]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
0307f791 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
091a364c | 5 | |
1ec57f33 | 6 | <refentry id="resolved.conf" conditional='ENABLE_RESOLVE' |
798d3a52 ZJS |
7 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
8 | <refentryinfo> | |
9 | <title>resolved.conf</title> | |
10 | <productname>systemd</productname> | |
798d3a52 ZJS |
11 | </refentryinfo> |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>resolved.conf</refentrytitle> | |
15 | <manvolnum>5</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>resolved.conf</refname> | |
20 | <refname>resolved.conf.d</refname> | |
21 | <refpurpose>Network Name Resolution configuration files</refpurpose> | |
22 | </refnamediv> | |
23 | ||
24 | <refsynopsisdiv> | |
12b42c76 TG |
25 | <para><filename>/etc/systemd/resolved.conf</filename></para> |
26 | <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para> | |
798d3a52 | 27 | <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para> |
12b42c76 | 28 | <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para> |
798d3a52 ZJS |
29 | </refsynopsisdiv> |
30 | ||
31 | <refsect1> | |
32 | <title>Description</title> | |
33 | ||
34 | <para>These configuration files control local DNS and LLMNR | |
a8eaaee7 | 35 | name resolution.</para> |
798d3a52 ZJS |
36 | |
37 | </refsect1> | |
38 | ||
e93549ef | 39 | <xi:include href="standard-conf.xml" xpointer="main-conf" /> |
798d3a52 ZJS |
40 | |
41 | <refsect1> | |
42 | <title>Options</title> | |
43 | ||
bdac5608 | 44 | <para>The following options are available in the [Resolve] section:</para> |
dbc7bede | 45 | |
798d3a52 ZJS |
46 | <variablelist class='network-directives'> |
47 | ||
48 | <varlistentry> | |
49 | <term><varname>DNS=</varname></term> | |
711dd5db YW |
50 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. Each address can |
51 | optionally take a port number separated with <literal>:</literal>, a network interface name or index separated with | |
52 | <literal>%</literal>, and a Server Name Indication (SNI) separated with <literal>#</literal>. When IPv6 address is | |
53 | specified with a port number, then the address must be in the square brackets. That is, the acceptable full formats | |
54 | are <literal>111.222.333.444:9953%ifname#example.com</literal> for IPv4 and | |
55 | <literal>[1111:2222::3333]:9953%ifname#example.com</literal> for IPv6. DNS requests are sent to one of the listed | |
56 | DNS servers in parallel to suitable per-link DNS servers acquired from | |
adc800a6 LP |
57 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or |
58 | set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS | |
59 | servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers | |
60 | are configured in it. This setting defaults to the empty list.</para></listitem> | |
798d3a52 ZJS |
61 | </varlistentry> |
62 | ||
63 | <varlistentry> | |
64 | <term><varname>FallbackDNS=</varname></term> | |
711dd5db YW |
65 | <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Please see |
66 | <varname>DNS=</varname> for acceptable format of adddresses. Any per-link DNS servers obtained from | |
798d3a52 | 67 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
adc800a6 LP |
68 | take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or |
69 | <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is | |
70 | known. If this option is not given, a compiled-in list of DNS servers is used instead.</para></listitem> | |
798d3a52 ZJS |
71 | </varlistentry> |
72 | ||
a51c1048 LP |
73 | <varlistentry> |
74 | <term><varname>Domains=</varname></term> | |
801d25ef ZJS |
75 | <listitem><para>A space-separated list of domains optionally prefixed with <literal>~</literal>, |
76 | used for two distinct purposes described below. Defaults to the empty list.</para> | |
77 | ||
78 | <para>Any domains <emphasis>not</emphasis> prefixed with <literal>~</literal> are used as search | |
79 | suffixes when resolving single-label hostnames (domain names which contain no dot), in order to | |
