You are not logged in.
- Topics: Active | Unanswered
#1 Yesterday 19:13:41
- KlikyBit
- Member
- Registered: 2024-10-01
- Posts: 9
Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved
The DNS I am using has problems loading YouTube for whatever reason, so I'd like to set YouTube (and any other domains that happen to have an issue) to use a different DNS while still using my current DNS for everything else.
systemd-resolved seems like it may not support this based on what I've read here along with other linked issues and various other forum threads. I tried setting up the dummy link as they described but couldn't get it to work. YouTube still wouldn't load properly and the dummy link didn't see to do anything. However, I also don't really know what I'm doing when it comes to networking and such. The workaround might just not work anymore at all.
It is mentioned that dnsmasq support this kind of per-domain routing, but I'd rather stick with systemd-resolved because according to the wiki, dnsmasq does not support DNS over TLS which I'd like to use. I'd also prefer to not have to port over all my existing config and learn how to use a different tool.
I'm using iwd (no NetworkManager) and systemd-resolved.
My current output from "resolvectl status" is:
Global
Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: stub
Current DNS Server: 194.242.2.4#base.dns.mullvad.net
DNS Servers: 194.242.2.4#base.dns.mullvad.net
Fallback DNS Servers: [...]
DNS Domain: ~.
Link 3 (wlan0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: [...]
DNS Servers: [...]
DNS Domain: [...]Any help to achieve domain based DNS routing would be much appreciated. Thanks!
Offline
#2 Today 05:53:55
- -thc
- Member
- Registered: 2017-03-15
- Posts: 613
Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved
The changes to systemd-resolved that allow this are very recent (9/11/2024). You can define delegate scopes via "/etc/systemd/dns-delegate/*.conf" drop in files. These contain DNS= and Domains= lines resolving those domains via those DNS servers. I don't know if these changes are published yet.
The Mullvad DNS server is not public. It cannot be reached outside the Mullvad VPN:
[thc@box ~]$ drill dns.google @194.242.2.4
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 8310
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dns.google. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 256 msec
;; SERVER: 194.242.2.4
;; WHEN: Wed Oct 16 07:24:46 2024
;; MSG SIZE rcvd: 28This means you may drop DNS over TLS - it's main reason is you don't trust your internet provider and/or the authorities eavesdropping on your DNS queries. Since you have to trust Mullvad completely it's a non-issue inside the Mullvad VPN.
Offline
#3 Today 09:27:03
- KlikyBit
- Member
- Registered: 2024-10-01
- Posts: 9
Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved
Oh, that's great if it's actually supported now; I'll give it a try. I saw this merge request but it's still marked as "open" so I assumed it wasn't implemented yet. Would the file simply look like:
DNS=1.1.1.1
Domains=~youtube.comOr does it require a section header like [Network]? Can I also add control for DoT with another line with "DNSOverTLS=false"? The changes aren't published means there's no documentation yet or that it hasn't been pushed/released?
Weird that you couldn't resolve google with that DNS; it's Mullvad's public DNS. I can access google search and google maps no problem. It's tracker/ad/malware blocking, so I think that's why I can't fully load YouTube. To be more specific, the YouTube page loads, but it says I'm not connected to the internet. The problem goes away with another DNS.
I'll give it a try to see if I can get it working. Thanks for the help!
Offline
#4 Today 12:01:39
- -thc
- Member
- Registered: 2017-03-15
- Posts: 613
Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved
Would the file simply look like:
DNS=1.1.1.1 Domains=~youtube.com
Yes.
Weird that you couldn't resolve google with that DNS
My bad. It only works in a secure way (DoT, DoH). Standard DNS queries are refused.
From the link you've posted:
This service is primarily meant to be used when you are disconnected from our VPN service, or on devices where it's not possible or desirable to connect to the VPN. When you are already connected to our VPN service the security benefits of using encrypted DNS is negligible and it will always be slower than using the DNS resolver on the VPN server that you are connected to.
Last edited by -thc (Today 12:04:25)
Offline
#5 Today 13:11:56
- KlikyBit
- Member
- Registered: 2024-10-01
- Posts: 9
Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved
I couldn't get this to work, and I'm fairly convinced that it's not yet a feature with the current latest version of systemd. Where did you find the changes/documentation mentioned?
On the bright side, I found out my problem with YouTube is DNSSEC related. Disabling DNSSEC fixed it. Although, DNSSEC worked fine with YouTube with another DNS. Now I also need a way to disable DNSSEC for only YouTube. If Mullvad's DNS continues to have problems with other sites as well I might switch to another, but I trust Mullvad more than most DNS providers, and I like the features offered by this one.
Offline
#6 Today 14:13:36
- -thc
- Member
- Registered: 2017-03-15
- Posts: 613
Re: Per-domain DNS routing/Conditional DNS forwarding w/ systemd-resolved
Where did you find the changes/documentation mentioned?
In the merge request you linked above.
Offline