]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/resolved.conf.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
man: more hyperlinks and other fixes
[thirdparty/systemd.git] / man / resolved.conf.xml
CommitLineData
514094f9 1<?xml version='1.0'?>
3a54a157 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
e803cf21
ZJS		 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4<!ENTITY % entities SYSTEM "custom-entities.ent" >
5%entities;
6]>
db9ecf05 7<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
091a364c 8
1ec57f33 9<refentry id="resolved.conf" conditional='ENABLE_RESOLVE'
798d3a52
ZJS		 10 xmlns:xi="http://www.w3.org/2001/XInclude">
11 <refentryinfo>
12 <title>resolved.conf</title>
13 <productname>systemd</productname>
798d3a52
ZJS		 14 </refentryinfo>
15
16 <refmeta>
17 <refentrytitle>resolved.conf</refentrytitle>
18 <manvolnum>5</manvolnum>
19 </refmeta>
20
21 <refnamediv>
22 <refname>resolved.conf</refname>
23 <refname>resolved.conf.d</refname>
24 <refpurpose>Network Name Resolution configuration files</refpurpose>
25 </refnamediv>
26
27 <refsynopsisdiv>
12b42c76
TG		 28 <para><filename>/etc/systemd/resolved.conf</filename></para>
29 <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para>
798d3a52 30 <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para>
12b42c76 31 <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para>
798d3a52
ZJS		 32 </refsynopsisdiv>
33
34 <refsect1>
35 <title>Description</title>
36
37 <para>These configuration files control local DNS and LLMNR
a8eaaee7 38 name resolution.</para>
798d3a52
ZJS		 39
40 </refsect1>
41
e93549ef 42 <xi:include href="standard-conf.xml" xpointer="main-conf" />
798d3a52
ZJS		 43
44 <refsect1>
45 <title>Options</title>
46
bdac5608 47 <para>The following options are available in the [Resolve] section:</para>
dbc7bede 48
798d3a52
ZJS		 49 <variablelist class='network-directives'>
50
51 <varlistentry>
52 <term><varname>DNS=</varname></term>
711dd5db
YW		 53 <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. Each address can
54 optionally take a port number separated with <literal>:</literal>, a network interface name or index separated with
55 <literal>%</literal>, and a Server Name Indication (SNI) separated with <literal>#</literal>. When IPv6 address is
56 specified with a port number, then the address must be in the square brackets. That is, the acceptable full formats
57 are <literal>111.222.333.444:9953%ifname#example.com</literal> for IPv4 and
58 <literal>[1111:2222::3333]:9953%ifname#example.com</literal> for IPv6. DNS requests are sent to one of the listed
59 DNS servers in parallel to suitable per-link DNS servers acquired from
adc800a6
LP		 60 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
61 set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS
62 servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers
ec07c3c8
AK		 63 are configured in it. This setting defaults to the empty list.</para>
64
65 <xi:include href="version-info.xml" xpointer="v213"/></listitem>
798d3a52
ZJS		 66 </varlistentry>
67
68 <varlistentry>
69 <term><varname>FallbackDNS=</varname></term>
711dd5db 70 <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Please see
22c2f841 71 <varname>DNS=</varname> for acceptable format of addresses. Any per-link DNS servers obtained from
798d3a52 72 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
adc800a6
LP		 73 take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or
74 <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is
ec07c3c8
AK		 75 known. If this option is not given, a compiled-in list of DNS servers is used instead.</para>
76
77 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
798d3a52
ZJS		 78 </varlistentry>
79
a51c1048
LP		 80 <varlistentry>
81 <term><varname>Domains=</varname></term>
87291a26 82 <listitem><para>A space-separated list of domains, optionally prefixed with <literal>~</literal>,
801d25ef
ZJS		 83 used for two distinct purposes described below. Defaults to the empty list.</para>
84
85 <para>Any domains <emphasis>not</emphasis> prefixed with <literal>~</literal> are used as search
86 suffixes when resolving single-label hostnames (domain names which contain no dot), in order to
87 qualify them into fully-qualified domain names (FQDNs). These "search domains" are strictly processed
