]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
e803cf21 ZJS |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
4 | <!ENTITY % entities SYSTEM "custom-entities.ent" > | |
5 | %entities; | |
6 | ]> | |
db9ecf05 | 7 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
091a364c | 8 | |
1ec57f33 | 9 | <refentry id="resolved.conf" conditional='ENABLE_RESOLVE' |
798d3a52 ZJS |
10 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
11 | <refentryinfo> | |
12 | <title>resolved.conf</title> | |
13 | <productname>systemd</productname> | |
798d3a52 ZJS |
14 | </refentryinfo> |
15 | ||
16 | <refmeta> | |
17 | <refentrytitle>resolved.conf</refentrytitle> | |
18 | <manvolnum>5</manvolnum> | |
19 | </refmeta> | |
20 | ||
21 | <refnamediv> | |
22 | <refname>resolved.conf</refname> | |
23 | <refname>resolved.conf.d</refname> | |
24 | <refpurpose>Network Name Resolution configuration files</refpurpose> | |
25 | </refnamediv> | |
26 | ||
27 | <refsynopsisdiv> | |
12b42c76 TG |
28 | <para><filename>/etc/systemd/resolved.conf</filename></para> |
29 | <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para> | |
798d3a52 | 30 | <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para> |
12b42c76 | 31 | <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para> |
798d3a52 ZJS |
32 | </refsynopsisdiv> |
33 | ||
34 | <refsect1> | |
35 | <title>Description</title> | |
36 | ||
37 | <para>These configuration files control local DNS and LLMNR | |
a8eaaee7 | 38 | name resolution.</para> |
798d3a52 ZJS |
39 | |
40 | </refsect1> | |
41 | ||
e93549ef | 42 | <xi:include href="standard-conf.xml" xpointer="main-conf" /> |
798d3a52 ZJS |
43 | |
44 | <refsect1> | |
45 | <title>Options</title> | |
46 | ||
bdac5608 | 47 | <para>The following options are available in the [Resolve] section:</para> |
dbc7bede | 48 | |
798d3a52 ZJS |
49 | <variablelist class='network-directives'> |
50 | ||
51 | <varlistentry> | |
52 | <term><varname>DNS=</varname></term> | |
711dd5db YW |
53 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. Each address can |
54 | optionally take a port number separated with <literal>:</literal>, a network interface name or index separated with | |
55 | <literal>%</literal>, and a Server Name Indication (SNI) separated with <literal>#</literal>. When IPv6 address is | |
56 | specified with a port number, then the address must be in the square brackets. That is, the acceptable full formats | |
57 | are <literal>111.222.333.444:9953%ifname#example.com</literal> for IPv4 and | |
58 | <literal>[1111:2222::3333]:9953%ifname#example.com</literal> for IPv6. DNS requests are sent to one of the listed | |
59 | DNS servers in parallel to suitable per-link DNS servers acquired from | |
adc800a6 LP |
60 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or |
61 | set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS | |
62 | servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers | |
ec07c3c8 AK |
63 | are configured in it. This setting defaults to the empty list.</para> |
64 | ||
65 | <xi:include href="version-info.xml" xpointer="v213"/></listitem> | |
798d3a52 ZJS |
66 | </varlistentry> |
67 | ||
68 | <varlistentry> | |
69 | <term><varname>FallbackDNS=</varname></term> | |
711dd5db | 70 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Please see |
22c2f841 | 71 | <varname>DNS=</varname> for acceptable format of addresses. Any per-link DNS servers obtained from |
798d3a52 | 72 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
adc800a6 LP |
73 | take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or |
74 | <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is | |
ec07c3c8 AK |
75 | known. If this option is not given, a compiled-in list of DNS servers is used instead.</para> |
76 | ||
77 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
78 | </varlistentry> |
79 | ||
a51c1048 LP |
80 | <varlistentry> |
81 | <term><varname>Domains=</varname></term> | |
