. In your case it will detect systemd-resolved due to the /etc/resolv.conf symlink
2) If you really want to explicitly set it, set it to the proper value. In your case, dns=systemd-resolved
Last edited by Omar007 (2019-08-02 15:18:35)
If you let networkmanager set DNS servers via DHCP, then systemd-resolved will use those instead of the global configuration which is not good if you want to use DNS over TLS.
Edit: Still, I suggest not using systemd-resolved if you want DoT. It will silently fall back to unencrypted DNS if it fails to establish an encrypted connection. You can use stubby for DoT or dnscrypt-proxy for DoH and dnscrypt instead.
Last edited by progandy (2019-08-02 16:10:42)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
AFAIK even with main.dns=none, NetworkManager will send DNS configuration to systemd-resolved due to the main.systemd-resolved=true setting. Try disabling it (see example .conf in https://wiki.archlinux.org/index.php/Ne … _not_found ).
That setting just ensures systemd-resolved is aware of what NetworkManager received from e.g. DHCP. It's still up to your settings and configuration inside systemd-resolved which determine what DNS is eventually used for real.
Furthermore, he's currently blocking the DHCP DNS option and has set dns=none, so he's not receiving any and NetworkManager has nothing to pass on to systemd-resolved atm in the first place.
Both of those are still avoiding the main issue; he wants to use systemd-resolved and right now every setting set is trying to make NetworkManager avoid doing anything with systemd-resolved instead of configuring it properly for systemd-resolved ¯\_(ツ)_/¯
Last edited by Omar007 (2019-08-03 10:20:17)
Omar007, you are not understanding the issue here. vikaig wants to use their own manually configured servers, but as soon as systemd-resolved receives DNS servers from networkmanager, it will use those as well. It is impossible to disable this functionality in systemd-resolved, therefore you have to stop networkmanager from sending server information to systemd-resolved. (Edit: Or set custom DNS servers for each connection in networkmanager, or replace resolved with something else.)
https://jlk.fjfi.cvut.cz/arch/manpages/ … en#OPTIONS
DNS=
A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. DNS requests are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from systemd-networkd.service(8) or set at runtime by external applications.
Last edited by progandy (2019-08-03 11:06:53)
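An added check, not part of the thread: a small script that reads `resolvectl status` output (here a constructed sample modelled on vikaig's post; the function names are assumptions) and lists the per-link servers that resolved queries alongside the Global DNS= list, which is exactly the 192.168.0.1 situation being discussed.

```shell
#!/bin/sh
# Added audit helper (not from the thread): parse `resolvectl status` output
# and list every per-link DNS server that systemd-resolved will query in
# parallel with the Global servers from resolved.conf's DNS= line.
# SAMPLE is a constructed excerpt modelled on the output posted above;
# for a live check replace it with "$(resolvectl status)".
SAMPLE='Global
       LLMNR setting: no
  DNSOverTLS setting: opportunistic
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
                      8.8.8.8
Link 3 (wlp0s20f0u5)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.0.1
         DNS Servers: 192.168.0.1
          DNS Domain: ~.
Link 2 (enp2s0)
      Current Scopes: none
DefaultRoute setting: no'

# Reads status text on stdin, prints one "<scope> <server>" line per server,
# where scope is "Global" or the link's interface name.
dns_servers() {
    awk '
        /^Global/          { scope = "Global"; inlist = 0; next }
        /^Link [0-9]+ \(/   { scope = $3; gsub(/[()]/, "", scope); inlist = 0; next }
        /DNS Servers:/     { sub(/.*DNS Servers:[ \t]*/, ""); print scope, $0; inlist = 1; next }
        inlist && /^[ \t]+[0-9a-zA-Z.:%#_-]+[ \t]*$/ { gsub(/[ \t]/, ""); print scope, $0; next }
        { inlist = 0 }
    '
}

# Per-link servers only. Each of these still receives queries even when
# Global lists 1.1.1.1/8.8.8.8 with DNSOverTLS, so a DHCP-supplied router
# address here means plaintext lookups are still possible.
leaking_links() {
    dns_servers | awk '$1 != "Global"'
}

printf '%s\n' "$SAMPLE" | leaking_links
```

An empty result from `leaking_links` is what vikaig's final `resolvectl dns` output corresponds to: only the Global servers remain.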
If you don't want to use the systemd-resolved functionality then why would you even use systemd-resolved in the first place?
In that case, just get rid of it and set those 2 values hard-coded in /etc/resolv.conf and be done with it.
Omar007, because systemd-resolved supports DNS over TLS
As I said, at the moment it is better to use something else to guarantee an encrypted DNS connection. resolved is vulnerable to downgrade (fixed in v243) and MITM attacks (not completely fixed yet I think). With systemd v243 I guess the security might be good enough.
Edit: Still, I suggest not using systemd-resolved if you want DoT. It will silently fall back to unencrypted DNS if it fails to establish an encrypted connection. You can use stubby for DoT or dnscrypt-proxy for DoH and dnscrypt instead.
Last edited by progandy (2019-08-03 14:28:54)
I do not have serious security requirements; this behavior is quite suitable for me.