]>
Commit | Line | Data |
---|---|---|
a51c1048 | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
091a364c | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
091a364c TG |
4 | |
5 | <!-- | |
572eb058 ZJS |
6 | SPDX-License-Identifier: LGPL-2.1+ |
7 | ||
96b2fb93 | 8 | Copyright © 2014 Tom Gundersen |
091a364c TG |
9 | --> |
10 | ||
1ec57f33 | 11 | <refentry id="resolved.conf" conditional='ENABLE_RESOLVE' |
798d3a52 ZJS |
12 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
13 | <refentryinfo> | |
14 | <title>resolved.conf</title> | |
15 | <productname>systemd</productname> | |
16 | ||
17 | <authorgroup> | |
18 | <author> | |
19 | <contrib>Developer</contrib> | |
20 | <firstname>Tom</firstname> | |
21 | <surname>Gundersen</surname> | |
22 | <email>teg@jklm.no</email> | |
23 | </author> | |
24 | </authorgroup> | |
25 | </refentryinfo> | |
26 | ||
27 | <refmeta> | |
28 | <refentrytitle>resolved.conf</refentrytitle> | |
29 | <manvolnum>5</manvolnum> | |
30 | </refmeta> | |
31 | ||
32 | <refnamediv> | |
33 | <refname>resolved.conf</refname> | |
34 | <refname>resolved.conf.d</refname> | |
35 | <refpurpose>Network Name Resolution configuration files</refpurpose> | |
36 | </refnamediv> | |
37 | ||
38 | <refsynopsisdiv> | |
12b42c76 TG |
39 | <para><filename>/etc/systemd/resolved.conf</filename></para> |
40 | <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para> | |
798d3a52 | 41 | <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para> |
12b42c76 | 42 | <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para> |
798d3a52 ZJS |
43 | </refsynopsisdiv> |
44 | ||
45 | <refsect1> | |
46 | <title>Description</title> | |
47 | ||
48 | <para>These configuration files control local DNS and LLMNR | |
a8eaaee7 | 49 | name resolution.</para> |
798d3a52 ZJS |
50 | |
51 | </refsect1> | |
52 | ||
e93549ef | 53 | <xi:include href="standard-conf.xml" xpointer="main-conf" /> |
798d3a52 ZJS |
54 | |
55 | <refsect1> | |
56 | <title>Options</title> | |
57 | ||
dbc7bede LP |
58 | <para>The following options are available in the <literal>[Resolve]</literal> section:</para> |
59 | ||
798d3a52 ZJS |
60 | <variablelist class='network-directives'> |
61 | ||
62 | <varlistentry> | |
63 | <term><varname>DNS=</varname></term> | |
adc800a6 LP |
64 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. DNS requests |
65 | are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from | |
66 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or | |
67 | set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS | |
68 | servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers | |
69 | are configured in it. This setting defaults to the empty list.</para></listitem> | |
798d3a52 ZJS |
70 | </varlistentry> |
71 | ||
72 | <varlistentry> | |
73 | <term><varname>FallbackDNS=</varname></term> | |
adc800a6 LP |
74 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any |
75 | per-link DNS servers obtained from | |
798d3a52 | 76 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
adc800a6 LP |
77 | take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or |
78 | <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is | |
79 | known. If this option is not given, a compiled-in list of DNS servers is used instead.</para></listitem> | |
798d3a52 ZJS |
80 | </varlistentry> |
81 | ||
a51c1048 LP |
82 | <varlistentry> |
83 | <term><varname>Domains=</varname></term> | |
adc800a6 LP |
84 | <listitem><para>A space-separated list of domains. These domains are used as search suffixes when resolving |
85 | single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified | |
86 | domain names (FQDNs). Search domains are strictly processed in the order they are specified, until the name | |
87 | with the suffix appended is found. For compatibility reasons, if this setting is not specified, the search | |
88 | domains listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any domains | |
89 | are configured in it. This setting defaults to the empty list.</para> | |
90 | ||
91 | <para>Specified domain names may optionally be prefixed with <literal>~</literal>. In this case they do not | |
92 | define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured | |
93 | with the system <varname>DNS=</varname> setting (see above), in case additional, suitable per-link DNS servers | |
94 | are known. If no per-link DNS servers are known using the <literal>~</literal> syntax has no effect. Use the | |
95 | construct <literal>~.</literal> (which is composed of <literal>~</literal> to indicate a routing domain and | |
96 | <literal>.</literal> to indicate the DNS root domain that is the implied suffix of all DNS domains) to use the | |
97 | system DNS server defined with <varname>DNS=</varname> preferably for all domains.</para></listitem> | |
a51c1048 LP |
98 | </varlistentry> |
99 | ||
798d3a52 ZJS |
100 | <varlistentry> |