87291a26 | 82 | <listitem><para>A space-separated list of domains, optionally prefixed with <literal>~</literal>, |
801d25ef ZJS |
83 | used for two distinct purposes described below. Defaults to the empty list.</para> |
84 | ||
85 | <para>Any domains <emphasis>not</emphasis> prefixed with <literal>~</literal> are used as search | |
86 | suffixes when resolving single-label hostnames (domain names which contain no dot), in order to | |
87 | qualify them into fully-qualified domain names (FQDNs). These "search domains" are strictly processed | |
88 | in the order they are specified in, until the name with the suffix appended is found. For | |
89 | compatibility reasons, if this setting is not specified, the search domains listed in | |
90 | <filename>/etc/resolv.conf</filename> with the <varname>search</varname> keyword are used instead, if | |
91 | that file exists and any domains are configured in it.</para> | |
92 | ||
87291a26 ZJS |
93 | <para>The domains prefixed with <literal>~</literal> are called "route-only domains". All domains |
94 | listed here (<emphasis>both search domains and route-only domains</emphasis> after removing the | |
95 | <literal>~</literal> prefix) define a search path that preferably directs DNS queries to this | |
96 | interface. This search path has an effect only when suitable per-link DNS servers are known. Such | |
97 | servers may be defined through the <varname>DNS=</varname> setting (see above) and dynamically at run | |
98 | time, for example from DHCP leases. If no per-link DNS servers are known, route-only domains have no | |
99 | effect.</para> | |
801d25ef ZJS |
100 | |
101 | <para>Use the construct <literal>~.</literal> (which is composed from <literal>~</literal> to | |
87291a26 | 102 | indicate a route-only domain and <literal>.</literal> to indicate the DNS root domain that is the |
801d25ef | 103 | implied suffix of all DNS domains) to use the DNS servers defined for this link preferably for all |
87291a26 ZJS |
104 | domains.</para> |
105 | ||
106 | <para>See "Protocols and Routing" in | |
107 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
108 | for details of how search and route-only domains are used.</para> | |
ec07c3c8 AK |
109 | |
110 | <xi:include href="version-info.xml" xpointer="v229"/> | |
87291a26 | 111 | </listitem> |
a51c1048 LP |
112 | </varlistentry> |
113 | ||
798d3a52 ZJS |
114 | <varlistentry> |
115 | <term><varname>LLMNR=</varname></term> | |
116 | <listitem><para>Takes a boolean argument or | |
117 | <literal>resolve</literal>. Controls Link-Local Multicast Name | |
118 | Resolution support (<ulink | |
eaaec6cc | 119 | url="https://tools.ietf.org/html/rfc4795">RFC 4795</ulink>) on |
b938cb90 | 120 | the local host. If true, enables full LLMNR responder and |
a8eaaee7 JE |
121 | resolver support. If false, disables both. If set to |
122 | <literal>resolve</literal>, only resolution support is enabled, | |
798d3a52 ZJS |
123 | but responding is disabled. Note that |
124 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 LP |
125 | also maintains per-link LLMNR settings. LLMNR will be |
126 | enabled on a link only if the per-link and the | |
ec07c3c8 AK |
127 | global setting is on.</para> |
128 | ||
129 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
130 | </varlistentry> |
131 | ||
77525fdc YW |
132 | <varlistentry> |
133 | <term><varname>MulticastDNS=</varname></term> | |
134 | <listitem><para>Takes a boolean argument or | |
135 | <literal>resolve</literal>. Controls Multicast DNS support (<ulink | |
136 | url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on | |
137 | the local host. If true, enables full Multicast DNS responder and | |
138 | resolver support. If false, disables both. If set to | |
139 | <literal>resolve</literal>, only resolution support is enabled, | |
140 | but responding is disabled. Note that | |
141 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
