🆕 Software Suggestion | systemd-resolved #1448
Reference: privacyguides/privacytools.io#1448
Basic Information
Name: systemd-resolved
Category: DNS-over-TLS client
URL: https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
Description
systemd-resolved is a DNS client included in systemd; it has support for DNSSEC and DNS-over-TLS. If I understand correctly, it has recently gotten (or will soon receive) support for DoT strict mode in version 243 (rather than being vulnerable to downgrade attack), and I think we could finally list it on the DNS page. The instructions may get a bit long, so I guess this involves linking to a source such as the Arch Wiki on how to use it.
Blocker: https://github.com/systemd/systemd/issues/9397
@Mikaela it has already had strict mode since version 243; version 244 will just get stricter host certificate checking to prevent man-in-the-middle attacks.
Thanks for the correction :)
Meanwhile, in the team chat we had a small discussion (to use the word loosely, as I only gave the short instructions before starting to type this comment, and I am not even booted into Linux at the moment) on this feature:
Where I replied (not bothering to quote myself):
It can be enabled on any NetworkManager.conf (or preferably conf.d/something.conf)

sudo systemctl enable systemd-resolved --now

and if you want to configure it further than the DNS servers from NetworkManager and enable features like DoT or local DNSSEC validation, you drop files in /etc/systemd/resolved.conf.d/
Typing this, I also remember that blog.privacytools.io is a thing, but for some reason I still think an external link such as the Arch Wiki would be a better idea.
Oh and I am of course assuming that the distribution in question is using NetworkManager or the user hasn't replaced it.
Here is an example setup with stub resolver:

/etc/resolv.conf:

/etc/systemd/resolved.conf:

(keep in mind DNS over TLS is still buggy with systemd 243 and Cloudflare; they will fix this with systemd 244)
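An added example, not code from the issue thread or from systemd: a POSIX shell script that writes the kind of resolved.conf.d drop-in the comments above describe (strict DoT plus local DNSSEC validation) and audits a resolved.conf for the settings that can be downgraded to plaintext or unsigned answers. The Cloudflare addresses, the file name 10-dns-over-tls.conf and the root-directory argument (so it can be exercised outside /etc) are my choices.

```shell
#!/bin/sh
# Added example (not from the issue thread): generate a systemd-resolved
# drop-in for /etc/systemd/resolved.conf.d/ enabling strict DNS-over-TLS and
# DNSSEC, and audit a resolved.conf for downgradeable settings.

# Print the drop-in. "addr#name" supplies the TLS server name that
# systemd-resolved validates (the SNI/certificate check discussed above).
# Cloudflare is only a sample upstream (assumption).
resolved_dropin() {
    cat <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
# empty: do not fall back to the compiled-in resolvers
FallbackDNS=
# yes = strict: fail closed rather than fall back to plaintext port 53
DNSOverTLS=yes
# yes = validate locally; allow-downgrade would accept unsigned answers
DNSSEC=yes
EOF
}

# Write the drop-in under $1/etc/systemd/resolved.conf.d/ and print its path.
# On a real host: install_dropin "" && systemctl restart systemd-resolved,
# then confirm the active settings with "resolvectl status".
install_dropin() {
    dir="$1/etc/systemd/resolved.conf.d"
    mkdir -p "$dir"
    resolved_dropin > "$dir/10-dns-over-tls.conf"
    printf '%s\n' "$dir/10-dns-over-tls.conf"
}

# Return 0 when a resolved.conf requests strict DoT and DNSSEC, 1 otherwise.
# Only the last assignment counts, matching systemd's "last one wins" rule.
audit_resolved() {
    file=$1; status=0
    dot=$(grep -E '^[[:space:]]*DNSOverTLS=' "$file" | tail -n 1 | cut -d= -f2-)
    dnssec=$(grep -E '^[[:space:]]*DNSSEC=' "$file" | tail -n 1 | cut -d= -f2-)
    case "$dot" in
        yes|true) ;;
        opportunistic) echo "$file: DNSOverTLS=opportunistic can be downgraded to plaintext"; status=1 ;;
        *) echo "$file: DNSOverTLS is '${dot:-unset}', not yes"; status=1 ;;
    esac
    case "$dnssec" in
        yes|true) ;;
        *) echo "$file: DNSSEC is '${dnssec:-unset}', not yes"; status=1 ;;
    esac
    return "$status"
}
```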
Is this still an issue?
@dngray no, systemd-resolved works fine now, and it even supports hostname SNI validation from the newest version.