]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/resolved.conf.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
resolve: rename PrivateDNS to DNSOverTLS
[thirdparty/systemd.git] / man / resolved.conf.xml
1 <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5 <!--
6 SPDX-License-Identifier: LGPL-2.1+
7
8 This file is part of systemd.
9
10 Copyright 2014 Tom Gundersen
11 -->
12
13 <refentry id="resolved.conf" conditional='ENABLE_RESOLVE'
14 xmlns:xi="http://www.w3.org/2001/XInclude">
15 <refentryinfo>
16 <title>resolved.conf</title>
17 <productname>systemd</productname>
18
19 <authorgroup>
20 <author>
21 <contrib>Developer</contrib>
22 <firstname>Tom</firstname>
23 <surname>Gundersen</surname>
24 <email>teg@jklm.no</email>
25 </author>
26 </authorgroup>
27 </refentryinfo>
28
29 <refmeta>
30 <refentrytitle>resolved.conf</refentrytitle>
31 <manvolnum>5</manvolnum>
32 </refmeta>
33
34 <refnamediv>
35 <refname>resolved.conf</refname>
36 <refname>resolved.conf.d</refname>
37 <refpurpose>Network Name Resolution configuration files</refpurpose>
38 </refnamediv>
39
40 <refsynopsisdiv>
41 <para><filename>/etc/systemd/resolved.conf</filename></para>
42 <para><filename>/etc/systemd/resolved.conf.d/*.conf</filename></para>
43 <para><filename>/run/systemd/resolved.conf.d/*.conf</filename></para>
44 <para><filename>/usr/lib/systemd/resolved.conf.d/*.conf</filename></para>
45 </refsynopsisdiv>
46
47 <refsect1>
48 <title>Description</title>
49
50 <para>These configuration files control local DNS and LLMNR
51 name resolution.</para>
52
53 </refsect1>
54
55 <xi:include href="standard-conf.xml" xpointer="main-conf" />
56
57 <refsect1>
58 <title>Options</title>
59
60 <para>The following options are available in the <literal>[Resolve]</literal> section:</para>
61
62 <variablelist class='network-directives'>
63
64 <varlistentry>
65 <term><varname>DNS=</varname></term>
66 <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. DNS requests
67 are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from
68 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
69 set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS
70 servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers
71 are configured in it. This setting defaults to the empty list.</para></listitem>
72 </varlistentry>
73
74 <varlistentry>
75 <term><varname>FallbackDNS=</varname></term>
76 <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any
77 per-link DNS servers obtained from
78 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
79 take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or
80 <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is
81 known. If this option is not given, a compiled-in list of DNS servers is used instead.</para></listitem>
82 </varlistentry>
83
84 <varlistentry>
85 <term><varname>Domains=</varname></term>
86 <listitem><para>A space-separated list of domains. These domains are used as search suffixes when resolving
87 single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified
88 domain names (FQDNs). Search domains are strictly processed in the order they are specified, until the name
89 with the suffix appended is found. For compatibility reasons, if this setting is not specified, the search
90 domains listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any domains
91 are configured in it. This setting defaults to the empty list.</para>
92
93 <para>Specified domain names may optionally be prefixed with <literal>~</literal>. In this case they do not
94 define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured
95 with the system <varname>DNS=</varname> setting (see above), in case additional, suitable per-link DNS servers
96 are known. If no per-link DNS servers are known using the <literal>~</literal> syntax has no effect. Use the
97 construct <literal>~.</literal> (which is composed of <literal>~</literal> to indicate a routing domain and
98 <literal>.</literal> to indicate the DNS root domain that is the implied suffix of all DNS domains) to use the
99 system DNS server defined with <varname>DNS=</varname> preferably for all domains.</para></listitem>
100 </varlistentry>
101
102 <varlistentry>
103 <term><varname>LLMNR=</varname></term>
104 <listitem><para>Takes a boolean argument or
105 <literal>resolve</literal>. Controls Link-Local Multicast Name
106 Resolution support (<ulink
107 url="https://tools.ietf.org/html/rfc4795">RFC 4794</ulink>) on
108 the local host. If true, enables full LLMNR responder and
109 resolver support. If false, disables both. If set to
110 <literal>resolve</literal>, only resolution support is enabled,
111 but responding is disabled. Note that
112 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
113 also maintains per-link LLMNR settings. LLMNR will be
114 enabled on a link only if the per-link and the
115 global setting is on.</para></listitem>
116 </varlistentry>
117
118 <varlistentry>
119 <term><varname>MulticastDNS=</varname></term>
120 <listitem><para>Takes a boolean argument or
121 <literal>resolve</literal>. Controls Multicast DNS support (<ulink
122 url="https://tools.ietf.org/html/rfc6762">RFC 6762</ulink>) on
123 the local host. If true, enables full Multicast DNS responder and
124 resolver support. If false, disables both. If set to
125 <literal>resolve</literal>, only resolution support is enabled,
126 but responding is disabled. Note that
127 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
128 also maintains per-link Multicast DNS settings. Multicast DNS will be
129 enabled on a link only if the per-link and the
130 global setting is on.</para></listitem>
131 </varlistentry>
132
133 <varlistentry>
134 <term><varname>DNSSEC=</varname></term>
135 <listitem><para>Takes a boolean argument or
136 <literal>allow-downgrade</literal>. If true all DNS lookups are
137 DNSSEC-validated locally (excluding LLMNR and Multicast
138 DNS). If the response to a lookup request is detected to be invalid
139 a lookup failure is returned to applications. Note that
140 this mode requires a DNS server that supports DNSSEC. If the
141 DNS server does not properly support DNSSEC all validations
142 will fail. If set to <literal>allow-downgrade</literal> DNSSEC
143 validation is attempted, but if the server does not support
