]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
0307f791 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
091a364c | 5 | |
1ec57f33 | 6 | <refentry id="resolved.conf" conditional='ENABLE_RESOLVE' |
798d3a52 ZJS |
7 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
8 | <refentryinfo> | |
9 | <title>resolved.conf</title> | |
10 | <productname>systemd</productname> | |
798d3a52 ZJS |
11 | </refentryinfo> |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>resolved.conf</refentrytitle> | |
15 | <manvolnum>5</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>resolved.conf</refname> | |
20 | <refname>resolved.conf.d</refname> | |
21 | <refpurpose>Network Name Resolution configuration files</refpurpose> | |
22 | </refnamediv> | |
23 | ||
24 | <refsynopsisdiv> | |
12b42c76 TG |
25 | <para><filename>/etc/systemd/resolved.conf</filename></para> |
26 | <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para> | |
798d3a52 | 27 | <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para> |
12b42c76 | 28 | <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para> |
798d3a52 ZJS |
29 | </refsynopsisdiv> |
30 | ||
31 | <refsect1> | |
32 | <title>Description</title> | |
33 | ||
34 | <para>These configuration files control local DNS and LLMNR | |
a8eaaee7 | 35 | name resolution.</para> |
798d3a52 ZJS |
36 | |
37 | </refsect1> | |
38 | ||
e93549ef | 39 | <xi:include href="standard-conf.xml" xpointer="main-conf" /> |
798d3a52 ZJS |
40 | |
41 | <refsect1> | |
42 | <title>Options</title> | |
43 | ||
dbc7bede LP |
44 | <para>The following options are available in the <literal>[Resolve]</literal> section:</para> |
45 | ||
798d3a52 ZJS |
46 | <variablelist class='network-directives'> |
47 | ||
48 | <varlistentry> | |
49 | <term><varname>DNS=</varname></term> | |
adc800a6 LP |
50 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. DNS requests |
51 | are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from | |
52 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or | |
53 | set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS | |
54 | servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers | |
55 | are configured in it. This setting defaults to the empty list.</para></listitem> | |
798d3a52 ZJS |
56 | </varlistentry> |
57 | ||
58 | <varlistentry> | |
59 | <term><varname>FallbackDNS=</varname></term> | |
adc800a6 LP |
60 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any |
61 | per-link DNS servers obtained from | |
798d3a52 | 62 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
adc800a6 LP |
63 | take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or |
64 | <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is | |
65 | known. If this option is not given, a compiled-in list of DNS servers is used instead.</para></listitem> | |
798d3a52 ZJS |
66 | </varlistentry> |
67 | ||
a51c1048 LP |
68 | <varlistentry> |
69 | <term><varname>Domains=</varname></term> | |
adc800a6 | 70 | <listitem><para>A space-separated list of domains. These domains are used as search suffixes when resolving |
38b38500 | 71 | single-label hostnames (domain names which contain no dot), in order to qualify them into fully-qualified |
adc800a6 LP |
72 | domain names (FQDNs). Search domains are strictly processed in the order they are specified, until the name |
73 | with the suffix appended is found. For compatibility reasons, if this setting is not specified, the search | |
74 | domains listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any domains | |
75 | are configured in it. This setting defaults to the empty list.</para> | |
76 | ||
77 | <para>Specified domain names may optionally be prefixed with <literal>~</literal>. In this case they do not | |
78 | define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured | |
79 | with the system <varname>DNS=</varname> setting (see above), in case additional, suitable per-link DNS servers | |
80 | are known. If no per-link DNS servers are known using the <literal>~</literal> syntax has no effect. Use the | |
81 | construct <literal>~.</literal> (which is composed of <literal>~</literal> to indicate a routing domain and | |
82 | <literal>.</literal> to indicate the DNS root domain that is the implied suffix of all DNS domains) to use the | |
83 | system DNS server defined with <varname>DNS=</varname> preferably for all domains.</para></listitem> | |
a51c1048 LP |
84 | </varlistentry> |
85 | ||
798d3a52 ZJS |
86 | <varlistentry> |
87 | <term><varname>LLMNR=</varname></term> | |
88 | <listitem><para>Takes a boolean argument or | |
89 | <literal>resolve</literal>. Controls Link-Local Multicast Name | |
90 | Resolution support (<ulink | |
eaaec6cc | 91 | url="https://tools.ietf.org/html/rfc4795">RFC 4795</ulink>) on |
b938cb90 | 92 | the local host. If true, enables full LLMNR responder and |
a8eaaee7 JE |
93 | resolver support. If false, disables both. If set to |
94 | <literal>resolve</literal>, only resolution support is enabled, | |
798d3a52 ZJS |
95 | but responding is disabled. Note that |
96 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 LP |
97 | also maintains per-link LLMNR settings. LLMNR will be |
98 | enabled on a link only if the per-link and the | |