80 | qualify them into fully-qualified domain names (FQDNs). These "search domains" are strictly processed | |
81 | in the order they are specified in, until the name with the suffix appended is found. For | |
82 | compatibility reasons, if this setting is not specified, the search domains listed in | |
83 | <filename>/etc/resolv.conf</filename> with the <varname>search</varname> keyword are used instead, if | |
84 | that file exists and any domains are configured in it.</para> | |
85 | ||
86 | <para>The domains prefixed with <literal>~</literal> are called "routing domains". All domains listed | |
87 | here (both search domains and routing domains after removing the <literal>~</literal> prefix) define | |
cb713f16 | 88 | a search path that preferably directs DNS queries to this interface. This search path has an effect |
801d25ef ZJS |
89 | only when suitable per-link DNS servers are known. Such servers may be defined through the |
90 | <varname>DNS=</varname> setting (see above) and dynamically at run time, for example from DHCP | |
91 | leases. If no per-link DNS servers are known, routing domains have no effect.</para> | |
92 | ||
93 | <para>Use the construct <literal>~.</literal> (which is composed from <literal>~</literal> to | |
94 | indicate a routing domain and <literal>.</literal> to indicate the DNS root domain that is the | |
95 | implied suffix of all DNS domains) to use the DNS servers defined for this link preferably for all | |
96 | domains.</para></listitem> | |
a51c1048 LP |
97 | </varlistentry> |
98 | ||
798d3a52 ZJS |
99 | <varlistentry> |
100 | <term><varname>LLMNR=</varname></term> | |
101 | <listitem><para>Takes a boolean argument or | |
102 | <literal>resolve</literal>. Controls Link-Local Multicast Name | |
103 | Resolution support (<ulink | |
eaaec6cc | 104 | url="https://tools.ietf.org/html/rfc4795">RFC 4795</ulink>) on |
b938cb90 | 105 | the local host. If true, enables full LLMNR responder and |
a8eaaee7 JE |
106 | resolver support. If false, disables both. If set to |
107 | <literal>resolve</literal>, only resolution support is enabled, | |
798d3a52 ZJS |
108 | but responding is disabled. Note that |
109 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 LP |
110 | also maintains per-link LLMNR settings. LLMNR will be |
111 | enabled on a link only if the per-link and the | |
798d3a52 ZJS |
112 | global setting is on.</para></listitem> |
113 | </varlistentry> | |
114 | ||
77525fdc YW |
115 | <varlistentry> |
116 | <term><varname>MulticastDNS=</varname></term> | |
117 | <listitem><para>Takes a boolean argument or | |
118 | <literal>resolve</literal>. Controls Multicast DNS support (<ulink | |
119 | url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on | |
120 | the local host. If true, enables full Multicast DNS responder and | |
121 | resolver support. If false, disables both. If set to | |
122 | <literal>resolve</literal>, only resolution support is enabled, | |
123 | but responding is disabled. Note that | |
124 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
125 | also maintains per-link Multicast DNS settings. Multicast DNS will be | |
126 | enabled on a link only if the per-link and the | |
127 | global setting is on.</para></listitem> | |
128 | </varlistentry> | |
129 | ||
519d39de LP |
130 | <varlistentry> |
131 | <term><varname>DNSSEC=</varname></term> | |
132 | <listitem><para>Takes a boolean argument or | |
1ed8c0fb | 133 | <literal>allow-downgrade</literal>. If true all DNS lookups are |
b83d91c0 | 134 | DNSSEC-validated locally (excluding LLMNR and Multicast |
c542f805 ZJS |
135 | DNS). If the response to a lookup request is detected to be invalid |
136 | a lookup failure is returned to applications. Note that | |
b83d91c0 LP |
137 | this mode requires a DNS server that supports DNSSEC. If the |
138 | DNS server does not properly support DNSSEC all validations | |
1ed8c0fb | 139 | will fail. If set to <literal>allow-downgrade</literal> DNSSEC |
b83d91c0 LP |
