Systemd/resolved: Difference between revisions

(16 intermediate revisions by 8 users not shown)

Line 1:

systemd-resolved is a [[systemd]] service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

[https://www.freedesktop.org/software/systemd/man/systemd-resolved.html systemd-resolved] is a [[systemd]] service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.

== Configuration ==

= Secure DNS and Captive Portal =

Secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.

In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.

Alternatively, if you have Chromium installed, you can use the <code>programs.captive-browser.enable</code> Chromium wrapper, which is "Dedicated Chrome instance to log into captive portals without messing with DNS settings".

= Configuration Example: Enforce secure DNS =

@@ Line 1: / Line 1: @@
-systemd-resolved is a [[systemd]] service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.
+{{Systemd/breadcrumb}}
+{{DISPLAYTITLE:systemd-resolved}}
+[https://www.freedesktop.org/software/systemd/man/systemd-resolved.html systemd-resolved] is a [[systemd]] service that provides network name resolution to local applications via a D-Bus interface, the resolve NSS service (nss-resolve(8)), and a local DNS stub listener on 127.0.0.53. See systemd-resolved(8) for the usage.
-== Configuration ==
+= Secure DNS and Captive Portal =
+Secure DNS will break most captive portals like those of public or hotel wifi access points, resulting in inability to gain internet access through such access points.
+In that case, use <code>networkctl status ${wlan interface}</code> to show the default DNS provided by the network, and temporarily change nameserver inside <code>/etc/resolv.conf</code> from <code>127.0.0.53</code> to the provided one.
+Alternatively, if you have Chromium installed, you can use the <code>programs.captive-browser.enable</code> Chromium wrapper, which is "Dedicated Chrome instance to log into captive portals without messing with DNS settings".
+= Configuration Example: Enforce secure DNS =
+See also [[Encrypted DNS]].
 The following configuration configures resolved daemon to use the public DNS resolver provided by [https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/ Cloudflare]. DNSSEC and DNS-over-TLS is enabled for authenticity and encryption.
-<syntaxHighlight lang="nix">
-networking.nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+<syntaxhighlight lang="nix">
+networking.nameservers = [
+  "1.1.1.1"
+  "1.0.0.1"
+];
 services.resolved = {
@@ Line 12: / Line 28: @@
    dnssec = "true";
    domains = [ "~." ];
-   fallbackDns = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+   fallbackDns = [
-   extraConfig = ''
+    "1.1.1.1"
-    DNSOverTLS=yes
+    "1.0.0.1"
-  '';
+  ];
+   dnsovertls = "true";
 };
-</syntaxHighlight>
+</syntaxhighlight>
+[[Category:systemd]]
 [[Category:Networking]]
+[[Category:DNS]]