#1 2019-08-02 11:46:08

vikaig
Member
Registered: 2019-05-19
Posts: 7

systemd-resolved: How to set DNS servers?

systemd-resolved uses 192.168.0.1 instead of the server I have chosen. Why? And how do I make it use 1.1.1.1, 8.8.8.8?

$ cat /etc/systemd/resolved.conf
[Resolve]
DNSOverTLS=opportunistic
DNS=1.1.1.1 8.8.8.8
LLMNR=no
MulticastDNS=no
FallbackDNS=

$ resolvectl status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
                      8.8.8.8
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 3 (wlp0s20f0u5)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 192.168.0.1
         DNS Servers: 192.168.0.1
          DNS Domain: ~.

Link 2 (enp2s0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes

$ cat /etc/NetworkManager/NetworkManager.conf
[main]
dns=none

$ cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0

$ sudo ss -plunt
Netid State   Recv-Q  Send-Q               Local Address:Port   Peer Address:Port                                             
udp   UNCONN  0       0                    127.0.0.53%lo:53          0.0.0.0:*     users:(("systemd-resolve",pid=5897,fd=12)) 
udp   UNCONN  0       0        192.168.0.103%wlp0s20f0u5:68          0.0.0.0:*     users:(("NetworkManager",pid=494,fd=18))   
tcp   LISTEN  0       128                  127.0.0.53%lo:53          0.0.0.0:*     users:(("systemd-resolve",pid=5897,fd=13))

I do not use systemd-networkd, only NetworkManager

Offline

#2 2019-08-02 12:15:13

Omar007
Member
Registered: 2015-04-09
Posts: 368

Re: systemd-resolved: How to set DNS servers?

Tbf, it actually looks like it is configured correctly/the recommended way; the stub-resolv.conf you have it linked to right now (from what I can tell by the contents (EDIT: confirmed in the next post)) is the local systemd-resolved DNS listener that forwards on to whatever you configured as upstream DNS for systemd-resolved.
So if you're fine with going through the local listener instead of directly to the upstream DNS, you should be able to leave it as is.

Otherwise:
https://wiki.archlinux.org/index.php/Ne … d-resolved
So either make sure /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf or set systemd-networkd as the dns=value in the NetworkManager config.

Last edited by Omar007 (2019-08-02 12:27:18)

Offline

#3 2019-08-02 12:21:27

vikaig
Member
Registered: 2019-05-19
Posts: 7

Re: systemd-resolved: How to set DNS servers?

ls -lh /etc/resolv.conf
lrwxrwxrwx 1 root root 37 авг  2 14:22 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

Offline

#4 2019-08-02 12:23:38

Omar007
Member
Registered: 2015-04-09
Posts: 368

Re: systemd-resolved: How to set DNS servers?

Read up on the modes of operation here and decide if you are fine with the local listener or not.
https://jlk.fjfi.cvut.cz/arch/manpages/ … OLV_&.CONF

EDIT: Actually, reading up on the config file you're using to set the upstream DNS, this only works in stub-resolv.conf setups.
So you should not make any changes to systemd-resolved!
systemd-resolved is already running as it should. Instead, remove the NetworkManager DNS override or set it to systemd-resolved.

Last edited by Omar007 (2019-08-02 12:33:33)

Offline

#5 2019-08-02 12:44:44

vikaig
Member
Registered: 2019-05-19
Posts: 7

Re: systemd-resolved: How to set DNS servers?

It seems "dns = none" does not completely remove the DNS management. I set "Automatic (DHCP) addresses only" in the settings for all connections and now everything works as I intended:

$ resolvectl dns
Global: 1.1.1.1 8.8.8.8
Link 3 (wlp0s20f0u5):
Link 2 (enp2s0):

Offline

#6 2019-08-02 15:17:25

Omar007
Member
Registered: 2015-04-09
Posts: 368

Re: systemd-resolved: How to set DNS servers?

I guess that is also a way, though I'm not sure what other things that impacts. Afaik that is basically just telling NetworkManager to only accept addresses from the DHCP server and not the other DHCP options (DNS is not the only other option DHCP can send so I don't know what is and isn't included when you set this).

The thing is, you shouldn't want to 'disable' DNS in NetworkManager. You want it to use the correct type. There are 2 ways to let that happen:
1) Do not set dns=none (or any other value) and let it auto-detect. In your case it will detect systemd-resolved due to the /etc/resolv.conf symlink
2) If you really want to explicitly set it, set it to the proper value. In your case, dns=systemd-resolved

Last edited by Omar007 (2019-08-02 15:18:35)

Offline

#7 2019-08-02 16:04:23

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: systemd-resolved: How to set DNS servers?

If you let networkmanager set DNS servers via DHCP, then systemd-resolved will use those instead of the global configuration which is not good if you want to use DNS over TLS.

Edit: Still, I suggest not using systemd-resolved if you want DoT. It will silently fall back to unencrypted DNS if it fails to establish an encrypted connection. You can use stubby for DoT or dnscrypt-proxy for DoH and dnscrypt instead.

Last edited by progandy (2019-08-02 16:10:42)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#8 2019-08-02 19:24:31

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 592

Re: systemd-resolved: How to set DNS servers?

AFAIK even with main.dns=none, NetworkManager will send DNS configuration to systemd-resolved due to the main.systemd-resolved=true setting. Try disabling it (see example .conf in https://wiki.archlinux.org/index.php/Ne … _not_found ).

Offline

#9 2019-08-03 10:10:16

Omar007
Member
Registered: 2015-04-09
Posts: 368

Re: systemd-resolved: How to set DNS servers?

That setting just ensures systemd-resolved is aware of what NetworkManager received from e.g. DHCP. It's still up to your settings and configuration inside systemd-resolved which determine what DNS is eventually used for real.
Furthermore, he's currently blocking the DHCP DNS option and set dns=none so he's not receiving any and NetworkManager has nothing to be passed on to systemd-resolved atm in the first place.

Both of those are still avoiding the main issue; he wants to use systemd-resolved and right now every setting set is trying to make NetworkManager avoid doing anything with systemd-resolved instead of configuring it properly for systemd-resolved ¯\_(ツ)_/¯

Last edited by Omar007 (2019-08-03 10:20:17)

Offline

#10 2019-08-03 10:55:46

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: systemd-resolved: How to set DNS servers?

Omar007, you are not understanding the issue here. vikaig wants to use their own manually configured servers, but as soon as systemd-resolved receives DNS servers from networkmanager, it will use those as well. It is impossible to disable this functionality in systemd-resolved, therefore you have to stop networkmanager from sending server information to systemd-resolved. (Edit: Or set custom DNS servers for each connection in networkmanager or replace resolved with something else)

https://jlk.fjfi.cvut.cz/arch/manpages/ … en#OPTIONS

       DNS=
           A space-separated list of IPv4 and IPv6 addresses to use as system
           DNS servers. DNS requests are sent to one of the listed DNS servers
           in parallel to suitable per-link DNS servers acquired from systemd-
           networkd.service(8) or set at runtime by external applications.

Last edited by progandy (2019-08-03 11:06:53)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#11 2019-08-03 11:29:22

Omar007
Member
Registered: 2015-04-09
Posts: 368

Re: systemd-resolved: How to set DNS servers?

If you don't want to use the systemd-resolved functionality then why would you even use systemd-resolved in the first place?
In that case, just get rid of it and set those 2 values hard-coded in /etc/resolv.conf and be done with it.

Offline

#12 2019-08-03 14:09:01

vikaig
Member
Registered: 2019-05-19
Posts: 7

Re: systemd-resolved: How to set DNS servers?

Omar007, because systemd-resolved supports DNS over TLS

Offline

#13 2019-08-03 14:21:02

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: systemd-resolved: How to set DNS servers?

As I said, at the moment it is better to use something else to guarantee an encrypted DNS connection. resolved is vulnerable to downgrade (fixed in v243) and MITM attacks (not completely fixed yet I think). With systemd v243 I guess the security might be good enough.

progandy wrote:

Edit: Still, I suggest not using systemd-resolved if you want DoT. It will silently fall back to unencrypted DNS if it fails to establish an encrypted connection. You can use stubby for DoT or dnscrypt-proxy for DoH and dnscrypt instead.

Last edited by progandy (2019-08-03 14:28:54)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
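
An added example, not written by any poster in this thread: a shell check for the two conditions discussed in posts #7, #10 and #13, namely a per-link DNS server that systemd-resolved uses besides the global DNS= list, and a DNSOverTLS setting of opportunistic on a scope that has servers. It assumes the `resolvectl status` layout shown in post #1; the function names `sample_status` and `audit_resolved` and the trimmed sample are constructed here.

```shell
# Constructed sample, trimmed from the output layout shown in post #1.
sample_status() {
cat <<'EOF'
Global
  DNSOverTLS setting: opportunistic
         DNS Servers: 1.1.1.1
                      8.8.8.8
          DNSSEC NTA: 10.in-addr.arpa

Link 3 (wlp0s20f0u5)
      Current Scopes: DNS
  DNSOverTLS setting: opportunistic
         DNS Servers: 192.168.0.1
          DNS Domain: ~.

Link 2 (enp2s0)
      Current Scopes: none
  DNSOverTLS setting: opportunistic
EOF
}

# Reads status text on stdin and prints one finding per line:
#   LINK_DNS <link> <server>  per-link server used besides the global DNS= list
#   DOT_FALLBACK <scope>      scope with DNS servers and opportunistic DoT
audit_resolved() {
    awk '
        /^Global/  { scope = "Global"; key = ""; next }
        /^Link /   { scope = $3; gsub(/[()]/, "", scope); key = ""; next }
        /^[ \t]*$/ { key = ""; next }
        {
            val = $0
            if (index(val, ": ") > 0) {      # "key: value" line
                key = val; sub(/: .*/, "", key); sub(/^[ \t]+/, "", key)
                sub(/^[^:]*: /, "", val)
            }                                # else: continuation of last key
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "DNSOverTLS setting") dot[scope] = val
            if (key == "DNS Servers") {
                if (!(scope in seen)) { seen[scope] = 1; order[++n] = scope }
                if (scope != "Global") print "LINK_DNS", scope, val
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (dot[order[i]] == "opportunistic") print "DOT_FALLBACK", order[i]
        }
    '
}
sample_status | audit_resolved   # on a live system: resolvectl status | audit_resolved
```

No LINK_DNS lines corresponds to the state vikaig reaches in post #5, where `resolvectl dns` lists servers only under Global.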

#14 2019-08-03 14:28:09

vikaig
Member
Registered: 2019-05-19
Posts: 7

Re: systemd-resolved: How to set DNS servers?

I do not have serious security requirements; this behavior is quite suitable for me.

Offline
