
#1 Yesterday 19:13:41

KlikyBit
Member
Registered: 2024-10-01
Posts: 8

Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved

The DNS I am using has problems loading YouTube for whatever reason, so I'd like to set YouTube (and any other domains that happen to have an issue) to use a different DNS while still using my current DNS for everything else.

systemd-resolved seems like it may not support this based on what I've read here along with other linked issues and various other forum threads. I tried setting up the dummy link as they described but couldn't get it to work. YouTube still wouldn't load properly and the dummy link didn't seem to do anything. However, I also don't really know what I'm doing when it comes to networking and such. The workaround might just not work anymore at all.

It is mentioned that dnsmasq supports this kind of per-domain routing, but I'd rather stick with systemd-resolved because according to the wiki, dnsmasq does not support DNS over TLS, which I'd like to use. I'd also prefer to not have to port over all my existing config and learn how to use a different tool.

I'm using iwd (no NetworkManager) and systemd-resolved.

My current output from "resolvectl status" is:

Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 194.242.2.4#base.dns.mullvad.net
         DNS Servers: 194.242.2.4#base.dns.mullvad.net
Fallback DNS Servers: [...]
          DNS Domain: ~.

Link 3 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: [...]
       DNS Servers: [...]
        DNS Domain: [...]

Any help to achieve domain based DNS routing would be much appreciated. Thanks!


#2 Today 05:53:55

-thc
Member
Registered: 2017-03-15
Posts: 611

Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved

The changes to systemd-resolved that allow this are very recent (9/11/2024). You can define delegate scopes via "/etc/systemd/dns-delegate/*.conf" drop-in files. These contain DNS= and Domains= lines, resolving those domains via those DNS servers. I don't know if these changes are published yet.

The Mullvad DNS server is not public. It cannot be reached outside the Mullvad VPN:

[thc@box ~]$ drill dns.google @194.242.2.4
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 8310
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; dns.google.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 256 msec
;; SERVER: 194.242.2.4
;; WHEN: Wed Oct 16 07:24:46 2024
;; MSG SIZE  rcvd: 28

This means you may drop DNS over TLS - its main reason is that you don't trust your internet provider and/or the authorities eavesdropping on your DNS queries. Since you have to trust Mullvad completely, it's a non-issue inside the Mullvad VPN.


#3 Today 09:27:03

KlikyBit
Member
Registered: 2024-10-01
Posts: 8

Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved

Oh, that's great if it's actually supported now; I'll give it a try. I saw this merge request but it's still marked as "open" so I assumed it wasn't implemented yet. Would the file simply look like:

DNS=1.1.1.1
Domains=~youtube.com

Or does it require a section header like [Network]? Can I also add control for DoT with another line with "DNSOverTLS=false"? Does "the changes aren't published" mean there's no documentation yet, or that it hasn't been pushed/released?

Weird that you couldn't resolve google with that DNS; it's Mullvad's public DNS. I can access google search and google maps no problem. It's tracker/ad/malware blocking, so I think that's why I can't fully load YouTube. To be more specific, the YouTube page loads, but it says I'm not connected to the internet. The problem goes away with another DNS.

I'll give it a try to see if I can get it working. Thanks for the help!

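As an added example (not code from this thread or from systemd), here is a small Python emulation of the routing rule systemd-resolved documents for Domains=: a query goes to the scope whose routing domain is the longest suffix match, "~" marks a routing-only domain, and "~." matches everything. The bare DNS=/Domains= drop-in layout from #2 and the "~youtube.com" line from #3 are assumptions about the delegate file format; the parser simply skips a [Network]-style section header rather than settling whether one is required.

```python
"""Emulate how systemd-resolved chooses a DNS scope for a query name.
Rules as documented for Domains= in resolved.conf(5)/systemd.network(5):
'~' marks a routing-only domain, a query goes to the scope whose routing
domain is the longest suffix match, and '~.' matches every name (the
'DNS Domain: ~.' in the poster's Global output). DNS= may carry '#name',
the server name used for DNS over TLS. The bare DNS=/Domains= drop-in
layout is taken from the thread and is an assumption; samples are constructed.
"""
from dataclasses import dataclass, field

@dataclass
class Scope:
    name: str
    servers: list = field(default_factory=list)  # (address, dot_name or None)
    domains: list = field(default_factory=list)  # suffixes; '' is the root

def parse_delegate(name, text):
    """Parse DNS=/Domains= lines; blank lines, comments and [sections] are skipped."""
    scope = Scope(name)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        for item in value.split():
            if key.strip() == "DNS":
                addr, _, dot = item.partition("#")
                scope.servers.append((addr, dot or None))
            elif key.strip() == "Domains":
                # '~' = routing-only; '~.' becomes '' and matches everything
                scope.domains.append(item.lstrip("~").strip(".").lower())
    return scope

def route(query, scopes):
    """Return the scope with the longest routing-domain suffix matching query."""
    q = query.rstrip(".").lower()
    best, best_len = None, -1
    for scope in scopes:
        for dom in scope.domains:
            # label-aware match: 'youtube.com' must not catch 'notyoutube.com'
            if (dom == "" or q == dom or q.endswith("." + dom)) and len(dom) > best_len:
                best, best_len = scope, len(dom)
    return best

# Global scope mirrors the poster's resolvectl status; the delegate is constructed
GLOBAL = parse_delegate("global", "DNS=194.242.2.4#base.dns.mullvad.net\nDomains=~.")
YOUTUBE = parse_delegate("youtube", "DNS=1.1.1.1\nDomains=~youtube.com")
SCOPES = [GLOBAL, YOUTUBE]
```

With these two scopes, `route("www.youtube.com", SCOPES)` selects the 1.1.1.1 delegate while `route("archlinux.org", SCOPES)` and `route("notyoutube.com", SCOPES)` fall back to the Mullvad global scope.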
