1RESOLVED.CONF(5)                 resolved.conf                RESOLVED.CONF(5)
2
3
4

NAME

6       resolved.conf, resolved.conf.d - Network Name Resolution configuration
7       files
8

SYNOPSIS

10       /etc/systemd/resolved.conf
11
12       /etc/systemd/resolved.conf.d/*.conf
13
14       /run/systemd/resolved.conf.d/*.conf
15
16       /usr/lib/systemd/resolved.conf.d/*.conf
17

DESCRIPTION

19       These configuration files control local DNS and LLMNR name resolution.
20

CONFIGURATION DIRECTORIES AND PRECEDENCE

22       The default configuration is set during compilation, so configuration
23       is only needed when it is necessary to deviate from those defaults.
24       Initially, the main configuration file in /etc/systemd/ contains
25       commented out entries showing the defaults as a guide to the
26       administrator. Local overrides can be created by editing this file or
27       by creating drop-ins, as described below. Using drop-ins for local
28       configuration is recommended over modifications to the main
29       configuration file.
30
31       In addition to the "main" configuration file, drop-in configuration
32       snippets are read from /usr/lib/systemd/*.conf.d/,
33       /usr/local/lib/systemd/*.conf.d/, and /etc/systemd/*.conf.d/. Those
34       drop-ins have higher precedence and override the main configuration
35       file. Files in the *.conf.d/ configuration subdirectories are sorted by
36       their filename in lexicographic order, regardless of in which of the
37       subdirectories they reside. When multiple files specify the same
38       option, for options which accept just a single value, the entry in the
39       file sorted last takes precedence, and for options which accept a list
40       of values, entries are collected as they occur in the sorted files.
41
42       When packages need to customize the configuration, they can install
43       drop-ins under /usr/. Files in /etc/ are reserved for the local
44       administrator, who may use this logic to override the configuration
45       files installed by vendor packages. Drop-ins have to be used to
46       override package drop-ins, since the main configuration file has lower
47       precedence. It is recommended to prefix all filenames in those
48       subdirectories with a two-digit number and a dash, to simplify the
49       ordering of the files.
50
51       To disable a configuration file supplied by the vendor, the recommended
52       way is to place a symlink to /dev/null in the configuration directory
53       in /etc/, with the same filename as the vendor configuration file.
54