101 | <term><varname>LLMNR=</varname></term> | |
102 | <listitem><para>Takes a boolean argument or | |
103 | <literal>resolve</literal>. Controls Link-Local Multicast Name | |
104 | Resolution support (<ulink | |
105 | url="https://tools.ietf.org/html/rfc4795">RFC 4794</ulink>) on | |
b938cb90 | 106 | the local host. If true, enables full LLMNR responder and |
a8eaaee7 JE |
107 | resolver support. If false, disables both. If set to |
108 | <literal>resolve</literal>, only resolution support is enabled, | |
798d3a52 ZJS |
109 | but responding is disabled. Note that |
110 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 LP |
111 | also maintains per-link LLMNR settings. LLMNR will be |
112 | enabled on a link only if the per-link and the | |
798d3a52 ZJS |
113 | global setting is on.</para></listitem> |
114 | </varlistentry> | |
115 | ||
77525fdc YW |
116 | <varlistentry> |
117 | <term><varname>MulticastDNS=</varname></term> | |
118 | <listitem><para>Takes a boolean argument or | |
119 | <literal>resolve</literal>. Controls Multicast DNS support (<ulink | |
120 | url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on | |
121 | the local host. If true, enables full Multicast DNS responder and | |
122 | resolver support. If false, disables both. If set to | |
123 | <literal>resolve</literal>, only resolution support is enabled, | |
124 | but responding is disabled. Note that | |
125 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
126 | also maintains per-link Multicast DNS settings. Multicast DNS will be | |
127 | enabled on a link only if the per-link and the | |
128 | global setting is on.</para></listitem> | |
129 | </varlistentry> | |
130 | ||
519d39de LP |
131 | <varlistentry> |
132 | <term><varname>DNSSEC=</varname></term> | |
133 | <listitem><para>Takes a boolean argument or | |
1ed8c0fb | 134 | <literal>allow-downgrade</literal>. If true all DNS lookups are |
b83d91c0 | 135 | DNSSEC-validated locally (excluding LLMNR and Multicast |
c542f805 ZJS |
136 | DNS). If the response to a lookup request is detected to be invalid |
137 | a lookup failure is returned to applications. Note that | |
b83d91c0 LP |
138 | this mode requires a DNS server that supports DNSSEC. If the |
139 | DNS server does not properly support DNSSEC all validations | |
1ed8c0fb | 140 | will fail. If set to <literal>allow-downgrade</literal> DNSSEC |
b83d91c0 LP |
141 | validation is attempted, but if the server does not support |
142 | DNSSEC properly, DNSSEC mode is automatically disabled. Note | |
143 | that this mode makes DNSSEC validation vulnerable to | |
144 | "downgrade" attacks, where an attacker might be able to | |
145 | trigger a downgrade to non-DNSSEC mode by synthesizing a DNS | |
146 | response that suggests DNSSEC was not supported. If set to | |
147 | false, DNS lookups are not DNSSEC validated.</para> | |
519d39de LP |
148 | |
149 | <para>Note that DNSSEC validation requires retrieval of | |
150 | additional DNS data, and thus results in a small DNS look-up | |
151 | time penalty.</para> | |
152 | ||
153 | <para>DNSSEC requires knowledge of "trust anchors" to prove | |
154 | data integrity. The trust anchor for the Internet root domain | |
b5a8703f LP |
155 | is built into the resolver, additional trust anchors may be |
156 | defined with | |
157 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
c542f805 | 158 | Trust anchors may change at regular intervals, and old trust |
b5a8703f LP |
159 | anchors may be revoked. In such a case DNSSEC validation is |
160 | not possible until new trust anchors are configured locally or | |
161 | the resolver software package is updated with the new root | |
162 | trust anchor. In effect, when the built-in trust anchor is | |
163 | revoked and <varname>DNSSEC=</varname> is true, all further | |
164 | lookups will fail, as it cannot be proved anymore whether | |
165 | lookups are correctly signed, or validly unsigned. If | |
519d39de | 166 | <varname>DNSSEC=</varname> is set to |
1ed8c0fb | 167 | <literal>allow-downgrade</literal> the resolver will |
d57d3973 | 168 | automatically turn off DNSSEC validation in such a case.</para> |
519d39de LP |
169 | |
170 | <para>Client programs looking up DNS data will be informed | |
171 | whether lookups could be verified using DNSSEC, or whether the | |
172 | returned data could not be verified (either because the data | |
173 | was found unsigned in the DNS, or the DNS server did not | |
174 | support DNSSEC or no appropriate trust anchors were known). In | |
175 | the latter case it is assumed that client programs employ a | |
176 | secondary scheme to validate the returned DNS data, should | |
177 | this be required.</para> | |
178 | ||
179 | <para>It is recommended to set <varname>DNSSEC=</varname> to | |
d57d3973 | 180 | true on systems where it is known that the DNS server supports |
519d39de LP |
181 | DNSSEC correctly, and where software or trust anchor updates |
