2 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1+ -->
6 <refentry id=
"resolved.conf" conditional='ENABLE_RESOLVE'
7 xmlns:
xi=
"http://www.w3.org/2001/XInclude">
9 <title>resolved.conf
</title>
10 <productname>systemd
</productname>
14 <refentrytitle>resolved.conf
</refentrytitle>
15 <manvolnum>5</manvolnum>
19 <refname>resolved.conf
</refname>
20 <refname>resolved.conf.d
</refname>
21 <refpurpose>Network Name Resolution configuration files
</refpurpose>
25 <para><filename>/etc/systemd/resolved.conf
</filename></para>
26 <para><filename>/etc/systemd/resolved.conf.d/*.conf
</filename></para>
27 <para><filename>/run/systemd/resolved.conf.d/*.conf
</filename></para>
28 <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf
</filename></para>
32 <title>Description
</title>
34 <para>These configuration files control local DNS and LLMNR
35 name resolution.
</para>
39 <xi:include href=
"standard-conf.xml" xpointer=
"main-conf" />
42 <title>Options
</title>
44 <para>The following options are available in the [Resolve] section:
</para>
46 <variablelist class='network-directives'
>
49 <term><varname>DNS=
</varname></term>
50 <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. Each address can
51 optionally take a port number separated with
<literal>:
</literal>, a network interface name or index separated with
52 <literal>%
</literal>, and a Server Name Indication (SNI) separated with
<literal>#
</literal>. When IPv6 address is
53 specified with a port number, then the address must be in the square brackets. That is, the acceptable full formats
54 are
<literal>111.222.333.444:
9953%ifname#example.com
</literal> for IPv4 and
55 <literal>[
1111:
2222::
3333]:
9953%ifname#example.com
</literal> for IPv6. DNS requests are sent to one of the listed
56 DNS servers in parallel to suitable per-link DNS servers acquired from
57 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
58 set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS
59 servers listed in
<filename>/etc/resolv.conf
</filename> are used instead, if that file exists and any servers
60 are configured in it. This setting defaults to the empty list.
</para></listitem>
64 <term><varname>FallbackDNS=
</varname></term>
65 <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Please see
66 <varname>DNS=
</varname> for acceptable format of adddresses. Any per-link DNS servers obtained from
67 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
68 take precedence over this setting, as do any servers set via
<varname>DNS=
</varname> above or
69 <filename>/etc/resolv.conf
</filename>. This setting is hence only used if no other DNS server information is
70 known. If this option is not given, a compiled-in list of DNS servers is used instead.
</para></listitem>
74 <term><varname>Domains=
</varname></term>
75 <listitem><para>A space-separated list of domains optionally prefixed with
<literal>~
</literal>,
76 used for two distinct purposes described below. Defaults to the empty list.
</para>
78 <para>Any domains
<emphasis>not
</emphasis> prefixed with
<literal>~
</literal> are used as search
79 suffixes when resolving single-label hostnames (domain names which contain no dot), in order to
80 qualify them into fully-qualified domain names (FQDNs). These
"search domains" are strictly processed
81 in the order they are specified in, until the name with the suffix appended is found. For
82 compatibility reasons, if this setting is not specified, the search domains listed in
83 <filename>/etc/resolv.conf
</filename> with the
<varname>search
</varname> keyword are used instead, if
84 that file exists and any domains are configured in it.
</para>
86 <para>The domains prefixed with
<literal>~
</literal> are called
"routing domains". All domains listed
87 here (both search domains and routing domains after removing the
<literal>~
</literal> prefix) define
88 a search path that preferably directs DNS queries to this interface. This search path has an effect
89 only when suitable per-link DNS servers are known. Such servers may be defined through the
90 <varname>DNS=
</varname> setting (see above) and dynamically at run time, for example from DHCP
91 leases. If no per-link DNS servers are known, routing domains have no effect.
</para>
93 <para>Use the construct
<literal>~.
</literal> (which is composed from
<literal>~
</literal> to
94 indicate a routing domain and
<literal>.
</literal> to indicate the DNS root domain that is the
95 implied suffix of all DNS domains) to use the DNS servers defined for this link preferably for all
96 domains.
</para></listitem>
100 <term><varname>LLMNR=
</varname></term>
101 <listitem><para>Takes a boolean argument or
102 <literal>resolve
</literal>. Controls Link-Local Multicast Name
103 Resolution support (
<ulink
104 url=
"https://tools.ietf.org/html/rfc4795">RFC
4795</ulink>) on
105 the local host. If true, enables full LLMNR responder and
106 resolver support. If false, disables both. If set to
107 <literal>resolve
</literal>, only resolution support is enabled,
108 but responding is disabled. Note that
109 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
110 also maintains per-link LLMNR settings. LLMNR will be
111 enabled on a link only if the per-link and the
112 global setting is on.