OPTIONS

56       The following options are available in the [Resolve] section:
57
58       DNS=
59           A space-separated list of IPv4 and IPv6 addresses to use as system
60           DNS servers. Each address can optionally take a port number
61           separated with ":", a network interface name or index separated
62           with "%", and a Server Name Indication (SNI) separated with "#".
63           When IPv6 address is specified with a port number, then the address
64           must be in the square brackets. That is, the acceptable full
65           formats are "111.222.333.444:9953%ifname#example.com" for IPv4 and
66           "[1111:2222::3333]:9953%ifname#example.com" for IPv6. DNS requests
67           are sent to one of the listed DNS servers in parallel to suitable
68           per-link DNS servers acquired from systemd-networkd.service(8) or
69           set at runtime by external applications. For compatibility reasons,
70           if this setting is not specified, the DNS servers listed in
71           /etc/resolv.conf are used instead, if that file exists and any
72           servers are configured in it. This setting defaults to the empty
73           list.
74
75       FallbackDNS=
76           A space-separated list of IPv4 and IPv6 addresses to use as the
77           fallback DNS servers. Please see DNS= for acceptable format of
78           addresses. Any per-link DNS servers obtained from systemd-
79           networkd.service(8) take precedence over this setting, as do any
80           servers set via DNS= above or /etc/resolv.conf. This setting is
81           hence only used if no other DNS server information is known. If
82           this option is not given, a compiled-in list of DNS servers is used
83           instead.
84
85       Domains=
86           A space-separated list of domains, optionally prefixed with "~",
87           used for two distinct purposes described below. Defaults to the
88           empty list.
89
90           Any domains not prefixed with "~" are used as search suffixes when
91           resolving single-label hostnames (domain names which contain no
92           dot), in order to qualify them into fully-qualified domain names
93           (FQDNs). These "search domains" are strictly processed in the order
94           they are specified in, until the name with the suffix appended is
95           found. For compatibility reasons, if this setting is not specified,
96           the search domains listed in /etc/resolv.conf with the search
97           keyword are used instead, if that file exists and any domains are
98           configured in it.
99
100           The domains prefixed with "~" are called "route-only domains". All
101           domains listed here (both search domains and route-only domains
102           after removing the "~" prefix) define a search path that preferably
103           directs DNS queries to this interface. This search path has an
104           effect only when suitable per-link DNS servers are known. Such
105           servers may be defined through the DNS= setting (see above) and
106           dynamically at run time, for example from DHCP leases. If no
107           per-link DNS servers are known, route-only domains have no effect.
108
109           Use the construct "~."  (which is composed from "~" to indicate a
110           route-only domain and "."  to indicate the DNS root domain that is
111           the implied suffix of all DNS domains) to use the DNS servers
112           defined for this link preferably for all domains.
113
114           See "Protocols and Routing" in systemd-resolved.service(8) for
115           details of how search and route-only domains are used.
116
117       LLMNR=
118           Takes a boolean argument or "resolve". Controls Link-Local
119           Multicast Name Resolution support (RFC 4795[1]) on the local host.
120           If true, enables full LLMNR responder and resolver support. If
121           false, disables both. If set to "resolve", only resolution support
122           is enabled, but responding is disabled. Note that systemd-
123           networkd.service(8) also maintains per-link LLMNR settings. LLMNR
124           will be enabled on a link only if the per-link and the global
125           setting is on.
126
127       MulticastDNS=
128           Takes a boolean argument or "resolve". Controls Multicast DNS
129           support (RFC 6762[2]) on the local host. If true, enables full
130           Multicast DNS responder and resolver support. If false, disables
131           both. If set to "resolve", only resolution support is enabled, but
132           responding is disabled. Note that systemd-networkd.service(8) also
133           maintains per-link Multicast DNS settings. Multicast DNS will be
134           enabled on a link only if the per-link and the global setting is
135           on.
136
137       DNSSEC=
138           Takes a boolean argument or "allow-downgrade".
139
140           If set to true, all DNS lookups are DNSSEC-validated locally
141           (excluding LLMNR and Multicast DNS). If the response to a lookup
142           request is detected to be invalid a lookup failure is returned to
143           applications. Note that this mode requires a DNS server that
144           supports DNSSEC. If the DNS server does not properly support DNSSEC
145           all validations will fail.
146
147           If set to "allow-downgrade", DNSSEC validation is attempted, but if
148           the server does not support DNSSEC properly, DNSSEC mode is
149           automatically disabled. Note that this mode makes DNSSEC validation
150           vulnerable to "downgrade" attacks, where an attacker might be able
151           to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
152           response that suggests DNSSEC was not supported.
153
154           If set to false, DNS lookups are not DNSSEC validated. In this
