Systemd/resolved: Difference between revisions

Revision as of 21:00, 21 September 2025

systemd-resolved is a systemd service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

Configuration Example: Enforce secure DNS

The following configuration configures resolved daemon to use the public DNS resolver provided by Cloudflare. DNSSEC and DNS-over-TLS is enabled for authenticity and encryption.

Warning: This secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.

In that case, use networkctl status ${wlan interface} to show the default DNS provided by the network, and temporarily change nameserver inside /etc/resolv.conf from 127.0.0.53 to the provided one.

networking.nameservers = [
  "1.1.1.1"
  "1.0.0.1"
];

services.resolved = {
  enable = true;
  dnssec = "true";
  domains = [ "~." ];
  fallbackDns = [
    "1.1.1.1"
    "1.0.0.1"
  ];
  dnsovertls = "true";
};

@@ Line 7: / Line 7: @@
 The following configuration configures resolved daemon to use the public DNS resolver provided by [https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/ Cloudflare]. DNSSEC and DNS-over-TLS is enabled for authenticity and encryption.
-Warning: This config snippet will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.
+Warning: This secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.
+In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.
 <syntaxhighlight lang="nix">