</para></listitem>
116 <term><varname>MulticastDNS=
</varname></term>
117 <listitem><para>Takes a boolean argument or
118 <literal>resolve
</literal>. Controls Multicast DNS support (
<ulink
119 url=
"https://tools.ietf.org/html/rfc6762">RFC
6762</ulink>) on
120 the local host. If true, enables full Multicast DNS responder and
121 resolver support. If false, disables both. If set to
122 <literal>resolve
</literal>, only resolution support is enabled,
123 but responding is disabled. Note that
124 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
125 also maintains per-link Multicast DNS settings. Multicast DNS will be
126 enabled on a link only if the per-link and the
127 global setting is on.
</para></listitem>
131 <term><varname>DNSSEC=
</varname></term>
132 <listitem><para>Takes a boolean argument or
133 <literal>allow-downgrade
</literal>. If true all DNS lookups are
134 DNSSEC-validated locally (excluding LLMNR and Multicast
135 DNS). If the response to a lookup request is detected to be invalid
136 a lookup failure is returned to applications. Note that
137 this mode requires a DNS server that supports DNSSEC. If the
138 DNS server does not properly support DNSSEC all validations
139 will fail. If set to
<literal>allow-downgrade
</literal> DNSSEC
140 validation is attempted, but if the server does not support
141 DNSSEC properly, DNSSEC mode is automatically disabled. Note
142 that this mode makes DNSSEC validation vulnerable to
143 "downgrade" attacks, where an attacker might be able to
144 trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
145 response that suggests DNSSEC was not supported. If set to
146 false, DNS lookups are not DNSSEC validated.
</para>
148 <para>Note that DNSSEC validation requires retrieval of
149 additional DNS data, and thus results in a small DNS look-up
152 <para>DNSSEC requires knowledge of
"trust anchors" to prove
153 data integrity. The trust anchor for the Internet root domain
154 is built into the resolver, additional trust anchors may be
156 <citerefentry><refentrytitle>dnssec-trust-anchors.d
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
157 Trust anchors may change at regular intervals, and old trust
158 anchors may be revoked. In such a case DNSSEC validation is
159 not possible until new trust anchors are configured locally or
160 the resolver software package is updated with the new root
161 trust anchor. In effect, when the built-in trust anchor is
162 revoked and
<varname>DNSSEC=
</varname> is true, all further
163 lookups will fail, as it cannot be proved anymore whether
164 lookups are correctly signed, or validly unsigned. If
165 <varname>DNSSEC=
</varname> is set to
166 <literal>allow-downgrade
</literal> the resolver will
167 automatically turn off DNSSEC validation in such a case.
</para>
169 <para>Client programs looking up DNS data will be informed
170 whether lookups could be verified using DNSSEC, or whether the
171 returned data could not be verified (either because the data
172 was found unsigned in the DNS, or the DNS server did not
173 support DNSSEC or no appropriate trust anchors were known). In
174 the latter case it is assumed that client programs employ a
175 secondary scheme to validate the returned DNS data, should
176 this be required.
</para>
178 <para>It is recommended to set
<varname>DNSSEC=
</varname> to
179 true on systems where it is known that the DNS server supports
180 DNSSEC correctly, and where software or trust anchor updates
181 happen regularly. On other systems it is recommended to set
182 <varname>DNSSEC=
</varname> to
183 <literal>allow-downgrade
</literal>.
</para>
185 <para>In addition to this global DNSSEC setting
186 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
187 also maintains per-link DNSSEC settings. For system DNS
188 servers (see above), only the global DNSSEC setting is in
189 effect. For per-link DNS servers the per-link
190 setting is in effect, unless it is unset in which case the
191 global setting is used instead.
</para>
193 <para>Site-private DNS zones generally conflict with DNSSEC
194 operation, unless a negative (if the private zone is not
195 signed) or positive (if the private zone is signed) trust
196 anchor is configured for them. If
197 <literal>allow-downgrade
</literal> mode is selected, it is
198 attempted to detect site-private DNS zones using top-level
199 domains (TLDs) that are not known by the DNS root server. This
200 logic does not work in all private zone setups.
