2022-03-28 19:43:03 +02:00
|
|
|
# systemd-resolved additional config files
|
2020-07-04 18:06:18 +02:00
|
|
|
|
2024-04-11 09:06:18 +02:00
|
|
|
<!-- editorconfig-checker-disable -->
|
|
|
|
<!-- prettier-ignore-start -->
|
|
|
|
|
|
|
|
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
|
|
|
|
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
|
|
|
|
|
|
|
|
- [Quickstart](#quickstart)
|
|
|
|
- [Files explained](#files-explained)
|
|
|
|
- [General commentary](#general-commentary)
|
|
|
|
|
|
|
|
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
|
|
|
|
|
|
|
<!-- prettier-ignore-end -->
|
|
|
|
<!-- editorconfig-checker-enable -->
|
|
|
|
|
2022-03-28 19:43:03 +02:00
|
|
|
## Quickstart
|
|
|
|
|
|
|
|
```bash
|
|
|
|
sudo systemctl enable --now systemd-resolved.service
|
|
|
|
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
|
|
|
|
# After changing configuration
|
|
|
|
sudo systemctl restart systemd-resolved
|
|
|
|
```
|
|
|
|
|
|
|
|
## Files explained
|
2020-07-04 18:06:18 +02:00
|
|
|
|
2024-04-22 14:08:03 +02:00
|
|
|
- `00-defaults.conf` - configuration that should be used everywhere.
|
2024-04-10 14:09:31 +02:00
|
|
|
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
2024-04-18 13:28:06 +02:00
|
|
|
enables opportunistic DoT, caching and local DNS servers (because they
|
|
|
|
should exist anyway as I don't trust systemd-resolved entirely. Anyway if
|
|
|
|
there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
|
2024-04-22 14:08:03 +02:00
|
|
|
- To rephrase, this is to be used together with other files, especially
|
2024-04-28 08:13:20 +02:00
|
|
|
some of those beginning with `10-dot-`.
|
2024-04-28 15:11:13 +02:00
|
|
|
- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
|
|
|
|
network and owned by them)
|
|
|
|
- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
|
|
|
|
Saunalahti still exists here as well.
|
2024-04-28 08:13:20 +02:00
|
|
|
- `10-dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
|
2024-04-22 14:08:03 +02:00
|
|
|
At least one of these should be used in addition to `00-defaults.conf`
|
2024-04-28 08:13:20 +02:00
|
|
|
- `98-local-resolver.conf` attempts to configure localhost resolver and
|
2024-04-28 15:11:13 +02:00
|
|
|
disables unnecessary features for that scenario. The number 10 takes
|
|
|
|
priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will
|
|
|
|
also apply to the former ones that are unlikely to support it. When
|
|
|
|
numbering the files, I didn't think I would be adding the plaintext DNS
|
|
|
|
servers that I am unlikely to use whenever Unbound is available (and I
|
|
|
|
currently have only one system that has systemd-resolved while not having
|
|
|
|
Unbound and it seems to prefer DoT over my router anyway).
|
2024-04-28 08:13:20 +02:00
|
|
|
- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
|
|
|
|
LAN assuming they are trusted. Note that if used together with
|
|
|
|
`98-local-resolver.conf`, DNSSEC would be disabled.
|
2023-02-21 16:54:39 +01:00
|
|
|
- `README.md` - you are reading it right now.
|
2020-07-04 18:06:18 +02:00
|
|
|
|
2022-03-28 19:43:03 +02:00
|
|
|
## General commentary
|
2020-07-04 18:06:18 +02:00
|
|
|
|
2024-04-11 09:03:53 +02:00
|
|
|
- DNSOverTLS became supported in systemd v239, strict mode (true) in
|
2023-02-21 18:33:31 +01:00
|
|
|
v243 (big improvements in v244).
|
|
|
|
- TODO: find out when SNI became supported, I have just spotted it in the
|
|
|
|
fine manual in 2020-06-??.
|
2023-02-21 16:54:39 +01:00
|
|
|
- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
2023-02-21 18:33:31 +01:00
|
|
|
without which I wouldn't have got this right.
|
2023-02-21 16:54:39 +01:00
|
|
|
- DNSSEC may not work if the system is down for a long time and not updated.
|
2023-02-21 18:33:31 +01:00
|
|
|
Thus `allow-downgrade` may be better for non-tech people, even with the
|
|
|
|
potential downgrade attack. There are also captive portals, affecting
|
2024-04-11 09:03:53 +02:00
|
|
|
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
|
|
|
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
2023-10-21 10:27:07 +02:00
|
|
|
- Then again when was any system that outdated to not have working DNSSEC?
|
|
|
|
- TODO: return to this configuration should that actually happen?
|
2024-04-11 09:03:53 +02:00
|
|
|
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
|
|
|
to both with `options rotate edns0 trust-ad` which might workaround that
|
|
|
|
potential issue.
|
2024-05-15 19:23:27 +02:00
|
|
|
- DNS server priority is the one they are specified in. The first working one
|
|
|
|
will be used when it won't work anymore and then the next is used as long
|
|
|
|
as it works and then it's back to the beginning.
|
|
|
|
- https://github.com/systemd/systemd/issues/16322#issuecomment-724143641
|
2020-07-04 18:06:18 +02:00
|
|
|
|
|
|
|
Other links I have found important and my files are based on:
|
|
|
|
|
2023-02-21 16:54:39 +01:00
|
|
|
- https://wiki.archlinux.org/index.php/Systemd-resolved
|
2023-02-21 18:33:31 +01:00
|
|
|
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
2023-10-21 10:27:07 +02:00
|
|
|
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
|
2023-02-21 16:54:39 +01:00
|
|
|
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|