Learn Linux with Alice

Demystifying systemd-resolved: A Comprehensive Guide to Local DNS Resolution

Posted on by Robert Johnson

Demystifying systemd-resolved: A Comprehensive Guide to Local DNS Resolution

Hey there, fellow Linux enthusiasts! Alice here, ready to dive deep into another fascinating corner of the Linux world. Today, we’re tackling systemd-resolved, a system service that provides local DNS resolution. If you’ve ever wrestled with DNS configuration, especially in complex network environments, this guide is for you.

Before we begin, a quick shoutout to our sponsor, Racknerd! Need a reliable VPS for your experiments or production workloads? Racknerd offers fantastic deals, with VPS plans starting as low as $15 per year. Seriously, check them out – you won’t regret it!

What is systemd-resolved?

systemd-resolved is a system service that manages network name resolution. It provides local DNS caching, DNSSEC validation, and Multicast DNS (mDNS) resolution. It’s part of the systemd suite, which is the init system and system manager for many modern Linux distributions.

In simpler terms, systemd-resolved helps your computer translate domain names (like google.com) into IP addresses (like 142.250.184.78). It does this efficiently by caching DNS records locally, so your computer doesn’t have to query external DNS servers every time you visit a website.

Why use systemd-resolved?

You might be wondering, “Why should I bother with systemd-resolved? My current DNS setup works fine.” Well, here are a few compelling reasons:

  • Improved Performance: Local DNS caching speeds up website loading and reduces network traffic.
  • DNSSEC Validation: systemd-resolved can validate DNS responses using DNSSEC, which helps protect against DNS spoofing and other attacks.
  • mDNS Support: systemd-resolved supports mDNS, which allows you to resolve hostnames on your local network without a dedicated DNS server. This is especially useful for home networks and small offices.
  • Integration with systemd: If you’re already using systemd, systemd-resolved integrates seamlessly with your system.
  • Split DNS Support: systemd-resolved allows you to configure different DNS servers for different domains. For example, you can use your company’s internal DNS server for internal domains and a public DNS server for everything else. This is also known as split horizon DNS.

Installing systemd-resolved

On most modern Linux distributions, systemd-resolved is installed and enabled by default. However, if it’s not, you can install it using your distribution’s package manager. For example, on Ubuntu or Debian, you can use the following command:

sudo apt update
sudo apt install systemd-resolved

On Fedora or CentOS, you can use the following command:

sudo dnf install systemd-resolved

After installing systemd-resolved, make sure it’s enabled and running:

sudo systemctl enable systemd-resolved
sudo systemctl start systemd-resolved
sudo systemctl status systemd-resolved

Configuring systemd-resolved

The main configuration file for systemd-resolved is /etc/systemd/resolved.conf. However, it’s generally recommended to create drop-in configuration files in the /etc/systemd/resolved.conf.d/ directory. This makes it easier to manage your configuration and avoid conflicts with package updates.

Let’s create a drop-in configuration file to set the DNS servers:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo nano /etc/systemd/resolved.conf.d/dns_servers.conf

Add the following lines to the file, replacing the IP addresses with your preferred DNS servers:


[Resolve]
DNS=1.1.1.1 8.8.8.8
FallbackDNS=1.0.0.1 8.8.4.4

In this example, we’re using Cloudflare’s DNS servers (1.1.1.1 and 1.0.0.1) and Google’s Public DNS servers (8.8.8.8 and 8.8.4.4). The FallbackDNS option specifies DNS servers to use if the primary DNS servers are unavailable.

Save the file and restart systemd-resolved to apply the changes:

sudo systemctl restart systemd-resolved

Configuring Network Interfaces

To use systemd-resolved, you need to configure your network interfaces to use it as the DNS resolver. There are several ways to do this:

Using systemd-networkd

If you’re using systemd-networkd to manage your network interfaces, you can configure DNS settings in the interface configuration file. For example, if your interface is named eth0, you would edit the /etc/systemd/network/eth0.network file:

sudo nano /etc/systemd/network/eth0.network

Add the following lines to the [Network] section:


[Network]
DNS=1.1.1.1 8.8.8.8
Domains=example.com

The DNS option specifies the DNS servers to use for this interface. The Domains option specifies the DNS search domains. In this example, we’re using Cloudflare’s DNS servers and setting the search domain to example.com. This means that if you try to access `intranet.example.com`, your computer will automatically append `.example.com` to the hostname.

Save the file and restart systemd-networkd to apply the changes:

sudo systemctl restart systemd-networkd

Using NetworkManager

If you’re using NetworkManager to manage your network interfaces, you can configure DNS settings in the NetworkManager connection settings. This can be done using the NetworkManager GUI or the nmcli command-line tool.

To use the GUI, open the NetworkManager settings, select your connection, and go to the “IPv4 Settings” or “IPv6 Settings” tab. Change the “DNS” setting to “Automatic (DHCP) addresses only” and enter the DNS servers in the “DNS servers” field.

To use the nmcli command-line tool, you can use the following command, replacing connection_name with the name of your connection:

nmcli connection modify connection_name ipv4.dns "1.1.1.1,8.8.8.8"
nmcli connection modify connection_name ipv4.dns-search "example.com"
nmcli connection up connection_name

The ipv4.dns option specifies the DNS servers to use for this connection. The ipv4.dns-search option specifies the DNS search domains.

Using resolv.conf (Not Recommended)

Traditionally, DNS settings on Linux systems were configured in the /etc/resolv.conf file. However, systemd-resolved manages this file, and any manual changes you make to it will be overwritten. Therefore, it’s generally not recommended to edit /etc/resolv.conf directly.