144 DNSSEC properly, DNSSEC mode is automatically disabled. Note
145 that this mode makes DNSSEC validation vulnerable to
146 "downgrade" attacks, where an attacker might be able to
147 trigger a downgrade to non-DNSSEC mode by synthesizing a DNS
148 response that suggests DNSSEC was not supported. If set to
149 false, DNS lookups are not DNSSEC validated.</para>
150
151 <para>Note that DNSSEC validation requires retrieval of
152 additional DNS data, and thus results in a small DNS look-up
153 time penalty.</para>
154
155 <para>DNSSEC requires knowledge of "trust anchors" to prove
156 data integrity. The trust anchor for the Internet root domain
157 is built into the resolver, additional trust anchors may be
158 defined with
159 <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
160 Trust anchors may change at regular intervals, and old trust
161 anchors may be revoked. In such a case DNSSEC validation is
162 not possible until new trust anchors are configured locally or
163 the resolver software package is updated with the new root
164 trust anchor. In effect, when the built-in trust anchor is
165 revoked and <varname>DNSSEC=</varname> is true, all further
166 lookups will fail, as it cannot be proved anymore whether
167 lookups are correctly signed, or validly unsigned. If
168 <varname>DNSSEC=</varname> is set to
169 <literal>allow-downgrade</literal> the resolver will
170 automatically turn off DNSSEC validation in such a case.</para>
171
172 <para>Client programs looking up DNS data will be informed
173 whether lookups could be verified using DNSSEC, or whether the
174 returned data could not be verified (either because the data
175 was found unsigned in the DNS, or the DNS server did not
176 support DNSSEC or no appropriate trust anchors were known). In
177 the latter case it is assumed that client programs employ a
178 secondary scheme to validate the returned DNS data, should
179 this be required.</para>
180
181 <para>It is recommended to set <varname>DNSSEC=</varname> to
182 true on systems where it is known that the DNS server supports
183 DNSSEC correctly, and where software or trust anchor updates
184 happen regularly. On other systems it is recommended to set
185 <varname>DNSSEC=</varname> to
186 <literal>allow-downgrade</literal>.</para>
187
188 <para>In addition to this global DNSSEC setting
189 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
190 also maintains per-link DNSSEC settings. For system DNS
191 servers (see above), only the global DNSSEC setting is in
192 effect. For per-link DNS servers the per-link
193 setting is in effect, unless it is unset in which case the
194 global setting is used instead.</para>
195
196 <para>Site-private DNS zones generally conflict with DNSSEC
197 operation, unless a negative (if the private zone is not
198 signed) or positive (if the private zone is signed) trust
199 anchor is configured for them. If
200 <literal>allow-downgrade</literal> mode is selected, it is
201 attempted to detect site-private DNS zones using top-level
202 domains (TLDs) that are not known by the DNS root server. This
203 logic does not work in all private zone setups.</para>
204
205 <para>Defaults to off.</para>
206 </listitem>
207 </varlistentry>
208
209 <varlistentry>
210 <term><varname>DNSOverTLS=</varname></term>
211 <listitem>
212 <para>Takes false or
213 <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>
214 DNS request are attempted to send encrypted with DNS-over-TLS.
215 If the DNS server does not support TLS, DNS-over-TLS is disabled.
216 Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
217 attacks, where an attacker might be able to trigger a downgrade
218 to non-encrypted mode by synthesizing a response that suggests
219 DNS-over-TLS was not supported. If set to false, DNS lookups
220 are send over UDP.</para>
221
222 <para>Note that DNS-over-TLS requires additional data to be
223 send for setting up an encrypted connection, and thus results
224 in a small DNS look-up time penalty.</para>
225
226 <para>Note as the resolver is not capable of authenticating
227 the server, it is vulnerable for "man-in-the-middle" attacks.</para>
228
229 <para>In addition to this global DNSOverTLS setting
230 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
231 also maintains per-link DNSOverTLS settings. For system DNS
232 servers (see above), only the global DNSOverTLS setting is in
233 effect. For per-link DNS servers the per-link
234 setting is in effect, unless it is unset in which case the
235 global setting is used instead.</para>
236
237 <para>Defaults to off.</para>
238 </listitem>
239 </varlistentry>
240
241 <varlistentry>
242 <term><varname>Cache=</varname></term>
243 <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
244 queried earlier will return the previous result as long as it is still valid, and thus does not result in a new
245 network request. Be aware that turning off caching comes at a performance penalty, which is particularly
246 high when DNSSEC is used.</para>
247
248 <para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
249 (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem>
250 </varlistentry>
251
252 <varlistentry>
253 <term><varname>DNSStubListener=</varname></term>
254 <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If
255 <literal>udp</literal> (the default), a DNS stub resolver will listen for UDP requests on address 127.0.0.53
256 port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If
257 <literal>yes</literal>, the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub
258 listener is disabled.</para>
259
260 <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already
261 in use.</para></listitem>
262 </varlistentry>
263
264 </variablelist>
265 </refsect1>
266
267 <refsect1>
268 <title>See Also</title>
269 <para>
270 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
271 <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
272 <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
273 <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
274 <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>4</manvolnum></citerefentry>
275 </para>
276 </refsect1>
277
278 </refentry>
Unnamed repository; edit this file 'description' to name the repository.