142 | also maintains per-link Multicast DNS settings. Multicast DNS will be | |
143 | enabled on a link only if the per-link and the | |
ec07c3c8 AK |
144 | global setting is on.</para> |
145 | ||
146 | <xi:include href="version-info.xml" xpointer="v234"/></listitem> | |
77525fdc YW |
147 | </varlistentry> |
148 | ||
519d39de LP |
149 | <varlistentry> |
150 | <term><varname>DNSSEC=</varname></term> | |
e51846ad ZJS |
151 | <listitem><para>Takes a boolean argument or <literal>allow-downgrade</literal>.</para> |
152 | ||
153 | <para>If set to true, all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast | |
154 | DNS). If the response to a lookup request is detected to be invalid a lookup failure is returned to | |
155 | applications. Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does | |
156 | not properly support DNSSEC all validations will fail.</para> | |
157 | ||
158 | <para>If set to <literal>allow-downgrade</literal>, DNSSEC validation is attempted, but if the server | |
159 | does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes | |
160 | DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a | |
161 | downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not | |
162 | supported.</para> | |
163 | ||
164 | <para>If set to false, DNS lookups are not DNSSEC validated. In this mode, or when set to | |
165 | <literal>allow-downgrade</literal> and the downgrade has happened, the resolver becomes | |
166 | security-unaware and all forwarded queries have DNSSEC OK (DO) bit unset.</para> | |
167 | ||
168 | <para>Note that DNSSEC validation requires retrieval of additional DNS data, and thus results in a | |
169 | small DNS lookup time penalty.</para> | |
519d39de LP |
170 | |
171 | <para>DNSSEC requires knowledge of "trust anchors" to prove | |
172 | data integrity. The trust anchor for the Internet root domain | |
b5a8703f LP |
173 | is built into the resolver, additional trust anchors may be |
174 | defined with | |
175 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
c542f805 | 176 | Trust anchors may change at regular intervals, and old trust |
b5a8703f LP |
177 | anchors may be revoked. In such a case DNSSEC validation is |
178 | not possible until new trust anchors are configured locally or | |
179 | the resolver software package is updated with the new root | |
180 | trust anchor. In effect, when the built-in trust anchor is | |
181 | revoked and <varname>DNSSEC=</varname> is true, all further | |
182 | lookups will fail, as it cannot be proved anymore whether | |
183 | lookups are correctly signed, or validly unsigned. If | |
519d39de | 184 | <varname>DNSSEC=</varname> is set to |
1ed8c0fb | 185 | <literal>allow-downgrade</literal> the resolver will |
d57d3973 | 186 | automatically turn off DNSSEC validation in such a case.</para> |
519d39de LP |
187 | |
188 | <para>Client programs looking up DNS data will be informed | |
189 | whether lookups could be verified using DNSSEC, or whether the | |
190 | returned data could not be verified (either because the data | |
191 | was found unsigned in the DNS, or the DNS server did not | |
192 | support DNSSEC or no appropriate trust anchors were known). In | |
193 | the latter case it is assumed that client programs employ a | |
194 | secondary scheme to validate the returned DNS data, should | |
195 | this be required.</para> | |
196 | ||
197 | <para>It is recommended to set <varname>DNSSEC=</varname> to | |
d57d3973 | 198 | true on systems where it is known that the DNS server supports |
519d39de LP |
199 | DNSSEC correctly, and where software or trust anchor updates |
200 | happen regularly. On other systems it is recommended to set | |
201 | <varname>DNSSEC=</varname> to | |
1ed8c0fb | 202 | <literal>allow-downgrade</literal>.</para> |
ad6c0475 LP |
203 | |
204 | <para>In addition to this global DNSSEC setting | |