If you need to configure DNS settings manually, you should use one of the methods described above (systemd-networkd or NetworkManager).

Split Horizon DNS with systemd-resolved

One of the most powerful features of systemd-resolved is its support for split horizon DNS. This allows you to configure different DNS servers for different domains. For example, you can use your company’s internal DNS server for internal domains and a public DNS server for everything else.

To configure split horizon DNS, you need to create a separate configuration file for each domain. For example, to use the DNS server 192.168.1.10 for the domain example.com, you would create the file /etc/systemd/resolved.conf.d/example.com.conf:

sudo nano /etc/systemd/resolved.conf.d/example.com.conf

Add the following lines to the file:


[Resolve]
DNS=192.168.1.10
Domains=example.com

Save the file and restart systemd-resolved to apply the changes:

sudo systemctl restart systemd-resolved

Now, when you try to resolve a hostname in the example.com domain, systemd-resolved will use the DNS server 192.168.1.10. For all other domains, it will use the DNS servers configured in /etc/systemd/resolved.conf.d/dns_servers.conf.

Troubleshooting systemd-resolved

If you’re having trouble with systemd-resolved, here are a few things you can try:

  • Check the status of the service: 
    sudo systemctl status systemd-resolved

    Make sure the service is running and that there are no errors in the logs. If the service is failing to start, check the journal logs for more detailed error messages. You can use the command journalctl -u systemd-resolved to view the logs. Look for any error messages that indicate configuration issues or conflicts with other services.

  • Check the DNS settings: 
    resolvectl status

    This command shows the current DNS settings, including the DNS servers and search domains. Pay close attention to the “Current DNS Server” and “DNS Servers” lines. If these are not what you expect, double-check your configuration files. Also, verify that the interfaces listed are the ones you intend to be using `systemd-resolved`.

  • Flush the DNS cache: 
    sudo systemd-resolve --flush-caches

    This clears the local DNS cache, which can help resolve issues caused by stale DNS records. After flushing the cache, try resolving a known domain name to see if the issue is resolved.

  • Use dig or nslookup to query DNS servers directly: 
    dig example.com @1.1.1.1
    nslookup example.com 8.8.8.8

    This can help you determine if the issue is with systemd-resolved or with the DNS servers themselves. If you can successfully query the DNS servers directly, the issue is likely with `systemd-resolved`’s configuration.

  • Check for conflicts with other DNS resolvers: Sometimes, other DNS resolvers like `dnsmasq` or `bind9` might be running on the same system and conflicting with `systemd-resolved`. If you suspect a conflict, try disabling the other DNS resolver and restarting `systemd-resolved`.
  • Verify the symlink for /etc/resolv.conf: `systemd-resolved` typically manages the `/etc/resolv.conf` file by creating a symbolic link to a file it controls. Ensure that `/etc/resolv.conf` is indeed a symlink and points to `/run/systemd/resolve/stub-resolv.conf` or a similar file. If it’s a regular file, you might need to recreate the symlink.

Security Considerations

While systemd-resolved offers several benefits, it’s important to be aware of potential security considerations:

  • DNS Spoofing: Although systemd-resolved supports DNSSEC, it’s crucial to ensure that DNSSEC validation is enabled and working correctly. Otherwise, your system might be vulnerable to DNS spoofing attacks, where attackers can redirect you to malicious websites.
  • Cache Poisoning: DNS cache poisoning is another potential attack where attackers inject false DNS records into the cache. While systemd-resolved‘s caching mechanism is generally secure, it’s still important to be aware of this risk. Regularly flushing the DNS cache can help mitigate the impact of cache poisoning attacks.
  • Privacy Concerns: When using public DNS servers, your DNS queries might be logged by the DNS server provider. If you’re concerned about privacy, consider using a privacy-focused DNS server like Cloudflare’s 1.1.1.1 with DNS over HTTPS (DoH) or DNS over TLS (DoT). You can configure DoH/DoT with `systemd-resolved` by using stubby or cloudflared.
  • mDNS Vulnerabilities: Multicast DNS (mDNS) can be vulnerable to certain attacks, especially in untrusted networks. If you’re not using mDNS, consider disabling it to reduce the attack surface.
  • Configuration Errors: Incorrectly configuring systemd-resolved can lead to DNS resolution issues and potential security vulnerabilities. Always double-check your configuration files and ensure that you understand the implications of each setting.

To further enhance security, consider implementing the following measures:

  • Enable DNSSEC Validation: Ensure that DNSSEC validation is enabled in systemd-resolved‘s configuration.
  • Use a Privacy-Focused DNS Server: Consider using a DNS server that prioritizes privacy and doesn’t log your DNS queries.
  • Regularly Update systemd: Keep your systemd package up to date to patch any security vulnerabilities.
  • Monitor DNS Traffic: Monitor your DNS traffic for any suspicious activity.

By being aware of these security considerations and implementing appropriate security measures, you can use systemd-resolved safely and effectively.

Conclusion

systemd-resolved is a powerful and flexible system service that provides local DNS resolution. It offers improved performance, DNSSEC validation, mDNS support, and split horizon DNS capabilities. By understanding how to configure, troubleshoot, and secure systemd-resolved, you can take control of your DNS settings and optimize your network performance.

And that’s a wrap! I hope this guide has been helpful. Remember to check out Racknerd for all your VPS needs. They have amazing deals and top-notch service. They have VPS plans starting as low as $15/year up to like 6gb for 50usd/year even. Until next time, happy hacking!

Was this tutorial helpful? Let me know in the comments below!