🆕 Software Suggestion | systemd-resolved #1448

Closed
opened 2019-10-30 12:08:06 +00:00 by Mikaela · 5 comments
Mikaela commented 2019-10-30 12:08:06 +00:00 (Migrated from github.com)

Basic Information

Name: systemd-resolved
Category: DNS-over-TLS client
URL: https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html

Description

systemd-resolved is a DNS client included in systemd; it has support for DNSSEC and DNS-over-TLS. If I understand correctly, it has ~~recently~~ gotten ~~(or will soon receive)~~ support for DoT strict mode in version 243 (rather than being vulnerable to downgrade attack) and I think we could finally list it on the DNS page.

The instructions may get a bit long, so I guess this involves linking to a source such as Arch Wiki (https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS) on how to use it.

Blocker: https://github.com/systemd/systemd/issues/9397

shibumi commented 2019-10-30 21:31:14 +00:00 (Migrated from github.com)

@Mikaela it has already strict mode since version 243, version 244 will just get stricter host certificate checking to prevent man-in-the-middle attacks.

Mikaela commented 2019-10-31 14:44:35 +00:00 (Migrated from github.com)

Thanks for the correction :)


Meanwhile in the team chat, we had a small discussion (to use the word loosely as I only gave the short instructions before starting to type this comment and I am not even booted to Linux at the moment) on this feature:

> iirc systemd-resolved operates or does not operate based on distribution

Where I replied (not bothering to quote myself):

It can be enabled on any

  1. tell NetworkManager.conf (or preferably conf.d/something.conf)

     ```
     [main]
     dns=systemd-resolved
     ```

  2. sudo systemctl enable systemd-resolved --now
  3. restart NetworkManager

and if you want to configure it further than the DNS servers from NetworkManager and enable features like DoT or local DNSSEC validation, you drop files in /etc/systemd/resolved.conf.d/


Typing this I also remember that blog.privacytools.io is a thing, but for some reason I still think external link such as Arch Wiki would be a better idea.

Oh and I am of course assuming that the distribution in question is using NetworkManager or the user hasn't replaced it.

shibumi commented 2019-10-31 15:26:10 +00:00 (Migrated from github.com)

Here is an example setup with stub resolver:

/etc/resolv.conf:

nameserver 127.0.0.53
options edns0

/etc/systemd/resolved.conf

[Resolve]
DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
DNSSEC=yes
DNSOverTLS=yes
Cache=yes
DNSStubListener=udp

(keep in mind DNS over TLS is still buggy with systemd 243 and Cloudflare, they will fix this with systemd 244)

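The NetworkManager steps Mikaela lists above and the resolved.conf shibumi posted, combined into one script that stages both drop-ins and checks that DoT is actually strict. This is an added example written for this page, not code from the thread or from the systemd project; the drop-in file names (10-resolved.conf, 10-dot.conf), the ROOT staging directory and the choice of Cloudflare servers with the `#hostname` suffix are this example's assumptions.

```shell
#!/bin/sh
# Added example: stage the NetworkManager -> systemd-resolved handover and a strict
# DoT/DNSSEC resolved.conf.d fragment under ROOT, then verify them. Run with a scratch
# ROOT to review the files, or "apply" as root to write to / and restart services.
# File names, ROOT and the server list are this example's choices, not the thread's.
set -eu

# Upstream DoT servers. The "#hostname" suffix is resolved's syntax for the TLS server
# name; the stricter certificate check shibumi mentions (v244) validates against it.
DOT_SERVERS='1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com'

# write_nm_dropin ROOT: tell NetworkManager to hand DNS to systemd-resolved (step 1).
write_nm_dropin() {
    mkdir -p "$1/etc/NetworkManager/conf.d"
    cat > "$1/etc/NetworkManager/conf.d/10-resolved.conf" <<'EOF'
[main]
dns=systemd-resolved
EOF
}

# write_resolved_dropin ROOT SERVERS: strict DoT plus local DNSSEC validation.
# DNSOverTLS=yes never falls back to plaintext; "opportunistic" would silently
# downgrade when an on-path attacker blocks port 853, which is the weakness the
# thread's "strict mode" avoids.
write_resolved_dropin() {
    mkdir -p "$1/etc/systemd/resolved.conf.d"
    cat > "$1/etc/systemd/resolved.conf.d/10-dot.conf" <<EOF
[Resolve]
DNS=$2
DNSOverTLS=yes
DNSSEC=yes
EOF
}

# setting FILE KEY: print the value of KEY=... from an ini-style fragment (last one wins).
setting() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# dot_is_strict FILE: succeed only if DNSOverTLS is exactly "yes" (not opportunistic, not unset).
dot_is_strict() {
    [ "$(setting "$1" DNSOverTLS)" = "yes" ]
}

# stage ROOT: write both fragments below ROOT ("" targets the real /etc).
stage() {
    write_nm_dropin "$1"
    write_resolved_dropin "$1" "$DOT_SERVERS"
}

# apply_live: steps 2 and 3 from the thread, run as root after stage "".
apply_live() {
    systemctl enable systemd-resolved --now
    # point /etc/resolv.conf at the 127.0.0.53 stub, matching shibumi's resolv.conf
    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
    systemctl restart NetworkManager
    resolvectl status   # inspect per-link DNS servers, DNSSEC and DNSOverTLS state
}

case "${1:-}" in
    stage) stage "${2:?usage: $0 stage ROOTDIR | apply}" ;;
    apply) stage "" && apply_live ;;
esac
```

Stage into a scratch directory first (`sh dot-setup.sh stage /tmp/review`) and diff the result against what the distribution already ships; `dot_is_strict` is the check worth keeping in a hardening script, since a stray `DNSOverTLS=opportunistic` from another drop-in reintroduces the downgrade path.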
dngray commented 2020-03-26 18:41:53 +00:00 (Migrated from github.com)

Is this still an issue?

shibumi commented 2020-03-26 20:02:07 +00:00 (Migrated from github.com)

@dngray no, systemd-resolved works fine now and it even supports hostname SNI validation from the newest version.

Reference: privacyguides/privacytools.io#1448