205 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 | 206 | also maintains per-link DNSSEC settings. For system DNS |
ad6c0475 | 207 | servers (see above), only the global DNSSEC setting is in |
adc800a6 | 208 | effect. For per-link DNS servers the per-link |
ad6c0475 LP |
209 | setting is in effect, unless it is unset in which case the |
210 | global setting is used instead.</para> | |
211 | ||
d33b6cf3 LP |
212 | <para>Site-private DNS zones generally conflict with DNSSEC |
213 | operation, unless a negative (if the private zone is not | |
214 | signed) or positive (if the private zone is signed) trust | |
215 | anchor is configured for them. If | |
216 | <literal>allow-downgrade</literal> mode is selected, it is | |
217 | attempted to detect site-private DNS zones using top-level | |
218 | domains (TLDs) that are not known by the DNS root server. This | |
219 | logic does not work in all private zone setups.</para> | |
220 | ||
e803cf21 | 221 | <para>Defaults to <literal>&DEFAULT_DNSSEC_MODE;</literal>.</para> |
ec07c3c8 AK |
222 | |
223 | <xi:include href="version-info.xml" xpointer="v229"/> | |
519d39de LP |
224 | </listitem> |
225 | </varlistentry> | |
226 | ||
30e59c84 | 227 | <varlistentry> |
c9299be2 | 228 | <term><varname>DNSOverTLS=</varname></term> |
30e59c84 | 229 | <listitem> |
eec394f1 JT |
230 | <para>Takes a boolean argument or <literal>opportunistic</literal>. If |
231 | true all connections to the server will be encrypted. Note that this | |
232 | mode requires a DNS server that supports DNS-over-TLS and has a valid | |
233 | certificate. If the hostname was specified in <varname>DNS=</varname> | |
84b10e53 | 234 | by using the format <literal>address#server_name</literal> it |
eec394f1 JT |
235 | is used to validate its certificate and also to enable Server Name |
236 | Indication (SNI) when opening a TLS connection. Otherwise | |
237 | the certificate is checked against the server's IP. | |
238 | If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para> | |
239 | ||
240 | <para>When set to <literal>opportunistic</literal> | |
30e59c84 IT |
241 | DNS request are attempted to send encrypted with DNS-over-TLS. |
242 | If the DNS server does not support TLS, DNS-over-TLS is disabled. | |
243 | Note that this mode makes DNS-over-TLS vulnerable to "downgrade" | |
244 | attacks, where an attacker might be able to trigger a downgrade | |
245 | to non-encrypted mode by synthesizing a response that suggests | |
246 | DNS-over-TLS was not supported. If set to false, DNS lookups | |
247 | are send over UDP.</para> | |
248 | ||
249 | <para>Note that DNS-over-TLS requires additional data to be | |
250 | send for setting up an encrypted connection, and thus results | |
251 | in a small DNS look-up time penalty.</para> | |
252 | ||
2f2b28ab RS |
253 | <para>Note that in <literal>opportunistic</literal> mode the |
254 | resolver is not capable of authenticating the server, so it is | |
255 | vulnerable to "man-in-the-middle" attacks.</para> | |
30e59c84 | 256 | |
bb4cbb25 | 257 | <para>In addition to this global <varname>DNSOverTLS=</varname> setting |
30e59c84 | 258 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
bb4cbb25 LP |
259 | also maintains per-link <varname>DNSOverTLS=</varname> settings. For system DNS servers (see above), only the global |
260 | <varname>DNSOverTLS=</varname> setting is in effect. For per-link DNS servers the per-link setting is in effect, unless | |
261 | it is unset in which case the global setting is used instead.</para> | |
30e59c84 | 262 | |
e803cf21 | 263 | <para>Defaults to <literal>&DEFAULT_DNS_OVER_TLS_MODE;</literal>.</para> |
ec07c3c8 AK |
264 | |
265 | <xi:include href="version-info.xml" xpointer="v239"/> | |
30e59c84 IT |
266 | </listitem> |
267 | </varlistentry> | |
268 | ||
ceeddf79 MP |
269 | <varlistentry> |
270 | <term><varname>Cache=</varname></term> | |
d8c73cb7 ZJS |
271 | <listitem><para>Takes a boolean or <literal>no-negative</literal> as argument. If |