155           mode, or when set to "allow-downgrade" and the downgrade has
156           happened, the resolver becomes security-unaware and all forwarded
157           queries have DNSSEC OK (DO) bit unset.
158
159           Note that DNSSEC validation requires retrieval of additional DNS
160           data, and thus results in a small DNS lookup time penalty.
161
162           DNSSEC requires knowledge of "trust anchors" to prove data
163           integrity. The trust anchor for the Internet root domain is built
164           into the resolver, additional trust anchors may be defined with
165           dnssec-trust-anchors.d(5). Trust anchors may change at regular
166           intervals, and old trust anchors may be revoked. In such a case
167           DNSSEC validation is not possible until new trust anchors are
168           configured locally or the resolver software package is updated with
169           the new root trust anchor. In effect, when the built-in trust
170           anchor is revoked and DNSSEC= is true, all further lookups will
171           fail, as it cannot be proved anymore whether lookups are correctly
172           signed, or validly unsigned. If DNSSEC= is set to "allow-downgrade"
173           the resolver will automatically turn off DNSSEC validation in such
174           a case.
175
176           Client programs looking up DNS data will be informed whether
177           lookups could be verified using DNSSEC, or whether the returned
178           data could not be verified (either because the data was found
179           unsigned in the DNS, or the DNS server did not support DNSSEC or no
180           appropriate trust anchors were known). In the latter case it is
181           assumed that client programs employ a secondary scheme to validate
182           the returned DNS data, should this be required.
183
184           It is recommended to set DNSSEC= to true on systems where it is
185           known that the DNS server supports DNSSEC correctly, and where
186           software or trust anchor updates happen regularly. On other systems
187           it is recommended to set DNSSEC= to "allow-downgrade".
188
189           In addition to this global DNSSEC setting systemd-
190           networkd.service(8) also maintains per-link DNSSEC settings. For
191           system DNS servers (see above), only the global DNSSEC setting is
192           in effect. For per-link DNS servers the per-link setting is in
193           effect, unless it is unset in which case the global setting is used
194           instead.
195
196           Site-private DNS zones generally conflict with DNSSEC operation,
197           unless a negative (if the private zone is not signed) or positive
198           (if the private zone is signed) trust anchor is configured for
199           them. If "allow-downgrade" mode is selected, it is attempted to
200           detect site-private DNS zones using top-level domains (TLDs) that
201           are not known by the DNS root server. This logic does not work in
202           all private zone setups.
203
204           Defaults to "no".
205
206       DNSOverTLS=
207           Takes a boolean argument or "opportunistic". If true all
208           connections to the server will be encrypted. Note that this mode
209           requires a DNS server that supports DNS-over-TLS and has a valid
210           certificate. If the hostname was specified in DNS= by using the
211           format "address#server_name" it is used to validate its certificate
212           and also to enable Server Name Indication (SNI) when opening a TLS
213           connection. Otherwise the certificate is checked against the
214           server's IP. If the DNS server does not support DNS-over-TLS all
215           DNS requests will fail.
216
217           When set to "opportunistic" DNS request are attempted to send
218           encrypted with DNS-over-TLS. If the DNS server does not support
219           TLS, DNS-over-TLS is disabled. Note that this mode makes
220           DNS-over-TLS vulnerable to "downgrade" attacks, where an attacker
221           might be able to trigger a downgrade to non-encrypted mode by
222           synthesizing a response that suggests DNS-over-TLS was not
223           supported. If set to false, DNS lookups are send over UDP.
224
225           Note that DNS-over-TLS requires additional data to be send for
226           setting up an encrypted connection, and thus results in a small DNS
227           look-up time penalty.
228
229           Note that in "opportunistic" mode the resolver is not capable of
230           authenticating the server, so it is vulnerable to
231           "man-in-the-middle" attacks.
232
233           In addition to this global DNSOverTLS= setting systemd-
234           networkd.service(8) also maintains per-link DNSOverTLS= settings.
235           For system DNS servers (see above), only the global DNSOverTLS=
236           setting is in effect. For per-link DNS servers the per-link setting
237           is in effect, unless it is unset in which case the global setting
238           is used instead.
239
240           Defaults to "no".
241
242       Cache=
243           Takes a boolean or "no-negative" as argument. If "yes" (the
244           default), resolving a domain name which already got queried earlier
245           will return the previous result as long as it is still valid, and
246           thus does not result in a new network request. Be aware that
247           turning off caching comes at a performance penalty, which is
248           particularly high when DNSSEC is used. If "no-negative", only
249           positive answers are cached.
250
251           Note that caching is turned off by default for host-local DNS
252           servers. See CacheFromLocalhost= for details.
253
254       CacheFromLocalhost=