798d3a52 ZJS |
99 | global setting is on.</para></listitem> |
100 | </varlistentry> | |
101 | ||
77525fdc YW |
102 | <varlistentry> |
103 | <term><varname>MulticastDNS=</varname></term> | |
104 | <listitem><para>Takes a boolean argument or | |
105 | <literal>resolve</literal>. Controls Multicast DNS support (<ulink | |
106 | url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on | |
107 | the local host. If true, enables full Multicast DNS responder and | |
108 | resolver support. If false, disables both. If set to | |
109 | <literal>resolve</literal>, only resolution support is enabled, | |
110 | but responding is disabled. Note that | |
111 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
112 | also maintains per-link Multicast DNS settings. Multicast DNS will be | |
113 | enabled on a link only if the per-link and the | |
114 | global setting is on.</para></listitem> | |
115 | </varlistentry> | |
116 | ||
519d39de LP |
117 | <varlistentry> |
118 | <term><varname>DNSSEC=</varname></term> | |
119 | <listitem><para>Takes a boolean argument or | |
1ed8c0fb | 120 | <literal>allow-downgrade</literal>. If true all DNS lookups are |
b83d91c0 | 121 | DNSSEC-validated locally (excluding LLMNR and Multicast |
c542f805 ZJS |
122 | DNS). If the response to a lookup request is detected to be invalid |
123 | a lookup failure is returned to applications. Note that | |
b83d91c0 LP |
124 | this mode requires a DNS server that supports DNSSEC. If the |
125 | DNS server does not properly support DNSSEC all validations | |
1ed8c0fb | 126 | will fail. If set to <literal>allow-downgrade</literal> DNSSEC |
b83d91c0 LP |
127 | validation is attempted, but if the server does not support |
128 | DNSSEC properly, DNSSEC mode is automatically disabled. Note | |
129 | that this mode makes DNSSEC validation vulnerable to | |
130 | "downgrade" attacks, where an attacker might be able to | |
131 | trigger a downgrade to non-DNSSEC mode by synthesizing a DNS | |
132 | response that suggests DNSSEC was not supported. If set to | |
133 | false, DNS lookups are not DNSSEC validated.</para> | |
519d39de LP |
134 | |
135 | <para>Note that DNSSEC validation requires retrieval of | |
136 | additional DNS data, and thus results in a small DNS look-up | |
137 | time penalty.</para> | |
138 | ||
139 | <para>DNSSEC requires knowledge of "trust anchors" to prove | |
140 | data integrity. The trust anchor for the Internet root domain | |
b5a8703f LP |
141 | is built into the resolver, additional trust anchors may be |
142 | defined with | |
143 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
c542f805 | 144 | Trust anchors may change at regular intervals, and old trust |
b5a8703f LP |
145 | anchors may be revoked. In such a case DNSSEC validation is |
146 | not possible until new trust anchors are configured locally or | |
147 | the resolver software package is updated with the new root | |
148 | trust anchor. In effect, when the built-in trust anchor is | |
149 | revoked and <varname>DNSSEC=</varname> is true, all further | |
150 | lookups will fail, as it cannot be proved anymore whether | |
151 | lookups are correctly signed, or validly unsigned. If | |
519d39de | 152 | <varname>DNSSEC=</varname> is set to |
1ed8c0fb | 153 | <literal>allow-downgrade</literal> the resolver will |
d57d3973 | 154 | automatically turn off DNSSEC validation in such a case.</para> |
519d39de LP |
155 | |
156 | <para>Client programs looking up DNS data will be informed | |
157 | whether lookups could be verified using DNSSEC, or whether the | |
158 | returned data could not be verified (either because the data | |
159 | was found unsigned in the DNS, or the DNS server did not | |
160 | support DNSSEC or no appropriate trust anchors were known). In | |
161 | the latter case it is assumed that client programs employ a | |
162 | secondary scheme to validate the returned DNS data, should | |
163 | this be required.</para> | |
164 | ||
165 | <para>It is recommended to set <varname>DNSSEC=</varname> to | |
d57d3973 | 166 | true on systems where it is known that the DNS server supports |
519d39de LP |
167 | DNSSEC correctly, and where software or trust anchor updates |
168 | happen regularly. On other systems it is recommended to set | |
169 | <varname>DNSSEC=</varname> to | |
1ed8c0fb | 170 | <literal>allow-downgrade</literal>.</para> |
ad6c0475 LP |
171 | |
172 | <para>In addition to this global DNSSEC setting | |
173 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 | 174 | also maintains per-link DNSSEC settings. For system DNS |
ad6c0475 | 175 | servers (see above), only the global DNSSEC setting is in |
adc800a6 | 176 | effect. For per-link DNS servers the per-link |
ad6c0475 LP |
177 | setting is in effect, unless it is unset in which case the |
178 | global setting is used instead.</para> | |
179 | ||
d33b6cf3 LP |
180 | <para>Site-private DNS zones generally conflict with DNSSEC |
181 | operation, unless a negative (if the private zone is not | |
182 | signed) or positive (if the private zone is signed) trust | |
183 | anchor is configured for them. If | |
184 | <literal>allow-downgrade</literal> mode is selected, it is | |
