<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  SPDX-License-Identifier: LGPL-2.1+
-->

<refentry id="resolved.conf" conditional='ENABLE_RESOLVE'
          xmlns:xi="http://www.w3.org/2001/XInclude">
  <refentryinfo>
    <title>resolved.conf</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>resolved.conf</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>resolved.conf</refname>
    <refname>resolved.conf.d</refname>
    <refpurpose>Network Name Resolution configuration files</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/systemd/resolved.conf</filename></para>
    <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para>
    <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para>
    <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>These configuration files control local DNS and LLMNR
    name resolution.</para>

  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="main-conf" />

  <refsect1>
    <title>Options</title>

    <para>The following options are available in the <literal>[Resolve]</literal> section:</para>

    <variablelist class='network-directives'>

      <varlistentry>
        <term><varname>DNS=</varname></term>
        <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. DNS requests
        are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
        set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS
        servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers
        are configured in it. This setting defaults to the empty list.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>FallbackDNS=</varname></term>
        <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any
        per-link DNS servers obtained from
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or
        <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is
        known. If this option is not given, a compiled-in list of DNS servers is used instead.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Domains=</varname></term>
        <listitem><para>A space-separated list of domains. These domains are used as search suffixes when resolving
        single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified
        domain names (FQDNs). Search domains are strictly processed in the order they are specified, until the name
        with the suffix appended is found. For compatibility reasons, if this setting is not specified, the search
        domains listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any domains
        are configured in it. This setting defaults to the empty list.</para>

        <para>Specified domain names may optionally be prefixed with <literal>~</literal>. In this case they do not
        define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured
        with the system <varname>DNS=</varname> setting (see above), in case additional, suitable per-link DNS servers
        are known. If no per-link DNS servers are known, using the <literal>~</literal> syntax has no effect. Use the
        construct <literal>~.</literal> (which is composed of <literal>~</literal> to indicate a routing domain and
        <literal>.</literal> to indicate the DNS root domain that is the implied suffix of all DNS domains) to use the
        system DNS server defined with <varname>DNS=</varname> preferably for all domains.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LLMNR=</varname></term>
        <listitem><para>Takes a boolean argument or
        <literal>resolve</literal>. Controls Link-Local Multicast Name
        Resolution support (<ulink
        url="https://tools.ietf.org/html/rfc4795">RFC 4795</ulink>) on
        the local host. If true, enables full LLMNR responder and
        resolver support. If false, disables both. If set to
        <literal>resolve</literal>, only resolution support is enabled,
        but responding is disabled. Note that
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        also maintains per-link LLMNR settings. LLMNR will be
        enabled on a link only if both the per-link and the
        global setting are on.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MulticastDNS=</varname></term>
        <listitem><para>Takes a boolean argument or
        <literal>resolve</literal>. Controls Multicast DNS support (<ulink
        url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on
        the local host. If true, enables full Multicast DNS responder and
        resolver support. If false, disables both. If set to
        <literal>resolve</literal>, only resolution support is enabled,
        but responding is disabled. Note that
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        also maintains per-link Multicast DNS settings. Multicast DNS will be
        enabled on a link only if both the per-link and the
        global setting are on.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DNSSEC=</varname></term>
        <listitem><para>Takes a boolean argument or
        <literal>allow-downgrade</literal>. If true, all DNS lookups are
        DNSSEC-validated locally (excluding LLMNR and Multicast
        DNS). If the response to a lookup request is detected to be invalid,
        a lookup failure is returned to applications. Note that
        this mode requires a DNS server that supports DNSSEC. If the
        DNS server does not properly support DNSSEC, all validations
        will fail. If set to <literal>allow-downgrade</literal>, DNSSEC
        validation is attempted, but if the server does not support
        DNSSEC properly, DNSSEC mode is automatically disabled. Note
        that this mode makes DNSSEC validation vulnerable to
        "downgrade" attacks, where an attacker might be able to
        trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
        response that suggests DNSSEC was not supported. If set to
        false, DNS lookups are not DNSSEC validated.</para>

        <para>Note that DNSSEC validation requires retrieval of
        additional DNS data, and thus results in a small DNS look-up
        time penalty.</para>

        <para>DNSSEC requires knowledge of "trust anchors" to prove
        data integrity. The trust anchor for the Internet root domain
        is built into the resolver; additional trust anchors may be
        defined with
        <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
        Trust anchors may change at regular intervals, and old trust
        anchors may be revoked. In such a case DNSSEC validation is
        not possible until new trust anchors are configured locally or
        the resolver software package is updated with the new root
        trust anchor. In effect, when the built-in trust anchor is
        revoked and <varname>DNSSEC=</varname> is true, all further
        lookups will fail, as it cannot be proved anymore whether
        lookups are correctly signed, or validly unsigned. If
        <varname>DNSSEC=</varname> is set to
        <literal>allow-downgrade</literal>, the resolver will
        automatically turn off DNSSEC validation in such a case.</para>

        <para>Client programs looking up DNS data will be informed
        whether lookups could be verified using DNSSEC, or whether the
        returned data could not be verified (either because the data
        was found unsigned in the DNS, or the DNS server did not
        support DNSSEC or no appropriate trust anchors were known). In
        the latter case it is assumed that client programs employ a
        secondary scheme to validate the returned DNS data, should
        this be required.</para>

        <para>It is recommended to set <varname>DNSSEC=</varname> to
        true on systems where it is known that the DNS server supports
        DNSSEC correctly, and where software or trust anchor updates
        happen regularly. On other systems it is recommended to set
        <varname>DNSSEC=</varname> to
        <literal>allow-downgrade</literal>.</para>

        <para>In addition to this global DNSSEC setting
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        also maintains per-link DNSSEC settings. For system DNS
        servers (see above), only the global DNSSEC setting is in
        effect. For per-link DNS servers the per-link
        setting is in effect, unless it is unset, in which case the
        global setting is used instead.</para>

        <para>Site-private DNS zones generally conflict with DNSSEC
        operation, unless a negative (if the private zone is not
        signed) or positive (if the private zone is signed) trust
        anchor is configured for them. If
        <literal>allow-downgrade</literal> mode is selected, it is
        attempted to detect site-private DNS zones using top-level
        domains (TLDs) that are not known by the DNS root server. This
        logic does not work in all private zone setups.</para>

        <para>Defaults to <literal>allow-downgrade</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DNSOverTLS=</varname></term>
        <listitem>
        <para>Takes false or
        <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>,
        the resolver attempts to send DNS requests encrypted with DNS-over-TLS.
        If the DNS server does not support TLS, DNS-over-TLS is disabled.
        Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
        attacks, where an attacker might be able to trigger a downgrade
        to non-encrypted mode by synthesizing a response that suggests
        DNS-over-TLS was not supported. If set to false, DNS lookups
        are sent over UDP.</para>

        <para>Note that DNS-over-TLS requires additional data to be
        sent for setting up an encrypted connection, and thus results
        in a small DNS look-up time penalty.</para>

        <para>Note that, as the resolver is not capable of authenticating
        the server, it is vulnerable to "man-in-the-middle" attacks.</para>

        <para>In addition to this global DNSOverTLS setting
        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        also maintains per-link DNSOverTLS settings. For system DNS
        servers (see above), only the global DNSOverTLS setting is in
        effect. For per-link DNS servers the per-link
        setting is in effect, unless it is unset, in which case the
        global setting is used instead.</para>

        <para>Defaults to off.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Cache=</varname></term>
        <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), resolving a domain name
        which was already queried earlier will return the previous result as long as it is still valid, and thus does
        not result in a new network request. Be aware that turning off caching comes at a performance penalty, which
        is particularly high when DNSSEC is used.</para>

        <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
        (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>DNSStubListener=</varname></term>
        <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If
        <literal>udp</literal>, a DNS stub resolver will listen for UDP requests on address 127.0.0.53
        port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If
        <literal>yes</literal> (the default), the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub
        listener is disabled.</para>

        <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already
        in use.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ReadEtcHosts=</varname></term>
        <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), the DNS stub resolver will read
        <filename>/etc/hosts</filename>, and try to resolve hosts or addresses using the entries in the file before
        sending queries to DNS servers.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
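As an added example (not systemd's own code), the following audit reads a resolved.conf and reports the resolver's posture according to the documented meanings of DNSSEC=, DNSOverTLS=, DNS=, Domains= and Cache= above, including the downgrade caveats and the implicit cache-off rule for host-local servers. The two sample configurations and their documentation-range addresses are constructed, and DNS= is assumed to hold plain IP addresses.

```python
"""Audit a resolved.conf [Resolve] section against resolved.conf(5) semantics.
Added example, not part of systemd; assumes plain IP addresses in DNS=."""
import configparser
import ipaddress

DEFAULTS = {"DNSSEC": "allow-downgrade", "DNSOverTLS": "no", "Cache": "yes"}
TRUE = {"1", "yes", "y", "true", "t", "on"}    # systemd boolean spellings
FALSE = {"0", "no", "n", "false", "f", "off"}

def parse_resolve(text):
    """Return the [Resolve] keys as a dict with the documented defaults applied."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(text)
    section = dict(cp["Resolve"]) if cp.has_section("Resolve") else {}
    return {**DEFAULTS, **section}

def audit(text):
    """Return (key, finding) pairs describing the resolver's security posture."""
    cfg, out = parse_resolve(text), []
    dnssec, dot, cache = (cfg[k].lower() for k in ("DNSSEC", "DNSOverTLS", "Cache"))
    if dnssec in FALSE:
        out.append(("DNSSEC", "lookups are not DNSSEC-validated"))
    elif dnssec == "allow-downgrade":
        out.append(("DNSSEC", "validation can be downgraded by a forged "
                              "response claiming no DNSSEC support"))
    if dot in FALSE:
        out.append(("DNSOverTLS", "queries are sent in the clear over UDP"))
    elif dot == "opportunistic":
        out.append(("DNSOverTLS", "encrypted when offered, but downgradeable "
                                  "and the server is not authenticated"))
    servers = cfg.get("DNS", "").split()
    if not servers:
        out.append(("DNS", "empty: /etc/resolv.conf servers are used if present"))
    elif cache in TRUE and any(ipaddress.ip_address(s).is_loopback for s in servers):
        out.append(("Cache", "implicitly off: a DNS server is host-local"))
    if cache in FALSE:
        out.append(("Cache", "disabled: extra latency, especially with DNSSEC"))
    if "~." in cfg.get("Domains", "").split():
        out.append(("Domains", "~. sends all queries preferably to DNS= servers"))
    return out

# Constructed sample configurations (documentation-range addresses, not real hosts).
WEAK_CONF = "[Resolve]\nDNS=127.0.0.1\nDNSSEC=no\n"
HARDENED_CONF = ("[Resolve]\nDNS=192.0.2.53 2001:db8::53\nDomains=~.\n"
                 "DNSSEC=yes\nDNSOverTLS=opportunistic\n")
```

Running `audit("")` shows what an unconfigured host gets from the documented defaults alone: DNSSEC in allow-downgrade mode, plaintext UDP, and servers taken from /etc/resolv.conf.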