140 | validation is attempted, but if the server does not support |
141 | DNSSEC properly, DNSSEC mode is automatically disabled. Note | |
142 | that this mode makes DNSSEC validation vulnerable to | |
143 | "downgrade" attacks, where an attacker might be able to | |
144 | trigger a downgrade to non-DNSSEC mode by synthesizing a DNS | |
145 | response that suggests DNSSEC was not supported. If set to | |
146 | false, DNS lookups are not DNSSEC validated.</para> | |
519d39de LP |
147 | |
148 | <para>Note that DNSSEC validation requires retrieval of | |
149 | additional DNS data, and thus results in a small DNS look-up | |
150 | time penalty.</para> | |
151 | ||
152 | <para>DNSSEC requires knowledge of "trust anchors" to prove | |
153 | data integrity. The trust anchor for the Internet root domain | |
b5a8703f LP |
154 | is built into the resolver, additional trust anchors may be |
155 | defined with | |
156 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
c542f805 | 157 | Trust anchors may change at regular intervals, and old trust |
b5a8703f LP |
158 | anchors may be revoked. In such a case DNSSEC validation is |
159 | not possible until new trust anchors are configured locally or | |
160 | the resolver software package is updated with the new root | |
161 | trust anchor. In effect, when the built-in trust anchor is | |
162 | revoked and <varname>DNSSEC=</varname> is true, all further | |
163 | lookups will fail, as it cannot be proved anymore whether | |
164 | lookups are correctly signed, or validly unsigned. If | |
519d39de | 165 | <varname>DNSSEC=</varname> is set to |
1ed8c0fb | 166 | <literal>allow-downgrade</literal> the resolver will |
d57d3973 | 167 | automatically turn off DNSSEC validation in such a case.</para> |
519d39de LP |
168 | |
169 | <para>Client programs looking up DNS data will be informed | |
170 | whether lookups could be verified using DNSSEC, or whether the | |
171 | returned data could not be verified (either because the data | |
172 | was found unsigned in the DNS, or the DNS server did not | |
173 | support DNSSEC or no appropriate trust anchors were known). In | |
174 | the latter case it is assumed that client programs employ a | |
175 | secondary scheme to validate the returned DNS data, should | |
176 | this be required.</para> | |
177 | ||
178 | <para>It is recommended to set <varname>DNSSEC=</varname> to | |
d57d3973 | 179 | true on systems where it is known that the DNS server supports |
519d39de LP |
180 | DNSSEC correctly, and where software or trust anchor updates |
181 | happen regularly. On other systems it is recommended to set | |
182 | <varname>DNSSEC=</varname> to | |
1ed8c0fb | 183 | <literal>allow-downgrade</literal>.</para> |
ad6c0475 LP |
184 | |
185 | <para>In addition to this global DNSSEC setting | |
186 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
adc800a6 | 187 | also maintains per-link DNSSEC settings. For system DNS |
ad6c0475 | 188 | servers (see above), only the global DNSSEC setting is in |
adc800a6 | 189 | effect. For per-link DNS servers the per-link |
ad6c0475 LP |
190 | setting is in effect, unless it is unset in which case the |
191 | global setting is used instead.</para> | |
192 | ||
d33b6cf3 LP |
193 | <para>Site-private DNS zones generally conflict with DNSSEC |
194 | operation, unless a negative (if the private zone is not | |
195 | signed) or positive (if the private zone is signed) trust | |
196 | anchor is configured for them. If | |
197 | <literal>allow-downgrade</literal> mode is selected, it is | |
198 | attempted to detect site-private DNS zones using top-level | |
199 | domains (TLDs) that are not known by the DNS root server. This | |
200 | logic does not work in all private zone setups.</para> | |
201 | ||
f628e3ee | 202 | <para>Defaults to <literal>allow-downgrade</literal></para> |
519d39de LP |
203 | </listitem> |
204 | </varlistentry> | |
205 | ||
30e59c84 | 206 | <varlistentry> |
c9299be2 | 207 | <term><varname>DNSOverTLS=</varname></term> |
30e59c84 | 208 | <listitem> |
eec394f1 JT |