185 | attempted to detect site-private DNS zones using top-level | |
186 | domains (TLDs) that are not known by the DNS root server. This | |
187 | logic does not work in all private zone setups.</para> | |
188 | ||
f628e3ee | 189 | <para>Defaults to <literal>allow-downgrade</literal></para> |
519d39de LP |
190 | </listitem> |
191 | </varlistentry> | |
192 | ||
30e59c84 | 193 | <varlistentry> |
c9299be2 | 194 | <term><varname>DNSOverTLS=</varname></term> |
30e59c84 | 195 | <listitem> |
eec394f1 JT |
196 | <para>Takes a boolean argument or <literal>opportunistic</literal>. If |
197 | true all connections to the server will be encrypted. Note that this | |
198 | mode requires a DNS server that supports DNS-over-TLS and has a valid | |
199 | certificate. If the hostname was specified in <varname>DNS=</varname> | |
200 | by using the format format <literal>address#server_name</literal> it | |
201 | is used to validate its certificate and also to enable Server Name | |
202 | Indication (SNI) when opening a TLS connection. Otherwise | |
203 | the certificate is checked against the server's IP. | |
204 | If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para> | |
205 | ||
206 | <para>When set to <literal>opportunistic</literal> | |
30e59c84 IT |
207 | DNS request are attempted to send encrypted with DNS-over-TLS. |
208 | If the DNS server does not support TLS, DNS-over-TLS is disabled. | |
209 | Note that this mode makes DNS-over-TLS vulnerable to "downgrade" | |
210 | attacks, where an attacker might be able to trigger a downgrade | |
211 | to non-encrypted mode by synthesizing a response that suggests | |
212 | DNS-over-TLS was not supported. If set to false, DNS lookups | |
213 | are send over UDP.</para> | |
214 | ||
215 | <para>Note that DNS-over-TLS requires additional data to be | |
216 | send for setting up an encrypted connection, and thus results | |
217 | in a small DNS look-up time penalty.</para> | |
218 | ||
2f2b28ab RS |
219 | <para>Note that in <literal>opportunistic</literal> mode the |
220 | resolver is not capable of authenticating the server, so it is | |
221 | vulnerable to "man-in-the-middle" attacks.</para> | |
30e59c84 | 222 | |
c9299be2 | 223 | <para>In addition to this global DNSOverTLS setting |
30e59c84 | 224 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
c9299be2 IT |
225 | also maintains per-link DNSOverTLS settings. For system DNS |
226 | servers (see above), only the global DNSOverTLS setting is in | |
30e59c84 IT |
227 | effect. For per-link DNS servers the per-link |
228 | setting is in effect, unless it is unset in which case the | |
229 | global setting is used instead.</para> | |
230 | ||
231 | <para>Defaults to off.</para> | |
232 | </listitem> | |
233 | </varlistentry> | |
234 | ||
ceeddf79 MP |
235 | <varlistentry> |
236 | <term><varname>Cache=</varname></term> | |
d8c73cb7 ZJS |
237 | <listitem><para>Takes a boolean or <literal>no-negative</literal> as argument. If |
238 | <literal>yes</literal> (the default), resolving a domain name which already got queried earlier will | |
239 | return the previous result as long as it is still valid, and thus does not result in a new network | |
240 | request. Be aware that turning off caching comes at a performance penalty, which is particularly high | |
241 | when DNSSEC is used. If <literal>no-negative</literal>, only positive answers are cached.</para> | |
5bd73426 LP |
242 | |
243 | <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address | |
244 | (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem> | |
ceeddf79 MP |
245 | </varlistentry> |
246 | ||
1ae43295 DM |
247 | <varlistentry> |
248 | <term><varname>DNSStubListener=</varname></term> | |
249 | <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If | |
4b987478 | 250 | <literal>udp</literal>, a DNS stub resolver will listen for UDP requests on address 127.0.0.53 |
1ae43295 | 251 | port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If |
4b987478 | 252 | <literal>yes</literal> (the default), the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub |
1ae43295 DM |
253 | listener is disabled.</para> |
254 | ||
255 | <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already | |
256 | in use.</para></listitem> | |
257 | </varlistentry> | |
258 | ||
86317087 YW |
259 | <varlistentry> |
260 | <term><varname>ReadEtcHosts=</varname></term> | |
261 | <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), the DNS stub resolver will read | |
262 | <filename>/etc/hosts</filename>, and try to resolve hosts or address by using the entries in the file before | |
263 | sending query to DNS servers.</para></listitem> | |
264 | </varlistentry> | |
265 | ||
798d3a52 ZJS |
266 | </variablelist> |
267 | </refsect1> | |
268 | ||
269 | <refsect1> | |
270 | <title>See Also</title> | |
271 | <para> | |
272 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
273 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
274 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
b5a8703f | 275 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
524f3e5c | 276 | <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry> |
798d3a52 ZJS |
277 | </para> |
278 | </refsect1> | |
091a364c TG |
279 | |
280 | </refentry> |