
#1 2023-03-02 08:42:47

Artyom
Member
Registered: 2017-03-27
Posts: 70

Questions about DNS resolving with systemd-resolved

Hi!

I want to make my DNS resolution as secure and private as possible.
So I installed systemd-resolved and configured it on quad9 servers with DNSSEC and DNS over HTTPS activated.

But I can still see my native network operator DNS on my wifi adapter:

❯ resolvectl status
Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 9.9.9.9#dns.quad9.net
         DNS Servers: 9.9.9.9#dns.quad9.net
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google

Link 2 (enp9s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported

Link 3 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.168.1.254
       DNS Servers: 192.168.1.254 fd0f:ee:b0::1

How can I be sure they are not being used instead of the quad9 one?

Also, when doing queries, here is what I can see:

❯ resolvectl query www.quad9.net
www.quad9.net: 216.21.3.77                     -- link: wlan0
               2620:0:871:9000::77             -- link: wlan0

-- Information acquired via protocol DNS in 2.2969s.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network
❯ resolvectl query www.google.fr
www.google.fr: 216.58.213.67                   -- link: wlan0
               2a00:1450:4007:806::2003        -- link: wlan0

-- Information acquired via protocol DNS in 82.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network

From what I understand, the results say that DNS over HTTPS is working but the data seems not to be authenticated by DNSSEC. Or maybe I understand it wrongly?

Thanks in advance for any help on this subject!


#2 2023-03-03 04:17:30

Brocellous
Member
Registered: 2017-11-27
Posts: 161

Re: Questions about DNS resolving with systemd-resolved

Artyom wrote:

So I installed systemd-resolved and configured it on quad9 servers with DNSSEC and DNS over HTTPS activated.

resolved is part of systemd. It's already installed. Also, resolved uses different dns settings per network link, so when you say you "configured it" you should really post what you _actually_ did.

Anyway 192.168.* is presumably your own router. If you don't want to use it as a dns server, either disable dns advertisement in your dhcp server or disable dns in your dhcp client. You may need to disable ipv6ra dns in the server or client as well.

Artyom wrote:

From what I understand, the results say that DNS over HTTPS is working but the data seems not to be authenticated by DNSSEC. Or maybe I understand it wrongly?

No dnssec signature and the query used DNS-over-TLS transport. Resolved doesn't support DoH, only DoT.

Last edited by Brocellous (2023-03-03 04:18:27)

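Added example, not code from the thread: a small POSIX shell script that parses the two resolvectl outputs pasted in post #1 (copied into the script as constants, trimmed of the Fallback lines) and reports what they actually say. `non_global_link_servers` lists every server on a `+DefaultRoute` link that is absent from the Global list, which is exactly the DHCP/RA-supplied pair the question asks about; `query_summary` reduces the `--` trailer of a query to the two separate properties the question conflates, encrypted transport and DNSSEC validation. Function names are mine. Note the trailer's own wording: "local or encrypted transport: yes" is also reported for a resolver on localhost, so by itself it does not prove TLS; the `+DNSOverTLS` flag in the status output and a port 853 capture do.

```shell
#!/bin/sh
# Added example (not from the thread). Parses resolvectl output offline; the two
# samples below are copied from post #1 of the thread.

STATUS_SAMPLE='Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 9.9.9.9#dns.quad9.net
         DNS Servers: 9.9.9.9#dns.quad9.net

Link 2 (enp9s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported

Link 3 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.168.1.254
       DNS Servers: 192.168.1.254 fd0f:ee:b0::1'

QUERY_SAMPLE='www.google.fr: 216.58.213.67                   -- link: wlan0
               2a00:1450:4007:806::2003        -- link: wlan0

-- Information acquired via protocol DNS in 82.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network'

# Read "resolvectl status" on stdin. Print "<link> <server>" for every server on a
# link flagged +DefaultRoute that does not also appear in the Global DNS list,
# i.e. the servers a DHCP client or router advertisement added behind your back.
non_global_link_servers() {
    awk '
        /^Global/            { section = "global"; next }
        /^Link [0-9]+ \(/    { section = $3; gsub(/[()]/, "", section); defroute = 0; next }
        /Protocols:/ && /\+DefaultRoute/ { defroute = 1; next }
        /^ *DNS Servers:/ {
            sub(/^ *DNS Servers: */, "")
            n = split($0, s, " ")
            for (i = 1; i <= n; i++) {
                if (section == "global") gl[s[i]] = 1
                else if (defroute && !(s[i] in gl)) print section " " s[i]
            }
        }
    '
}

# Read "resolvectl query ..." on stdin. Print the two security properties from
# the trailer as separate fields: TLS (or local) transport vs DNSSEC validation.
query_summary() {
    awk -F'; ' '
        BEGIN { enc = "unknown"; auth = "unknown" }
        /^-- Data is authenticated:/ {
            auth = $1; sub(/.*: /, "", auth)
            enc  = $2; sub(/.*: /, "", enc)
        }
        END { printf "encrypted_transport=%s dnssec_validated=%s\n", enc, auth }
    '
}

# Stand-alone run over the samples. On a live system replace the printf with
# "resolvectl status | non_global_link_servers" and
# "resolvectl query example.org | query_summary".
printf '%s\n' "$STATUS_SAMPLE" | non_global_link_servers
printf '%s\n' "$QUERY_SAMPLE"  | query_summary
```

Run against post #1's output it prints `wlan0 192.168.1.254`, `wlan0 fd0f:ee:b0::1` and `encrypted_transport=yes dnssec_validated=no`: the router's servers sit on the only link that carries the default route, and the query's transport was encrypted while its data was not DNSSEC-validated, which is the distinction post #2 draws.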

#3 2023-03-03 18:31:33

6_5_11_9_18
Member
Registered: 2019-06-14
Posts: 4

Re: Questions about DNS resolving with systemd-resolved

Do you use systemd-networkd or NetworkManager (or something else)?

If you do not want to use the DNS Server advertised locally over DHCP you have to disable the functionality to set the per-link DNS Server.
If you use networkd add `UseDNS=false` to the `[DHCP]` section of your networkd config, if you use NetworkManager add the options `dns=none` and `systemd-resolved=false` to the `[main]` section in your NetworkManager config.
Does that fix your problem?


#4 2023-03-07 08:11:35

Artyom
Member
Registered: 2017-03-27
Posts: 70

Re: Questions about DNS resolving with systemd-resolved

Brocellous wrote:
Artyom wrote:

So I installed systemd-resolved and configured it on quad9 servers with DNSSEC and DNS over HTTPS activated.

resolved is part of systemd. It's already installed. Also, resolved uses different dns settings per network link, so when you say you "configured it" you should really post what you _actually_ did.

Anyway 192.168.* is presumably your own router. If you don't want to use it as a dns server, either disable dns advertisement in your dhcp server or disable dns in your dhcp client. You may need to disable ipv6ra dns in the server or client as well.

Artyom wrote:

From what I understand, the results say that DNS over HTTPS is working but the data seems not to be authenticated by DNSSEC. Or maybe I understand it wrongly?

No dnssec signature and the query used DNS-over-TLS transport. Resolved doesn't support DoH, only DoT.

Ok so, to disable local network DNS and only use those I set up, I must disable it in my DHCP client settings?

So no DoH with resolved, noted. Why is DNSSEC not working, since it's advertised as supported on the Quad9 website?

Do you know any way to make DoH work system-wide? DoH seems more adequate for my usage.

Here is my systemd-resolved conf file just in case:

❯ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=9.9.9.9#dns.quad9.net
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

Last edited by Artyom (2023-03-07 08:15:43)

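Added example, not code from the thread: a POSIX shell script that writes the configuration the thread converges on (resolved: Quad9 over DNS-over-TLS with DNSSEC; the DHCP client: do not hand the router's servers to resolved) as drop-in files under a root directory you pass in, then lints the resolved part. It uses the `resolved.conf.d/` drop-in directory that the stock resolved.conf comments in the post above recommend instead of editing the file. File names (`10-quad9-dot.conf`, `90-no-dhcp-dns.conf`), function names and the `wlan0.network` unit name are my choices; for systemd-networkd, current systemd.network(5) documents `UseDNS=` under `[DHCPv4]`, `[DHCPv6]` and `[IPv6AcceptRA]` (post #3's `[DHCP]` is the older section name), and the IPv6 RA entry covers the "ipv6ra dns" case post #2 mentions. For NetworkManager, post #3's `[main]` keys are one route; the per-connection `ipv4.ignore-auto-dns`/`ipv6.ignore-auto-dns` properties used here are my addition and need a live NetworkManager to apply.

```shell
#!/bin/sh
# Added example (not from the thread). Writes resolved/networkd drop-ins under
# "$1" (pass a scratch directory to try it; "/" as root for the real system) and
# lints the resolved drop-in. All file and function names are my choice.

# resolved: strict DoT + DNSSEC via a drop-in, as the stock resolved.conf suggests.
write_resolved_dropin() {
    d="${1:-}/etc/systemd/resolved.conf.d"
    mkdir -p "$d"
    cat > "$d/10-quad9-dot.conf" <<'EOF'
[Resolve]
# The four Quad9 addresses listed in the stock resolved.conf comment block.
# The "#name" suffix is the TLS server name resolved uses for SNI and for
# checking the certificate; without it there is no name to validate against.
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSSEC=yes
DNSOverTLS=yes
EOF
}

# systemd-networkd: stop DHCPv4, DHCPv6 and router advertisements from adding
# per-link servers. Drop-in for an existing wlan0.network; rename to match yours.
write_networkd_dropin() {
    d="${1:-}/etc/systemd/network/wlan0.network.d"
    mkdir -p "$d"
    cat > "$d/90-no-dhcp-dns.conf" <<'EOF'
[DHCPv4]
UseDNS=false
[DHCPv6]
UseDNS=false
[IPv6AcceptRA]
UseDNS=false
EOF
}

# NetworkManager: same effect per connection profile (my addition; not run by
# the test because it needs a live NetworkManager). $1 is the connection name.
nm_ignore_auto_dns() {
    nmcli connection modify "$1" ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes
}

# Lint a resolved drop-in: DNSOverTLS must be exactly "yes" (opportunistic falls
# back to cleartext) and every DNS= entry must carry a "#name" for the certificate
# check. Returns 1 with a message on the first violation.
lint_resolved_dropin() {
    f=$1
    dot=$(sed -n 's/^DNSOverTLS=//p' "$f")
    [ "$dot" = "yes" ] || { echo "$f: DNSOverTLS is '$dot', expected yes"; return 1; }
    for s in $(sed -n 's/^DNS=//p' "$f"); do
        case $s in
            *#*) ;;
            *) echo "$f: server $s has no #name, certificate cannot be checked against a name"; return 1 ;;
        esac
    done
    return 0
}

# Usage: sh dns-dropins.sh /tmp/scratch   (or: sudo sh dns-dropins.sh /)
if [ -n "${1:-}" ]; then
    write_resolved_dropin "$1" && write_networkd_dropin "$1" \
        && lint_resolved_dropin "$1/etc/systemd/resolved.conf.d/10-quad9-dot.conf"
fi
```

After writing under `/`, restart systemd-resolved (and systemd-networkd if you used that drop-in) and confirm with `resolvectl status` that the Global section lists only the Quad9 servers and no link still shows the router's address.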

#5 2023-03-07 08:13:46

Artyom
Member
Registered: 2017-03-27
Posts: 70

Re: Questions about DNS resolving with systemd-resolved

6_5_11_9_18 wrote:

Do you use systemd-networkd or NetworkManager (or something else)?

If you do not want to use the DNS Server advertised locally over DHCP you have to disable the functionality to set the per-link DNS Server.
If you use networkd add `UseDNS=false` to the `[DHCP]` section of your networkd config, if you use NetworkManager add the options `dns=none` and `systemd-resolved=false` to the `[main]` section in your NetworkManager config.
Does that fix your problem?

I use NetworkManager.
I will try the settings ASAP and report to you.
But systemd-resolved to false, doesn't this actually disable the use of systemd-resolved as DNS resolution provider?


#6 2023-03-07 08:37:40

Brocellous
Member
Registered: 2017-11-27
Posts: 161

Re: Questions about DNS resolving with systemd-resolved

Ok so, to disable local network DNS and only use those I set up, I must disable it in my DHCP client settings?

Yes and possibly ipv6ra depending on how your router is set up.

So no DoH with resolved, noted. Do you know any way to make DoH work system-wide? DoH seems more adequate for my usage.

DoT is just as good really. There's not much reason to obscure the port for dns traffic since any carrier can see the ip addr anyway (not a lot of other services hosted at 9.9.9.9 are there?). There's probably some other local recursive resolver you could run to proxy DoH but I don't know which.

Why is DNSSEC not working, since it's advertised as supported on the Quad9 website?

DNSSEC is a fictional technology. You may have read about it in a textbook or a blogpost or even an rfc but that doesn't mean real world nameservers are out there signing their records. This list https://en.wikipedia.org/wiki/List_of_m … d_websites of the top 50 most visited websites is 1/50 on DNSSEC, and that's 1 more than the last time I checked. Unsurprisingly, www.google.fr is unsigned.


#7 2023-03-07 11:45:25

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 15,147

Re: Questions about DNS resolving with systemd-resolved

https://www.routersecurity.org/testdns.php has interesting info.

DNSSEC is a fictional technology. You may have read about it in a textbook or a blogpost or even an rfc but that doesn't mean real world nameservers are out there signing their records.

I disagree, how many of those most visited sites are nameservers?


These are the results of my DoT setup on https://dnscheck.tools/#results .

Hi! Your public IP addresses are:
Unknown

    45.137.91.147 ptr: connected.by.freedominter.net Amsterdam, North Holland, NL
    2a10:3781:9ad:1:2110:7379:61bc:b793 ptr: 2a10-3781-09ad.connected.by.freedominter.net Amsterdam, North Holland, NL

Your DNS resolvers are:
Unknown

    185.93.175.24 ptr: dmzrtr0.px01.fi001.nl.freedomnet.nl Amsterdam, North Holland, NL
    2a10:3780:2:52:185:93:175:24 ns: authdns1.freedomnet.nl Amsterdam, North Holland, NL

Great! Your DNS responses are authenticated:
DNSSEC using ECDSA P-256 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

DNSSEC using ECDSA P-384 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

DNSSEC using Ed25519 (PASS)

    Correct signature: connected
    Invalid signature: not connected
    Expired signature: not connected
    Missing signature: not connected

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#8 2023-03-07 18:32:35

Brocellous
Member
Registered: 2017-11-27
Posts: 161

Re: Questions about DNS resolving with systemd-resolved

Honestly not sure what you're trying to say, so I'll just reiterate. The overwhelming majority of RR in the global DNS system are not signed, especially "big" websites. There is no way to get DNSSEC validated responses for those domains no matter your resolver because their operator has not provided signatures. In the real world properly signed domains are not just uncommon, they are an anomaly. If you somehow think that all your dns queries are end-to-end DNSSEC validated, you are sorely mistaken. The www.google.fr domain tested by OP falls into this category.


#9 2023-03-08 13:17:29

Artyom
Member
Registered: 2017-03-27
Posts: 70

Re: Questions about DNS resolving with systemd-resolved

So, now DoT is set system-wide with systemd-resolved and is used by default even with the DHCP DNS server not disabled (I used ngrep port 53 and ngrep port 853 for the check).
Just in case, how can I configure NetworkManager to always default new wired and wifi connections to DHCP address only?

Also, I want to use a VPN using the OpenVPN part of NetworkManager. I succeeded in getting DNS from the VPN provider and set them as default when the VPN connection is active with dns-priority.
But the DNS servers from the VPN are not DoT, and DoT is enforced system-wide by systemd-resolved, so name resolution doesn't work from there; even setting dns-over-tls to no in the per-link configuration doesn't disable it on the VPN link.
What can I do?