255           Takes a boolean as argument. If "no" (the default), and response
256           cames from host-local IP address (such as 127.0.0.1 or ::1), the
257           result wouldn't be cached in order to avoid potential duplicate
258           local caching.
259
260       DNSStubListener=
261           Takes a boolean argument or one of "udp" and "tcp". If "udp", a DNS
262           stub resolver will listen for UDP requests on addresses 127.0.0.53
263           and 127.0.0.54, port 53. If "tcp", the stub will listen for TCP
264           requests on the same addresses and port. If "yes" (the default),
265           the stub listens for both UDP and TCP requests. If "no", the stub
266           listener is disabled.
267
268           The DNS stub resolver on 127.0.0.53 provides the full feature set
269           of the local resolver, which includes offering LLMNR/MulticastDNS
270           resolution. The DNS stub resolver on 127.0.0.54 provides a more
271           limited resolver, that operates in "proxy" mode only, i.e. it will
272           pass most DNS messages relatively unmodified to the current
273           upstream DNS servers and back, but not try to process the messages
274           locally, and hence does not validate DNSSEC, or offer up
275           LLMNR/MulticastDNS. (It will translate to DNS-over-TLS
276           communication if needed however.)
277
278           Note that the DNS stub listener is turned off implicitly when its
279           listening address and port are already in use.
280
281       DNSStubListenerExtra=
282           Takes an IPv4 or IPv6 address to listen on. The address may be
283           optionally prefixed with a protocol name ("udp" or "tcp") separated
284           with ":". If the protocol is not specified, the service will listen
285           on both UDP and TCP. It may be also optionally suffixed by a
286           numeric port number with separator ":". When an IPv6 address is
287           specified with a port number, then the address must be in the
288           square brackets. If the port is not specified, then the service
289           uses port 53. Note that this is independent of the primary DNS stub
290           configured with DNSStubListener=, and only configures additional
291           sockets to listen on. This option can be specified multiple times.
292           If an empty string is assigned, then the all previous assignments
293           are cleared. Defaults to unset.
294
295           Examples:
296
297               DNSStubListenerExtra=192.168.10.10
298               DNSStubListenerExtra=2001:db8:0:f102::10
299               DNSStubListenerExtra=192.168.10.11:9953
300               DNSStubListenerExtra=[2001:db8:0:f102::11]:9953
301               DNSStubListenerExtra=tcp:192.168.10.12
302               DNSStubListenerExtra=udp:2001:db8:0:f102::12
303               DNSStubListenerExtra=tcp:192.168.10.13:9953
304               DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953
305
306
307       ReadEtcHosts=
308           Takes a boolean argument. If "yes" (the default), systemd-resolved
309           will read /etc/hosts, and try to resolve hosts or address by using
310           the entries in the file before sending query to DNS servers.
311
312       ResolveUnicastSingleLabel=
313           Takes a boolean argument. When false (the default),
314           systemd-resolved will not resolve A and AAAA queries for
315           single-label names over classic DNS. Note that such names may still
316           be resolved if search domains are specified (see Domains= above),
317           or using other mechanisms, in particular via LLMNR or from
318           /etc/hosts. When true, queries for single-label names will be
319           forwarded to global DNS servers even if no search domains are
320           defined.
321
322           This option is provided for compatibility with configurations where
323           public DNS servers are not used. Forwarding single-label names to
324           servers not under your control is not standard-conformant, see IAB
325           Statement[3], and may create a privacy and security risk.
326
327       StaleRetentionSec=SECONDS
328           Takes a duration value, which determines the length of time DNS
329           resource records can be retained in the cache beyond their Time To
330           Live (TTL). This allows these records to be returned as stale
331           records. By default, this value is set to zero, meaning that DNS
332           resource records are not stored in the cache after their TTL
333           expires.
334
335           This is useful when a DNS server failure occurs or becomes
336           unreachable. In such cases, systemd-resolved continues to use the
337           stale records to answer DNS queries, particularly when no valid
338           response can be obtained from the upstream DNS servers. However,
339           this doesn't apply to NXDOMAIN responses, as those are still
340           perfectly valid responses. This feature enhances resilience against
341           DNS infrastructure failures and outages.
342
343           systemd-resolved always attempts to reach the upstream DNS servers
344           first, before providing the client application with any stale data.
345           If this feature is enabled, cache will not be flushed when changing
346           servers.
347

SEE ALSO

349       systemd(1), systemd-resolved.service(8), systemd-networkd.service(8),
350       dnssec-trust-anchors.d(5), resolv.conf(5)
351

NOTES

353        1. RFC 4795
354           https://tools.ietf.org/html/rfc4795
355
356        2. RFC 6762
357           https://tools.ietf.org/html/rfc6762
358
359        3. IAB Statement
360           https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/
361
362
363
364systemd 254                                                   RESOLVED.CONF(5)
Impressum