88 in the order they are specified in, until the name with the suffix appended is found. For
89 compatibility reasons, if this setting is not specified, the search domains listed in
90 <filename>/etc/resolv.conf</filename> with the <varname>search</varname> keyword are used instead, if
91 that file exists and any domains are configured in it.</para>
92
87291a26
ZJS		 93 <para>The domains prefixed with <literal>~</literal> are called "route-only domains". All domains
94 listed here (<emphasis>both search domains and route-only domains</emphasis> after removing the
95 <literal>~</literal> prefix) define a search path that preferably directs DNS queries to this
96 interface. This search path has an effect only when suitable per-link DNS servers are known. Such
97 servers may be defined through the <varname>DNS=</varname> setting (see above) and dynamically at run
98 time, for example from DHCP leases. If no per-link DNS servers are known, route-only domains have no
99 effect.</para>
801d25ef
ZJS		 100
101 <para>Use the construct <literal>~.</literal> (which is composed from <literal>~</literal> to
87291a26 102 indicate a route-only domain and <literal>.</literal> to indicate the DNS root domain that is the
801d25ef 103 implied suffix of all DNS domains) to use the DNS servers defined for this link preferably for all
87291a26
ZJS		 104 domains.</para>
105
106 <para>See "Protocols and Routing" in
107 <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
108 for details of how search and route-only domains are used.</para>
ec07c3c8
AK		 109
110 <xi:include href="version-info.xml" xpointer="v229"/>
87291a26 111 </listitem>
a51c1048
LP		 112 </varlistentry>
113
798d3a52
ZJS		 114 <varlistentry>
115 <term><varname>LLMNR=</varname></term>
116 <listitem><para>Takes a boolean argument or
117 <literal>resolve</literal>. Controls Link-Local Multicast Name
118 Resolution support (<ulink
eaaec6cc 119 url="https://tools.ietf.org/html/rfc4795">RFC 4795</ulink>) on
b938cb90 120 the local host. If true, enables full LLMNR responder and
a8eaaee7
JE		 121 resolver support. If false, disables both. If set to
122 <literal>resolve</literal>, only resolution support is enabled,
798d3a52
ZJS		 123 but responding is disabled. Note that
124 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
adc800a6
LP		 125 also maintains per-link LLMNR settings. LLMNR will be
126 enabled on a link only if the per-link and the
ec07c3c8
AK		 127 global setting is on.</para>
128
129 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
798d3a52
ZJS		 130 </varlistentry>
131
77525fdc
YW		 132 <varlistentry>
133 <term><varname>MulticastDNS=</varname></term>
134 <listitem><para>Takes a boolean argument or
135 <literal>resolve</literal>. Controls Multicast DNS support (<ulink
136 url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on
137 the local host. If true, enables full Multicast DNS responder and
138 resolver support. If false, disables both. If set to
139 <literal>resolve</literal>, only resolution support is enabled,
140 but responding is disabled. Note that
141 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
142 also maintains per-link Multicast DNS settings. Multicast DNS will be
143 enabled on a link only if the per-link and the
ec07c3c8
AK		 144 global setting is on.</para>
145
146 <xi:include href="version-info.xml" xpointer="v234"/></listitem>
77525fdc
YW		 147 </varlistentry>
148
519d39de
LP		 149 <varlistentry>
150 <term><varname>DNSSEC=</varname></term>
e51846ad
ZJS		 151 <listitem><para>Takes a boolean argument or <literal>allow-downgrade</literal>.</para>
152
153 <para>If set to true, all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast
154 DNS). If the response to a lookup request is detected to be invalid a lookup failure is returned to
155 applications. Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does
156 not properly support DNSSEC all validations will fail.</para>
157
158 <para>If set to <literal>allow-downgrade</literal>, DNSSEC validation is attempted, but if the server
159 does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes
160 DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a
161 downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not
162 supported.</para>
163
