Privacytools.io: 🆕 Software Suggestion | systemd-resolved

Created on 30 Oct 2019 · 5 Comments · Source: privacytools/privacytools.io

Basic Information

Name: systemd-resolved
Category: DNS-over-TLS client
URL: https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html

Description

systemd-resolved is a DNS client included in systemd; it has support for DNSSEC and DNS-over-TLS. If I understand correctly, it has recently gotten (or will soon receive) support for DoT strict mode in version 243 (rather than being vulnerable to a downgrade attack), and I think we could finally list it on the DNS page.

The instructions may get a bit long, so I guess this involves linking to a source such as Arch Wiki on how to use it.

Blocker: https://github.com/systemd/systemd/issues/9397

OS feedback wanted 🆕 software suggestion 🗄️ DNS

All 5 comments

@Mikaela it has already had strict mode since version 243; version 244 will just get stricter host certificate checking to prevent man-in-the-middle attacks.

Thanks for the correction :)


Meanwhile in the team chat, we had a small discussion (to use the word loosely as I only gave the short instructions before starting to type this comment and I am not even booted to Linux at the moment) on this feature:

iirc systemd-resolved operates or does not operate based on distribution

Where I replied (not bothering to quote myself):

It can be enabled on any

  1. tell NetworkManager.conf (or preferably conf.d/something.conf):

     [main]
     dns=systemd-resolved

  2. sudo systemctl enable systemd-resolved --now
  3. restart NetworkManager

and if you want to configure it further than the DNS servers from NetworkManager and enable features like DoT or local DNSSEC validation, you drop files in /etc/systemd/resolved.conf.d/


Typing this I also remember that blog.privacytools.io is a thing, but for some reason I still think an external link such as the Arch Wiki would be a better idea.

Oh and I am of course assuming that the distribution in question is using NetworkManager or the user hasn't replaced it.

Here is an example setup with a stub resolver:

/etc/resolv.conf:

nameserver 127.0.0.53
options edns0

/etc/systemd/resolved.conf:

[Resolve]
DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
DNSSEC=yes
DNSOverTLS=yes
Cache=yes
DNSStubListener=udp

(keep in mind DNS over TLS is still buggy with systemd 243 and Cloudflare; they will fix this with systemd 244)
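As an added example that is not from the thread: a POSIX shell script that computes the effective DNSOverTLS and DNSSEC modes from resolved.conf plus the resolved.conf.d/ drop-ins mentioned in the earlier comment, and flags the downgradable values (`opportunistic`, `allow-downgrade`) as opposed to the strict `yes` shown above. The drop-in precedence rule it applies, the sample files it writes and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the issue thread: compute the *effective* systemd-resolved
# setting from /etc/systemd/resolved.conf plus its resolved.conf.d/ drop-ins, then
# check that DNS-over-TLS and DNSSEC are in their strict (non-downgradable) modes.
# Assumed semantics (systemd's drop-in rule): the main file is read first, then
# conf.d/*.conf in sorted order, and the last assignment of a key wins.
# Input files are constructed below so the script runs offline on a plain POSIX sh.

# effective_setting KEY MAIN_FILE DROPIN_DIR -> prints the winning value, or "unset"
effective_setting() {
    {
        [ -f "$2" ] && cat "$2"
        for f in "$3"/*.conf; do [ -f "$f" ] && cat "$f"; done
    } | awk -F= -v key="$1" '
        /^[ \t]*\[/ { section = $0; next }          # remember the current section
        section ~ /^\[Resolve\]/ && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)   # last one wins
        }
        END { print (val == "" ? "unset" : val) }'
}

# dot_is_strict MAIN_FILE DROPIN_DIR -> exit 0 only when DoT is "yes" (strict, not
# "opportunistic") and DNSSEC is "yes" (not "allow-downgrade"); prints both modes.
dot_is_strict() {
    tls=$(effective_setting DNSOverTLS "$1" "$2")
    sec=$(effective_setting DNSSEC "$1" "$2")
    echo "DNSOverTLS=$tls DNSSEC=$sec"
    [ "$tls" = yes ] && [ "$sec" = yes ]
}

# write_sample_config DIR: constructed fixture, a downgradable distro default plus a
# drop-in of the kind the thread recommends that switches both features to strict.
write_sample_config() {
    mkdir -p "$1/resolved.conf.d"
    printf '[Resolve]\nDNSOverTLS=opportunistic\nDNSSEC=allow-downgrade\n' > "$1/resolved.conf"
    printf '[Resolve]\nDNS=1.1.1.1 1.0.0.1\nDNSOverTLS=yes\nDNSSEC=yes\n' \
        > "$1/resolved.conf.d/10-dot.conf"
}

SAMPLE=$(mktemp -d)
write_sample_config "$SAMPLE"
# Main file alone: both features fall back to plaintext/unsigned if the server
# does not cooperate, which is the downgrade the thread is concerned about.
dot_is_strict "$SAMPLE/resolved.conf" "$SAMPLE/no-such-dir" || echo "-> downgradable"
# With the drop-in applied: a resolver that cannot do TLS/DNSSEC fails closed.
dot_is_strict "$SAMPLE/resolved.conf" "$SAMPLE/resolved.conf.d" && echo "-> strict"
rm -rf "$SAMPLE"
```

Point the two functions at the real /etc/systemd/resolved.conf and /etc/systemd/resolved.conf.d to audit a live host's configuration files rather than the constructed fixture.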

Is this still an issue?

@dngray no, systemd-resolved works fine now and it even supports hostname SNI validation from the newest version.
