I recently tried to enable system-wide DNS over HTTPS on Fedora. To do so I had to do some research and found out how confusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

The average user would still try to change DNS settings by editing /etc/resolv.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.

Modern browsers use their built-in DNS settings, which adds to the confusion.

I think this is one area that Linux needs more work and more standardization.

How do you think it should be fixed?
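Two things the opening post leaves implicit are what the resolved drop-in actually needs to contain and how to tell which backend currently owns /etc/resolv.conf. This added script (not part of the post) does both; the ROOT variable, the file name `dot.conf` and the two upstream servers in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: write the systemd-resolved drop-in the post describes, pinning
# DNS-over-TLS upstreams, and report which backend owns /etc/resolv.conf.
# ROOT is an assumption for dry runs (ROOT=/tmp/fakeroot); empty means the live system.
ROOT="${ROOT:-}"

# write_resolved_dropin NAME SERVER... : creates /etc/systemd/resolved.conf.d/NAME.conf
# Servers use the ip#hostname form so resolved can validate the TLS certificate,
# e.g. 1.1.1.1#cloudflare-dns.com (illustrative upstream, pick your own).
write_resolved_dropin() {
    name="$1"; shift
    dir="$ROOT/etc/systemd/resolved.conf.d"
    mkdir -p "$dir"
    {
        echo "[Resolve]"
        echo "DNS=$*"
        echo "DNSOverTLS=yes"      # strict mode: no plaintext if TLS fails
        echo "FallbackDNS="        # clear the compiled-in plaintext fallbacks
    } > "$dir/$name.conf"
}

# resolv_conf_owner : print which tool is generating /etc/resolv.conf
resolv_conf_owner() {
    f="$ROOT/etc/resolv.conf"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            *stub-resolv.conf) echo "systemd-resolved (stub 127.0.0.53)"; return 0 ;;
            *systemd/resolve/resolv.conf) echo "systemd-resolved (upstream list, stub bypassed)"; return 0 ;;
        esac
    fi
    if grep -q 'Generated by NetworkManager' "$f" 2>/dev/null; then
        echo "NetworkManager"
    elif grep -qi 'resolvconf' "$f" 2>/dev/null; then
        echo "resolvconf"
    else
        echo "static file (hand-edited or unknown)"
    fi
}

# Usage: dns-dropin.sh status | dns-dropin.sh apply SERVER...
# "apply" restarts the real systemd-resolved, so only use it with ROOT empty.
case "${1:-}" in
    status) resolv_conf_owner ;;
    apply)  shift; write_resolved_dropin dot "$@" && systemctl restart systemd-resolved ;;
esac
```

After applying, `resolvectl status` should list the upstreams with `+DNSOverTLS` on the global scope; if it does not, the drop-in directory is not being read.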

  • craigevil (7 points, 2 years ago)

    No problems here using /etc/systemd/resolved.conf for NextDNS settings. I also set the dns settings for NextDNS in Firefox.

  • @[email protected] (3 points, 2 years ago)

    I wouldn’t call it a mess. There’s a reason it’s not standard. It’s because Linux is about having choices. Linux users have such a variety of use cases and there are a zillion different kinds of hardware it runs on. There’s no one thing that works for everyone.

    I think this flexibility is a big part of what makes Linux special but also what makes it difficult for newcomers. The documentation on all the various software is typically very good to excellent. The harder part is figuring out which choice to make in the first place.

    I don’t really have any answers except to take it all in and be more willing to do some research than some other platforms may require.

    System-wide DoH is sort of a power user thing to begin with so other platforms will likely be similar. I think you would probably be using some kind of app to do it on Windows or Mac.

    By the way, you might want to take a look at stubby for your situation. I did something similar a few weeks back and that’s what I used. It runs a little local DNS proxy that forwards requests to your upstream servers. Then you would set your DNS server to 127.0.0.1 in NetworkManager or whatever you’re using. You have to change like 3 lines in the default stubby config a typical distro may provide to make it work.

  • @[email protected] (1 point, 2 years ago)

    Well, I’m not using systemd and Portmaster (safing.io, free open source without the VPN tunnels) has DNS control over any request your Linux does… I don’t think I have any issues here… hehe

  • @[email protected] (9 points, 2 years ago)

    You haven’t used Ubuntu Server… The resolv.conf is managed by the network manager (NetworkManager if I recall correctly). But if you configure the DNS in NM it won’t survive the reboot because there is another layer on top, cloudinit.

    • JWBananas (4 points, 2 years ago)

      Cloud-init is fairly well documented:

      https://cloudinit.readthedocs.io/en/latest/reference/network-config-format-v2.html#nameservers-mapping

      But if you do not need it (and if you’re configuring DNS by hand, it doesn’t sound like you do), you can disable it entirely:

      https://cloudinit.readthedocs.io/en/latest/howto/disable_cloud_init.html

      resolv.conf itself should be managed by systemd-resolved on any modern Ubuntu Server release. And that service will use the DNS settings provided by netplan.

      With cloud-init disabled, you should have the freedom to create/edit configuration files in /etc/netplan and apply changes with netplan apply.

    • mFat (OP) (5 points, 2 years ago)

      This is terrible. At least they should deprecate that file.

      • lemmyvore (5 points, 2 years ago)

        Can’t, it’s hardcoded by too many programs out there. resolv.conf is still the place to get DNS configuration, but it was hijacked by various “helping” tools so you can’t edit it manually anymore. Why they couldn’t stick to adding /etc/resolv.d/*.conf files like so many other /etc/ stuff, I’ll never know.

        • JWBananas (2 points, 2 years ago)

          You basically just made the case for exactly why.

          Programs should be using the system resolver, not parsing that file.

          The system resolver should have predictable behavior. But if other programs are doing their own DNS resolution (or otherwise predicating their functionality) based directly on the contents of resolv.conf then their behavior will not always be consistent with the system resolver (or with how the sysadmin intended things to function).

          And that can break things in subtle, unpredictable ways, which is always a headache.

          Thus, on some modern systems, resolv.conf simply declares the local systemd-resolved instance (i.e. 127.0.0.1) and nothing else.

          A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace. Want to ensure DNS lookups for specific apps occur only through your VPN-specific DNS servers but all other apps only use the normal system resolvers (i.e. no leaking from either side of the divide)? Want to also ensure DNS lookups for those specific apps fail when the VPN is down (again, as opposed to leaking)? systemd-resolved has your back.

          And before anyone asks, yes, I am aware there are other, more crude and convoluted ways to do that with e.g. iptables (just like you can use crude, inconsistent init.d spaghetti scripts to manage services). It’s just one single real-world example.

          A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

          The point is to configure everything using consistent, predictable configuration files and syntax, and to ensure consistent, predictable behavior.

          But if you ultimately still want resolv.conf.d back, then your distro of choice undoubtedly provides a way to do so.

          • lemmyvore (2 points, 2 years ago)

            Programs should be using the system resolver, not parsing that file.

            What’s a “system resolver”? We’re talking about DNS servers. You’re either running one locally or not. Either way, you need a way for everybody to know what DNS servers to use, regardless of whether you run one on the machine. That’s where resolv.conf comes in.

            And that can break things in subtle, unpredictable ways, which is always a headache.

            Let’s see some examples.

            A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

            Good, because that has nothing to do with DNS, it’s a matter of routing. They’re orthogonal issues.

  • @[email protected] (23 points, 2 years ago)

    Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

    Nor should there be. That’s what the configuration files are for, and the utility to edit them is the editor of your choice.

  • @[email protected] (3 points, edited, 2 years ago)

    Just between yesterday and today I was struggling with this, to get DoH or DoT working, but Network Manager would override /etc/resolv.conf. At least I figured out how to stop NM from modifying the DNS.

    I tried putting my DNS settings in /etc/systemd/resolv.conf, as suggested by the NextDNS setup page, but that didn’t seem to work, at least on Tumbleweed. On my Debian laptop running as a headless server, the /etc/systemd/resolv.conf does work.

    I’m currently with Stubby, and it’s working at least, but I would’ve liked to figure out the systemd-resolved way on Tumbleweed.

    • @[email protected] (10 points, 2 years ago)

      In defense of systemd-resolved, it’s meant for static configurations. I absolutely love it for my stationary machines for its simplicity and tooling. However, for machines that might need to change settings at one point - say notebooks - I’d never consider it. Same for systemd-networkd.

  • _cnt0 (15 points, 2 years ago)

    My two cents: Yes, it’s bad. The biggest hurdle to people not “intimately familiar” with their distro is A) what it’s using for DNS configuration and B) realizing that there are so many different ways in different distributions, and sometimes within one distribution, that you have to be very careful what googled results you follow. That many browsers do their own thing doesn’t help. I think the best way to solve it would be some desktop-level abstraction like PackageKit where it doesn’t really matter what service does the resolving under the hood.

  • Venia Silente (8 points, 2 years ago)

    Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

    Because it’s systemd. You take it or you take it. Brought to you by the same people who brought PulseAudio and GNOME 3.

    The average user would still try to change DNS settings by editing /etc/resolv.conf (which is overwritten and will not survive reboots)

    True, but at least by this point it is documented everywhere (at least on Arch and Debian) and if you want to play around with resolv.conf their go-to interface is to install resolvconf and edit only the base or head files.

    How do you think it should be fixed?

    IMO people should just install and learn to use dnsmasq / bind9. They’re there precisely to cover most cases (including forwarding local DNS queries to DoH, or having your own intranet, etc).

  • @[email protected] (44 points, 2 years ago)

    changing settings in Network Manager.

    What’s wrong with this method? I feel like this is the main one and it works well for me. Even if you were using systemd-resolved, I believe it still works.

    • mFat (OP) (13 points, 2 years ago)

      1. It doesn’t support DoH.
      2. It’s set per connection, not system-wide. If you connect to another wifi network you have to set DNS again.

    • @[email protected] (19 points, 2 years ago)

      This is the answer for desktop Linux. Have NM create the drop in for systemd-resolved when the settings are changed. This is NM’s job.

  • @[email protected] (19 points, 2 years ago)

    Slightly off topic, but as long as we’re ranting about DNS…

    Proxmox handles DNS for each container as a setting in the hypervisor. It’s not a bad way of simplifying things, but if, hypothetically, you didn’t know about that, then you could find yourself in a situation where you spend an entire afternoon trying every single one of the million different ways to edit DNS in Linux and getting increasingly frustrated because the IP gets overwritten every time you restart the container no matter what you do, until eventually you figure out that the solution is just like three clicks and a text entry box in the Proxmox GUI!

    …Hypothetically, of course.

  • @[email protected] (53 points, 2 years ago)

    The average user would still try to change DNS settings by editing /etc/resolv.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

    No. The average user would use NetworkManager GUI integrated into DE.

    • mFat (OP) (3 points, 2 years ago)

      Network Manager doesn’t support DOH.

      • Free Palestine 🇵🇸 (3 points, 2 years ago)

          Android supports DoT, and it can be easily configured by the user. They call it ‘Private DNS’ though, in order to not confuse users with terminology like ‘DNS-over-TLS’. Also most browsers support DoH, Chromium just calls it ‘Secure DNS’, again, in order not to confuse users. NetworkManager could definitely implement DNSCrypt, DoT and DoH, maybe even DoQ and just call it ‘Encrypted DNS’ and add a toggle to choose the protocol.

  • [email protected] (6 points, 2 years ago)

    Very much agreed 👍 I realized this when using dnscrypt to set the DNS settings. There is resolv.conf, which used to be the final authority regarding your DNS. Now I don’t know anymore.

  • 𝘋𝘪𝘳𝘬 (13 points, 2 years ago)

    No software should EVER touch any DNS related configuration or file and no application should bring its own system for DNS requests. Everything regarding DNS, without any exception, should be done by the application that sets up and handles the network connection.

    • @[email protected] (1 point, 2 years ago)

      No software should EVER touch any DNS related configuration

      Uhh good luck with that. If it were stored on magnetic media I’d suggest “a magnet and a very steady hand” but that doesn’t work so much for SSDs.

  • @[email protected] (11 points, edited, 2 years ago)

    Modern browsers use their built-in DNS settings which adds to the confusion.

    There’s no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there’s a toggle to turn it off, I’m okay with that.

    How do you think it should be fixed?

    The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.

    Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (~home.arpa for virtual machines and ~lan for machines in my home network).

    There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I’ll have to enable DNSDefaultRoute= in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It’s a lot of steps but I can automate most of them with a script for now.

    Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.

    Edit: link to some blog post
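The captive-portal dance in the comment above (flip DNSDefaultRoute= on, reload networkd, log in, flip it back, reload again) is the kind of thing worth scripting. This added script is not the commenter's own; it assumes systemd-networkd manages the Wi-Fi link through the given .network file and that the file already has a [Network] section.

```shell
#!/bin/sh
# Added example (not from the thread): temporarily let the Wi-Fi link's DNS
# servers answer all queries (DNSDefaultRoute=yes) so a captive portal can
# hijack resolution, then revert to per-domain routing once logged in.

# set_dns_default_route FILE yes|no : rewrite or add DNSDefaultRoute= under [Network]
set_dns_default_route() {
    file="$1"; value="$2"
    case "$value" in yes|no) ;; *) echo "value must be yes or no" >&2; return 1 ;; esac
    tmp="$file.tmp.$$"
    if grep -q '^DNSDefaultRoute=' "$file"; then
        sed "s/^DNSDefaultRoute=.*/DNSDefaultRoute=$value/" "$file" > "$tmp"
    else
        # POSIX sed append: put the key right after the [Network] header
        sed "/^\[Network\]/a\\
DNSDefaultRoute=$value" "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_dns_default_route FILE : print the current value (empty if unset)
get_dns_default_route() {
    sed -n 's/^DNSDefaultRoute=//p' "$1" | head -n 1
}

# captive_portal_login FILE : the manual steps from the comment, in order
captive_portal_login() {
    file="$1"
    set_dns_default_route "$file" yes
    networkctl reload                  # systemd-networkd re-reads .network files
    echo "Open the portal page in a browser, log in, then press Enter."
    read -r _
    set_dns_default_route "$file" no   # back to routing-domain-only lookups
    networkctl reload
}

# Usage: portal.sh login /etc/systemd/network/25-wifi.network  (path is an assumption)
if [ "${1:-}" = "login" ]; then
    captive_portal_login "${2:?path to .network file}"
fi
```

While DNSDefaultRoute=yes is in effect every lookup goes to the portal network's resolver in plaintext, so keep that window as short as the login requires.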