164 <para>If set to false, DNS lookups are not DNSSEC validated. In this mode, or when set to
165 <literal>allow-downgrade</literal> and the downgrade has happened, the resolver becomes
166 security-unaware and all forwarded queries have DNSSEC OK (DO) bit unset.</para>
167
168 <para>Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a
169 small DNS lookup time penalty.</para>
519d39de
LP		 170
171 <para>DNSSEC requires knowledge of "trust anchors" to prove
172 data integrity. The trust anchor for the Internet root domain
b5a8703f
LP		 173 is built into the resolver, additional trust anchors may be
174 defined with
175 <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
c542f805 176 Trust anchors may change at regular intervals, and old trust
b5a8703f
LP		 177 anchors may be revoked. In such a case DNSSEC validation is
178 not possible until new trust anchors are configured locally or
179 the resolver software package is updated with the new root
180 trust anchor. In effect, when the built-in trust anchor is
181 revoked and <varname>DNSSEC=</varname> is true, all further
182 lookups will fail, as it cannot be proved anymore whether
183 lookups are correctly signed, or validly unsigned. If
519d39de 184 <varname>DNSSEC=</varname> is set to
1ed8c0fb 185 <literal>allow-downgrade</literal> the resolver will
d57d3973 186 automatically turn off DNSSEC validation in such a case.</para>
519d39de
LP		 187
188 <para>Client programs looking up DNS data will be informed
189 whether lookups could be verified using DNSSEC, or whether the
190 returned data could not be verified (either because the data
191 was found unsigned in the DNS, or the DNS server did not
192 support DNSSEC or no appropriate trust anchors were known). In
193 the latter case it is assumed that client programs employ a
194 secondary scheme to validate the returned DNS data, should
195 this be required.</para>
196
197 <para>It is recommended to set <varname>DNSSEC=</varname> to
d57d3973 198 true on systems where it is known that the DNS server supports
519d39de
LP		 199 DNSSEC correctly, and where software or trust anchor updates
200 happen regularly. On other systems it is recommended to set
201 <varname>DNSSEC=</varname> to
1ed8c0fb 202 <literal>allow-downgrade</literal>.</para>
ad6c0475
LP		 203
204 <para>In addition to this global DNSSEC setting
205 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
adc800a6 206 also maintains per-link DNSSEC settings. For system DNS
ad6c0475 207 servers (see above), only the global DNSSEC setting is in
adc800a6 208 effect. For per-link DNS servers the per-link
ad6c0475
LP		 209 setting is in effect, unless it is unset in which case the
210 global setting is used instead.</para>
211
d33b6cf3
LP		 212 <para>Site-private DNS zones generally conflict with DNSSEC
213 operation, unless a negative (if the private zone is not
214 signed) or positive (if the private zone is signed) trust
215 anchor is configured for them. If
216 <literal>allow-downgrade</literal> mode is selected, it is
217 attempted to detect site-private DNS zones using top-level
218 domains (TLDs) that are not known by the DNS root server. This
219 logic does not work in all private zone setups.</para>
220
e803cf21 221 <para>Defaults to <literal>&DEFAULT_DNSSEC_MODE;</literal>.</para>
ec07c3c8
AK		 222
223 <xi:include href="version-info.xml" xpointer="v229"/>
519d39de
LP		 224 </listitem>
225 </varlistentry>
226
30e59c84 227 <varlistentry>
c9299be2 228 <term><varname>DNSOverTLS=</varname></term>
30e59c84 229 <listitem>
eec394f1
JT		 230 <para>Takes a boolean argument or <literal>opportunistic</literal>. If
231 true all connections to the server will be encrypted. Note that this
232 mode requires a DNS server that supports DNS-over-TLS and has a valid
233 certificate. If the hostname was specified in <varname>DNS=</varname>
84b10e53 234 by using the format <literal>address#server_name</literal> it
eec394f1
JT		 235 is used to validate its certificate and also to enable Server Name
236 Indication (SNI) when opening a TLS connection. Otherwise
237 the certificate is checked against the server's IP.
238 If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para>
239
240 <para>When set to <literal>opportunistic</literal>
30e59c84
IT		 241 DNS request are attempted to send encrypted with DNS-over-TLS.