</para>
202 <para>Defaults to
<literal>allow-downgrade
</literal></para>
207 <term><varname>DNSOverTLS=
</varname></term>
209 <para>Takes a boolean argument or
<literal>opportunistic
</literal>. If
210 true all connections to the server will be encrypted. Note that this
211 mode requires a DNS server that supports DNS-over-TLS and has a valid
212 certificate. If the hostname was specified in
<varname>DNS=
</varname>
213 by using the format format
<literal>address#server_name
</literal> it
214 is used to validate its certificate and also to enable Server Name
215 Indication (SNI) when opening a TLS connection. Otherwise
216 the certificate is checked against the server's IP.
217 If the DNS server does not support DNS-over-TLS all DNS requests will fail.
</para>
219 <para>When set to
<literal>opportunistic
</literal>
220 DNS request are attempted to send encrypted with DNS-over-TLS.
221 If the DNS server does not support TLS, DNS-over-TLS is disabled.
222 Note that this mode makes DNS-over-TLS vulnerable to
"downgrade"
223 attacks, where an attacker might be able to trigger a downgrade
224 to non-encrypted mode by synthesizing a response that suggests
225 DNS-over-TLS was not supported. If set to false, DNS lookups
226 are send over UDP.
</para>
228 <para>Note that DNS-over-TLS requires additional data to be
229 send for setting up an encrypted connection, and thus results
230 in a small DNS look-up time penalty.
</para>
232 <para>Note that in
<literal>opportunistic
</literal> mode the
233 resolver is not capable of authenticating the server, so it is
234 vulnerable to
"man-in-the-middle" attacks.
</para>
236 <para>In addition to this global DNSOverTLS setting
237 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
238 also maintains per-link DNSOverTLS settings. For system DNS
239 servers (see above), only the global DNSOverTLS setting is in
240 effect. For per-link DNS servers the per-link
241 setting is in effect, unless it is unset in which case the
242 global setting is used instead.
</para>
244 <para>Defaults to off.
</para>
249 <term><varname>Cache=
</varname></term>
250 <listitem><para>Takes a boolean or
<literal>no-negative
</literal> as argument. If
251 <literal>yes
</literal> (the default), resolving a domain name which already got queried earlier will
252 return the previous result as long as it is still valid, and thus does not result in a new network
253 request. Be aware that turning off caching comes at a performance penalty, which is particularly high
254 when DNSSEC is used. If
<literal>no-negative
</literal>, only positive answers are cached.
</para>
256 <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
257 (such as
127.0.0.1 or ::
1), in order to avoid duplicate local caching.
</para></listitem>
261 <term><varname>DNSStubListener=
</varname></term>
262 <listitem><para>Takes a boolean argument or one of
<literal>udp
</literal> and
<literal>tcp
</literal>. If
263 <literal>udp
</literal>, a DNS stub resolver will listen for UDP requests on address
127.0.0.53
264 port
53. If
<literal>tcp
</literal>, the stub will listen for TCP requests on the same address and port. If
265 <literal>yes
</literal> (the default), the stub listens for both UDP and TCP requests. If
<literal>no
</literal>, the stub
266 listener is disabled.
</para>
268 <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already
269 in use.
</para></listitem>
273 <term><varname>ReadEtcHosts=
</varname></term>
274 <listitem><para>Takes a boolean argument. If
<literal>yes
</literal> (the default),
275 <command>systemd-resolved
</command> will read
<filename>/etc/hosts
</filename>, and try to resolve
276 hosts or address by using the entries in the file before sending query to DNS servers.
281 <term><varname>ResolveUnicastSingleLabel=
</varname></term>
282 <listitem><para>Takes a boolean argument. When false (the default),
283 <command>systemd-resolved
</command> will not resolve A and AAAA queries for single-label names over
284 classic DNS. Note that such names may still be resolved if search domains are specified (see
285 <varname>Domains=
</varname> above), or using other mechanisms, in particular via LLMNR or from
286 <filename>/etc/hosts
</filename>. When true, queries for single-label names will be forwarded to
287 global DNS servers even if no search domains are defined.
290 <para>This option is provided for compatibility with configurations where
<emphasis>public DNS
291 servers are not used
</emphasis>. Forwarding single-label names to servers not under your control is
292 not standard-conformant, see
<ulink
293 url=
"https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB
294 Statement
</ulink>, and may create a privacy and security risk.
</para></listitem>
300 <title>See Also
</title>
302 <citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
303 <citerefentry><refentrytitle>systemd-resolved.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
304 <citerefentry><refentrytitle>systemd-networkd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
305 <citerefentry><refentrytitle>dnssec-trust-anchors.d
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
306 <citerefentry project='man-pages'
><refentrytitle>resolv.conf
</refentrytitle><manvolnum>4</manvolnum></citerefentry>
projects / thirdparty / systemd.git / blob