272 | <literal>yes</literal> (the default), resolving a domain name which already got queried earlier will | |
273 | return the previous result as long as it is still valid, and thus does not result in a new network | |
274 | request. Be aware that turning off caching comes at a performance penalty, which is particularly high | |
275 | when DNSSEC is used. If <literal>no-negative</literal>, only positive answers are cached.</para> | |
5bd73426 | 276 | |
6d8325f6 | 277 | <para>Note that caching is turned off by default for host-local DNS servers. |
ec07c3c8 AK |
278 | See <varname>CacheFromLocalhost=</varname> for details.</para> |
279 | ||
280 | <xi:include href="version-info.xml" xpointer="v231"/></listitem> | |
6d8325f6 PS |
281 | </varlistentry> |
282 | ||
283 | <varlistentry> | |
284 | <term><varname>CacheFromLocalhost=</varname></term> | |
285 | <listitem><para>Takes a boolean as argument. If <literal>no</literal> (the default), and response cames from | |
286 | host-local IP address (such as 127.0.0.1 or ::1), the result wouldn't be cached in order to avoid | |
287 | potential duplicate local caching.</para> | |
ec07c3c8 AK |
288 | |
289 | <xi:include href="version-info.xml" xpointer="v248"/> | |
6d8325f6 | 290 | </listitem> |
ceeddf79 MP |
291 | </varlistentry> |
292 | ||
1ae43295 DM |
293 | <varlistentry> |
294 | <term><varname>DNSStubListener=</varname></term> | |
a8d09063 LP |
295 | <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and |
296 | <literal>tcp</literal>. If <literal>udp</literal>, a DNS stub resolver will listen for UDP requests | |
297 | on addresses 127.0.0.53 and 127.0.0.54, port 53. If <literal>tcp</literal>, the stub will listen for | |
298 | TCP requests on the same addresses and port. If <literal>yes</literal> (the default), the stub listens | |
299 | for both UDP and TCP requests. If <literal>no</literal>, the stub listener is disabled.</para> | |
300 | ||
301 | <xi:include href="systemd-resolved.service.xml" xpointer="proxy-stub" /> | |
1ae43295 DM |
302 | |
303 | <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already | |
ec07c3c8 AK |
304 | in use.</para> |
305 | ||
306 | <xi:include href="version-info.xml" xpointer="v232"/></listitem> | |
1ae43295 DM |
307 | </varlistentry> |
308 | ||
1f05101f SS |
309 | <varlistentry> |
310 | <term><varname>DNSStubListenerExtra=</varname></term> | |
6421194b YW |
311 | <listitem><para>Takes an IPv4 or IPv6 address to listen on. The address may be optionally |
312 | prefixed with a protocol name (<literal>udp</literal> or <literal>tcp</literal>) separated with | |
313 | <literal>:</literal>. If the protocol is not specified, the service will listen on both UDP and | |
314 | TCP. It may be also optionally suffixed by a numeric port number with separator | |
315 | <literal>:</literal>. When an IPv6 address is specified with a port number, then the address | |
316 | must be in the square brackets. If the port is not specified, then the service uses port 53. | |
317 | Note that this is independent of the primary DNS stub configured with | |
318 | <varname>DNSStubListener=</varname>, and only configures <emphasis>additional</emphasis> | |
319 | sockets to listen on. This option can be specified multiple times. If an empty string is | |
320 | assigned, then the all previous assignments are cleared. Defaults to unset.</para> | |
321 | ||
322 | <para>Examples: | |
323 | <programlisting>DNSStubListenerExtra=192.168.10.10 | |
324 | DNSStubListenerExtra=2001:db8:0:f102::10 | |
325 | DNSStubListenerExtra=192.168.10.11:9953 | |
326 | DNSStubListenerExtra=[2001:db8:0:f102::11]:9953 | |
327 | DNSStubListenerExtra=tcp:192.168.10.12 | |
328 | DNSStubListenerExtra=udp:2001:db8:0:f102::12 | |
329 | DNSStubListenerExtra=tcp:192.168.10.13:9953 | |
330 | DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953</programlisting> | |
ec07c3c8 AK |
331 | </para> |
332 | ||