242 If the DNS server does not support TLS, DNS-over-TLS is disabled.
243 Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
244 attacks, where an attacker might be able to trigger a downgrade
245 to non-encrypted mode by synthesizing a response that suggests
246 DNS-over-TLS was not supported. If set to false, DNS lookups
247 are send over UDP.</para>
248
249 <para>Note that DNS-over-TLS requires additional data to be
250 send for setting up an encrypted connection, and thus results
251 in a small DNS look-up time penalty.</para>
252
2f2b28ab
RS		 253 <para>Note that in <literal>opportunistic</literal> mode the
254 resolver is not capable of authenticating the server, so it is
255 vulnerable to "man-in-the-middle" attacks.</para>
30e59c84 256
bb4cbb25 257 <para>In addition to this global <varname>DNSOverTLS=</varname> setting
30e59c84 258 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
bb4cbb25
LP		 259 also maintains per-link <varname>DNSOverTLS=</varname> settings. For system DNS servers (see above), only the global
260 <varname>DNSOverTLS=</varname> setting is in effect. For per-link DNS servers the per-link setting is in effect, unless
261 it is unset in which case the global setting is used instead.</para>
30e59c84 262
e803cf21 263 <para>Defaults to <literal>&DEFAULT_DNS_OVER_TLS_MODE;</literal>.</para>
ec07c3c8
AK		 264
265 <xi:include href="version-info.xml" xpointer="v239"/>
30e59c84
IT		 266 </listitem>
267 </varlistentry>
268
ceeddf79
MP		 269 <varlistentry>
270 <term><varname>Cache=</varname></term>
d8c73cb7
ZJS		 271 <listitem><para>Takes a boolean or <literal>no-negative</literal> as argument. If
272 <literal>yes</literal> (the default), resolving a domain name which already got queried earlier will
273 return the previous result as long as it is still valid, and thus does not result in a new network
274 request. Be aware that turning off caching comes at a performance penalty, which is particularly high
275 when DNSSEC is used. If <literal>no-negative</literal>, only positive answers are cached.</para>
5bd73426 276
6d8325f6 277 <para>Note that caching is turned off by default for host-local DNS servers.
ec07c3c8
AK		 278 See <varname>CacheFromLocalhost=</varname> for details.</para>
279
280 <xi:include href="version-info.xml" xpointer="v231"/></listitem>
6d8325f6
PS		 281 </varlistentry>
282
283 <varlistentry>
284 <term><varname>CacheFromLocalhost=</varname></term>
285 <listitem><para>Takes a boolean as argument. If <literal>no</literal> (the default), and response cames from
286 host-local IP address (such as 127.0.0.1 or ::1), the result wouldn't be cached in order to avoid
287 potential duplicate local caching.</para>
ec07c3c8
AK		 288
289 <xi:include href="version-info.xml" xpointer="v248"/>
6d8325f6 290 </listitem>
ceeddf79
MP		 291 </varlistentry>
292
1ae43295
DM		 293 <varlistentry>
294 <term><varname>DNSStubListener=</varname></term>
a8d09063
LP		 295 <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and
296 <literal>tcp</literal>. If <literal>udp</literal>, a DNS stub resolver will listen for UDP requests
297 on addresses 127.0.0.53 and 127.0.0.54, port 53. If <literal>tcp</literal>, the stub will listen for
298 TCP requests on the same addresses and port. If <literal>yes</literal> (the default), the stub listens
299 for both UDP and TCP requests. If <literal>no</literal>, the stub listener is disabled.</para>
300
301 <xi:include href="systemd-resolved.service.xml" xpointer="proxy-stub" />
1ae43295
DM		 302
303 <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already
ec07c3c8
AK		 304 in use.</para>
305
306 <xi:include href="version-info.xml" xpointer="v232"/></listitem>
1ae43295
DM		 307 </varlistentry>
308
1f05101f
SS		 309 <varlistentry>
310 <term><varname>DNSStubListenerExtra=</varname></term>
6421194b
YW		 311 <listitem><para>Takes an IPv4 or IPv6 address to listen on. The address may be optionally
312 prefixed with a protocol name (<literal>udp</literal> or <literal>tcp</literal>) separated with
313 <literal>:</literal>. If the protocol is not specified, the service will listen on both UDP and
314 TCP. It may be also optionally suffixed by a numeric port number with separator
315 <literal>:</literal>. When an IPv6 address is specified with a port number, then the address
316 must be in the square brackets. If the port is not specified, then the service uses port 53.