209 | <para>Takes a boolean argument or <literal>opportunistic</literal>. If |
210 | true all connections to the server will be encrypted. Note that this | |
211 | mode requires a DNS server that supports DNS-over-TLS and has a valid | |
212 | certificate. If the hostname was specified in <varname>DNS=</varname> | |
213 | by using the format format <literal>address#server_name</literal> it | |
214 | is used to validate its certificate and also to enable Server Name | |
215 | Indication (SNI) when opening a TLS connection. Otherwise | |
216 | the certificate is checked against the server's IP. | |
217 | If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para> | |
218 | ||
219 | <para>When set to <literal>opportunistic</literal> | |
30e59c84 IT |
220 | DNS request are attempted to send encrypted with DNS-over-TLS. |
221 | If the DNS server does not support TLS, DNS-over-TLS is disabled. | |
222 | Note that this mode makes DNS-over-TLS vulnerable to "downgrade" | |
223 | attacks, where an attacker might be able to trigger a downgrade | |
224 | to non-encrypted mode by synthesizing a response that suggests | |
225 | DNS-over-TLS was not supported. If set to false, DNS lookups | |
226 | are send over UDP.</para> | |
227 | ||
228 | <para>Note that DNS-over-TLS requires additional data to be | |
229 | send for setting up an encrypted connection, and thus results | |
230 | in a small DNS look-up time penalty.</para> | |
231 | ||
2f2b28ab RS |
232 | <para>Note that in <literal>opportunistic</literal> mode the |
233 | resolver is not capable of authenticating the server, so it is | |
234 | vulnerable to "man-in-the-middle" attacks.</para> | |
30e59c84 | 235 | |
c9299be2 | 236 | <para>In addition to this global DNSOverTLS setting |
30e59c84 | 237 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
c9299be2 IT |
238 | also maintains per-link DNSOverTLS settings. For system DNS |
239 | servers (see above), only the global DNSOverTLS setting is in | |
30e59c84 IT |
240 | effect. For per-link DNS servers the per-link |
241 | setting is in effect, unless it is unset in which case the | |
242 | global setting is used instead.</para> | |
243 | ||
244 | <para>Defaults to off.</para> | |
245 | </listitem> | |
246 | </varlistentry> | |
247 | ||
ceeddf79 MP |
248 | <varlistentry> |
249 | <term><varname>Cache=</varname></term> | |
d8c73cb7 ZJS |
250 | <listitem><para>Takes a boolean or <literal>no-negative</literal> as argument. If |
251 | <literal>yes</literal> (the default), resolving a domain name which already got queried earlier will | |
252 | return the previous result as long as it is still valid, and thus does not result in a new network | |
253 | request. Be aware that turning off caching comes at a performance penalty, which is particularly high | |
254 | when DNSSEC is used. If <literal>no-negative</literal>, only positive answers are cached.</para> | |
5bd73426 LP |
255 | |
256 | <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address | |
257 | (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem> | |
ceeddf79 MP |
258 | </varlistentry> |
259 | ||
1ae43295 DM |
260 | <varlistentry> |
261 | <term><varname>DNSStubListener=</varname></term> | |
262 | <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If | |
4b987478 | 263 | <literal>udp</literal>, a DNS stub resolver will listen for UDP requests on address 127.0.0.53 |
1ae43295 | 264 | port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If |
4b987478 | 265 | <literal>yes</literal> (the default), the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub |
1ae43295 DM |
266 | listener is disabled.</para> |
267 | ||
268 | <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already | |
269 | in use.</para></listitem> | |
270 | </varlistentry> | |
271 | ||
1f05101f SS |
272 | <varlistentry> |
273 | <term><varname>DNSStubListenerExtra=</varname></term> | |
274 | <listitem><para>Takes an IPv4 or IPv6 address to listen on. The address may optionally be prefixed by <literal>:</literal> and | |