182 | happen regularly. On other systems it is recommended to set | |
183 | <varname>DNSSEC=</varname> to | |
1ed8c0fb | 184 | <literal>allow-downgrade</literal>.</para> |
ad6c0475 LP |
185 | |
186 | <para>In addition to this global DNSSEC setting | |
187 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 | 188 | also maintains per-link DNSSEC settings. For system DNS |
ad6c0475 | 189 | servers (see above), only the global DNSSEC setting is in |
adc800a6 | 190 | effect. For per-link DNS servers the per-link |
ad6c0475 LP |
191 | setting is in effect, unless it is unset in which case the |
192 | global setting is used instead.</para> | |
193 | ||
d33b6cf3 LP |
194 | <para>Site-private DNS zones generally conflict with DNSSEC |
195 | operation, unless a negative (if the private zone is not | |
196 | signed) or positive (if the private zone is signed) trust | |
197 | anchor is configured for them. If | |
198 | <literal>allow-downgrade</literal> mode is selected, it is | |
199 | attempted to detect site-private DNS zones using top-level | |
200 | domains (TLDs) that are not known by the DNS root server. This | |
201 | logic does not work in all private zone setups.</para> | |
202 | ||
ad6c0475 | 203 | <para>Defaults to off.</para> |
519d39de LP |
204 | </listitem> |
205 | </varlistentry> | |
206 | ||
30e59c84 | 207 | <varlistentry> |
c9299be2 | 208 | <term><varname>DNSOverTLS=</varname></term> |
30e59c84 IT |
209 | <listitem> |
210 | <para>Takes false or | |
211 | <literal>opportunistic</literal>. When set to <literal>opportunistic</literal> | |
212 | DNS request are attempted to send encrypted with DNS-over-TLS. | |
213 | If the DNS server does not support TLS, DNS-over-TLS is disabled. | |
214 | Note that this mode makes DNS-over-TLS vulnerable to "downgrade" | |
215 | attacks, where an attacker might be able to trigger a downgrade | |
216 | to non-encrypted mode by synthesizing a response that suggests | |
217 | DNS-over-TLS was not supported. If set to false, DNS lookups | |
218 | are send over UDP.</para> | |
219 | ||
220 | <para>Note that DNS-over-TLS requires additional data to be | |
221 | send for setting up an encrypted connection, and thus results | |
222 | in a small DNS look-up time penalty.</para> | |
223 | ||
224 | <para>Note as the resolver is not capable of authenticating | |
225 | the server, it is vulnerable for "man-in-the-middle" attacks.</para> | |
226 | ||
c9299be2 | 227 | <para>In addition to this global DNSOverTLS setting |
30e59c84 | 228 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
c9299be2 IT |
229 | also maintains per-link DNSOverTLS settings. For system DNS |
230 | servers (see above), only the global DNSOverTLS setting is in | |
30e59c84 IT |
231 | effect. For per-link DNS servers the per-link |
232 | setting is in effect, unless it is unset in which case the | |
233 | global setting is used instead.</para> | |
234 | ||
235 | <para>Defaults to off.</para> | |
236 | </listitem> | |
237 | </varlistentry> | |
238 | ||
ceeddf79 MP |
239 | <varlistentry> |
240 | <term><varname>Cache=</varname></term> | |
5bd73426 LP |
241 | <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got |
242 | queried earlier will return the previous result as long as it is still valid, and thus does not result in a new | |
cfaf4b75 | 243 | network request. Be aware that turning off caching comes at a performance penalty, which is particularly |
5bd73426 LP |
244 | high when DNSSEC is used.</para> |
245 | ||
246 | <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address | |
247 | (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem> | |
ceeddf79 MP |
248 | </varlistentry> |
249 | ||
1ae43295 DM |
250 | <varlistentry> |
251 | <term><varname>DNSStubListener=</varname></term> | |
252 | <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If | |
253 | <literal>udp</literal> (the default), a DNS stub resolver will listen for UDP requests on address 127.0.0.53 | |
254 | port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If | |
255 | <literal>yes</literal>, the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub | |
256 | listener is disabled.</para> | |
257 | ||
258 | <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already | |
259 | in use.</para></listitem> | |
260 | </varlistentry> | |
261 | ||
798d3a52 ZJS |
262 | </variablelist> |
263 | </refsect1> | |
264 | ||
265 | <refsect1> | |
266 | <title>See Also</title> | |
267 | <para> | |
268 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
269 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
270 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
b5a8703f | 271 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
524f3e5c | 272 | <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry> |
798d3a52 ZJS |
273 | </para> |
274 | </refsect1> | |
091a364c TG |
275 | |
276 | </refentry> |