333 | <xi:include href="version-info.xml" xpointer="v247"/></listitem> | |
1f05101f SS |
334 | </varlistentry> |
335 | ||
86317087 YW |
336 | <varlistentry> |
337 | <term><varname>ReadEtcHosts=</varname></term> | |
2bd5e1b2 ZJS |
338 | <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), |
339 | <command>systemd-resolved</command> will read <filename>/etc/hosts</filename>, and try to resolve | |
340 | hosts or address by using the entries in the file before sending query to DNS servers. | |
ec07c3c8 AK |
341 | </para> |
342 | ||
343 | <xi:include href="version-info.xml" xpointer="v240"/></listitem> | |
86317087 YW |
344 | </varlistentry> |
345 | ||
2bd5e1b2 ZJS |
346 | <varlistentry> |
347 | <term><varname>ResolveUnicastSingleLabel=</varname></term> | |
348 | <listitem><para>Takes a boolean argument. When false (the default), | |
349 | <command>systemd-resolved</command> will not resolve A and AAAA queries for single-label names over | |
350 | classic DNS. Note that such names may still be resolved if search domains are specified (see | |
351 | <varname>Domains=</varname> above), or using other mechanisms, in particular via LLMNR or from | |
352 | <filename>/etc/hosts</filename>. When true, queries for single-label names will be forwarded to | |
353 | global DNS servers even if no search domains are defined. | |
354 | </para> | |
355 | ||
356 | <para>This option is provided for compatibility with configurations where <emphasis>public DNS | |
357 | servers are not used</emphasis>. Forwarding single-label names to servers not under your control is | |
358 | not standard-conformant, see <ulink | |
359 | url="https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB | |
ec07c3c8 AK |
360 | Statement</ulink>, and may create a privacy and security risk.</para> |
361 | ||
362 | <xi:include href="version-info.xml" xpointer="v246"/></listitem> | |
2bd5e1b2 | 363 | </varlistentry> |
5ed91481 KV |
364 | <varlistentry> |
365 | <term>StaleRetentionSec=<replaceable>SECONDS</replaceable></term> | |
bf63dadb ZJS |
366 | <listitem><para>Takes a duration value, which determines the length of time DNS resource records can |
367 | be retained in the cache beyond their Time To Live (TTL). This allows these records to be returned as | |
368 | stale records. By default, this value is set to zero, meaning that DNS resource records are not | |
369 | stored in the cache after their TTL expires.</para> | |
370 | ||
371 | <para>This is useful when a DNS server failure occurs or becomes unreachable. In such cases, | |
372 | <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
373 | continues to use the stale records to answer DNS queries, particularly when no valid response can be | |
374 | obtained from the upstream DNS servers. However, this doesn't apply to NXDOMAIN responses, as those | |
375 | are still perfectly valid responses. This feature enhances resilience against DNS infrastructure | |
376 | failures and outages.</para> | |
377 | ||
378 | <para><command>systemd-resolved</command> always attempts to reach the upstream DNS servers first, | |
379 | before providing the client application with any stale data. If this feature is enabled, cache will | |
380 | not be flushed when changing servers.</para> | |
ec07c3c8 AK |
381 | |
382 | <xi:include href="version-info.xml" xpointer="v254"/> | |
5ed91481 KV |
383 | </listitem> |
384 | </varlistentry> | |
798d3a52 ZJS |
385 | </variablelist> |
386 | </refsect1> | |
387 | ||
388 | <refsect1> | |
389 | <title>See Also</title> | |
390 | <para> | |
391 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
392 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
393 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
b5a8703f | 394 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
12c0bb31 | 395 | <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
798d3a52 ZJS |
396 | </para> |
397 | </refsect1> | |
091a364c TG |
398 | |
399 | </refentry> |