275 | a protocol name (<literal>udp</literal> or <literal>tcp</literal>). When an IPv6 address is specified with a port number, then the | |
276 | address must be in the square brackets. This option can be specified multiple times. If an empty string is assigned, then the all | |
277 | previous assignments are cleared. It may also be optionally suffixed by a numeric port number with separator <literal>:</literal>. | |
278 | If the protocol is not specified, the service will listen on both <literal>UDP</literal> and <literal>TCP</literal>. If the port is not | |
279 | specified, then the service takes port as 53. This option may be used multiple times. Note that this is independent of the | |
280 | primary DNS stub configured with <varname>DNSStubListener=</varname>, and only configures <emphasis>additional</emphasis> | |
281 | sockets to listen on. Defaults to unset.</para> | |
282 | ||
283 | <para>If the string in the format <literal>udp</literal>:[<replaceable>x</replaceable>]:<replaceable>y</replaceable>, | |
284 | it is read as protocol <literal>udp</literal> and IPv6 address x on a port y.</para> | |
285 | ||
286 | <para>If the string in the format [<replaceable>x</replaceable>]:<replaceable>y</replaceable>, it is read as both protocol | |
287 | <literal>udp</literal> and <literal>tcp</literal>, IPv6 address x on a port y.</para> | |
288 | ||
289 | <para>If the string in the format <replaceable>x</replaceable>, it is read as protocol both <literal>udp</literal> and | |
290 | <literal>tcp</literal>, IPv6/IPv4 address x on a port 53.</para> | |
291 | ||
292 | <para>If the string in the format <literal>udp</literal>:<replaceable>x</replaceable>:<replaceable>y</replaceable>, | |
293 | it is read as protocol <literal>udp</literal> and IPv4 address x on a port y.</para> | |
294 | </listitem> | |
295 | </varlistentry> | |
296 | ||
86317087 YW |
297 | <varlistentry> |
298 | <term><varname>ReadEtcHosts=</varname></term> | |
2bd5e1b2 ZJS |
299 | <listitem><para>Takes a boolean argument. If <literal>yes</literal> (the default), |
300 | <command>systemd-resolved</command> will read <filename>/etc/hosts</filename>, and try to resolve | |
301 | hosts or address by using the entries in the file before sending query to DNS servers. | |
302 | </para></listitem> | |
86317087 YW |
303 | </varlistentry> |
304 | ||
2bd5e1b2 ZJS |
305 | <varlistentry> |
306 | <term><varname>ResolveUnicastSingleLabel=</varname></term> | |
307 | <listitem><para>Takes a boolean argument. When false (the default), | |
308 | <command>systemd-resolved</command> will not resolve A and AAAA queries for single-label names over | |
309 | classic DNS. Note that such names may still be resolved if search domains are specified (see | |
310 | <varname>Domains=</varname> above), or using other mechanisms, in particular via LLMNR or from | |
311 | <filename>/etc/hosts</filename>. When true, queries for single-label names will be forwarded to | |
312 | global DNS servers even if no search domains are defined. | |
313 | </para> | |
314 | ||
315 | <para>This option is provided for compatibility with configurations where <emphasis>public DNS | |
316 | servers are not used</emphasis>. Forwarding single-label names to servers not under your control is | |
317 | not standard-conformant, see <ulink | |
318 | url="https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB | |
319 | Statement</ulink>, and may create a privacy and security risk.</para></listitem> | |
320 | </varlistentry> | |
798d3a52 ZJS |
321 | </variablelist> |
322 | </refsect1> | |
323 | ||
324 | <refsect1> | |
325 | <title>See Also</title> | |
326 | <para> | |
327 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
328 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
329 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
b5a8703f | 330 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
524f3e5c | 331 | <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry> |
798d3a52 ZJS |
332 | </para> |
333 | </refsect1> | |
091a364c TG |
334 | |
335 | </refentry> |