317 Note that this is independent of the primary DNS stub configured with
318 <varname>DNSStubListener=</varname>, and only configures <emphasis>additional</emphasis>
319 sockets to listen on. This option can be specified multiple times. If an empty string is
320 assigned, then the all previous assignments are cleared. Defaults to unset.</para>
321
322 <para>Examples:
323 <programlisting>DNSStubListenerExtra=192.168.10.10
324DNSStubListenerExtra=2001:db8:0:f102::10
325DNSStubListenerExtra=192.168.10.11:9953
326DNSStubListenerExtra=[2001:db8:0:f102::11]:9953
327DNSStubListenerExtra=tcp:192.168.10.12
328DNSStubListenerExtra=udp:2001:db8:0:f102::12
329DNSStubListenerExtra=tcp:192.168.10.13:9953
330DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953</programlisting>
ec07c3c8
AK		 331 </para>
332
333 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
1f05101f
SS		 334 </varlistentry>
335
86317087
YW		 336 <varlistentry>
337 <term><varname>ReadEtcHosts=</varname></term>
2bd5e1b2
ZJS		 338 <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default),
339 <command>systemd-resolved</command> will read <filename>/etc/hosts</filename>, and try to resolve
340 hosts or address by using the entries in the file before sending query to DNS servers.
ec07c3c8
AK		 341 </para>
342
343 <xi:include href="version-info.xml" xpointer="v240"/></listitem>
86317087
YW		 344 </varlistentry>
345
2bd5e1b2
ZJS		 346 <varlistentry>
347 <term><varname>ResolveUnicastSingleLabel=</varname></term>
348 <listitem><para>Takes a boolean argument. When false (the default),
349 <command>systemd-resolved</command> will not resolve A and AAAA queries for single-label names over
350 classic DNS. Note that such names may still be resolved if search domains are specified (see
351 <varname>Domains=</varname> above), or using other mechanisms, in particular via LLMNR or from
352 <filename>/etc/hosts</filename>. When true, queries for single-label names will be forwarded to
353 global DNS servers even if no search domains are defined.
354 </para>
355
356 <para>This option is provided for compatibility with configurations where <emphasis>public DNS
357 servers are not used</emphasis>. Forwarding single-label names to servers not under your control is
358 not standard-conformant, see <ulink
359 url="https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB
ec07c3c8
AK		 360 Statement</ulink>, and may create a privacy and security risk.</para>
361
362 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
2bd5e1b2 363 </varlistentry>
5ed91481
KV		 364 <varlistentry>
365 <term>StaleRetentionSec=<replaceable>SECONDS</replaceable></term>
bf63dadb
ZJS		 366 <listitem><para>Takes a duration value, which determines the length of time DNS resource records can
367 be retained in the cache beyond their Time To Live (TTL). This allows these records to be returned as
368 stale records. By default, this value is set to zero, meaning that DNS resource records are not
369 stored in the cache after their TTL expires.</para>
370
371 <para>This is useful when a DNS server failure occurs or becomes unreachable. In such cases,
372 <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>
373 continues to use the stale records to answer DNS queries, particularly when no valid response can be
374 obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those
375 are still perfectly valid responses. This feature enhances resilience against DNS infrastructure
376 failures and outages.</para>
377
378 <para><command>systemd-resolved</command> always attempts to reach the upstream DNS servers first,
379 before providing the client application with any stale data. If this feature is enabled, cache will
380 not be flushed when changing servers.</para>
ec07c3c8
AK		 381
382 <xi:include href="version-info.xml" xpointer="v254"/>
5ed91481
KV		 383 </listitem>
384 </varlistentry>
798d3a52
ZJS		 385 </variablelist>
386 </refsect1>
387
388 <refsect1>
389 <title>See Also</title>
390 <para>
391 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
392 <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
393 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
b5a8703f 394 <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
12c0bb31 395 <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
798d3a52
ZJS		 396 </para>
397 </refsect1>
091a364c
TG		 398
399</refentry>
Unnamed repository; edit this file 'description' to name the repository.