21

I would like my newer GNU/Linux system (Ubuntu 18.04 LTS) to use a single, manually-configured, DNS server for all DNS queries. In the past, I could simply do echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf to clobber the /etc/resolv.conf file and persistently set the DNS server's IP address for my entire system.

On this (and many newer GNU/Linux distributions), /etc/resolv.conf is managed by the resolvconf(8) utilties. On Ubuntu 18.04, this file contains a line like this:

nameserver 127.0.0.53

As can see by sudo ss --listening --numeric --processes, the local system's systemd-resolved DNS stub resolver is bound to this IP address and is listening on port 53 for incoming DNS requests. Therefore, the above nameserver line in the /etc/resolv.conf file is directing all applications that do not use systemd-resolved's D-Bus or glibc API to the systemd-resolved service via "normal" DNS requests.

That's all fine and well, but all this means that I can no longer simply write persistent changes to the /etc/resolv.conf file in order to effect a nameserver change.

After reading numerous manual pages and blog posts, I learned that I could set "global" DNS nameserver IP address(es) by editing, for example, the /etc/systemd/resolve.conf file such that this file contained a line as follows:

DNS=1.1.1.1 9.9.9.9

After making this change and invoking sudo systemctl restart systemd-resolved, running systemd-resolve --status did show the new nameservers (1.1.1.1 and 9.9.9.9) in the "Global" section. However, a Wireshark packet capture confirmed that my system was still sending DNS queries to the "per-link" DNS server presumably configured via DHCP (say, 192.168.1.1).

Further experimentation lead me to add the following line to my /etc/systemd/resolve.conf file:

Domains=~.

This seems to have successfully instructed systemd-resolved to always use the global nameservers (set in the DNS= option) and to never query any DHCP-supplied nameservers, even though those nameservers still show up when I inspect the output of systemd-resolve --status.

Finally my questions: Aside from the obvious impact this will have on, say, ignoring VPN-supplied DNS information, what other potential impact will this have on my system? And, more importantly, is there a recommended way to completely override dynamically-configured nameserver settings, such as those provided by DHCP, on a system using systemd-resolved such as Ubuntu 18.04 that is more complete than simply editing each NetworkManager-managed connection via the GUI? In particular, I do not want to have to edit the DNS settings for each individual Wi-Fi network that I join; I want all connections to automatically always use statically-configured nameservers for DNS resolution. What is the "best" way to do that, and why?

Thank you.

Improve this question
1
  • Does /etc/NetworkManager/NetworkManager.conf refer to dnsmasq? Commented Feb 4, 2020 at 13:51

3 Answers 3

Reset to default
9

I don't think there's a recommended way, but here are a few options.

Disclaimer: all of this was tested on an Ubuntu 20.04 system, there may be some differences on other versions.

Manual /etc/resolv.conf management

  1. Create your own resolv.conf:

    echo 'nameserver 8.8.8.8' | sudo tee /etc/resolv-manual.conf

  2. Remove the systemd-resolved symlink and link to your own file:

    sudo rm /etc/resolv.conf sudo ln -s /etc/resolv-manual.conf /etc/resolv.conf

  3. Verify your dns config is being used by issuing a query: dig google.com

Having resolv.conf be a symlink is importante because it gets overriden by NetworkManager otherwise.

Note that resolvectl status will still show the DHCP-provided DNS servers for the connection, and they may still be used by queries done through the dbus interface of resolved.

Forced global DNS on resolved

You already had this one:

  1. Create /etc/systemd/resolved.conf.d/dns_servers.conf 
    sudo mkdir -p /etc/systemd/resolved.conf.d cat <<EOF | sudo tee /etc/systemd/resolved.conf.d/dns_servers.conf [Resolve] DNS=192.168.35.1 fd7b:d0bd:7a6e::1 Domains=~. EOF
  2. Restart resolved: sudo systemctl restart systemd-resolved
  3. Verify with resolvectl status

You will still see the ISP-provided DNS server for the connection, but they will only be used for the domains listed under DNS Domain: in the resolvectl status output.

If you want to fully get rid of those DNS servers:

  1. Tell NetworkManager not to set DNS servers for resolved: 
    cat <<EOF | sudo tee /etc/NetworkManager/conf.d/dns.conf [main] dns=none systemd-resolved=false
  2. Reload NetworkManager: sudo systemctl reload NetworkManager.service
  3. resolved will remember the last DNS for the interface, so manually override them: sudo systemd-resolve --interface=wlp3s0 --set-dns 8.8.8.8
Improve this answer
5

I miss the days when was easy to manage nameservers, just editing /etc/resolv.conf. While this actually still works, now distros like Ubuntu add services that symlink and manage /etc/resolv.conf replacing all setup I do.

Using ubuntu, I have a issue where my the systemd-resolve does not set the "Current DNS Server" from nm VPN configuration. I'm using this to circumvent it.

sudo systemd-resolve --interface=ppp0 --set-dns=172.19.40.11
Improve this answer
1

I'll assume you are using NetworkManager, as it's Ubuntu.

To your first question. Unless you have the need for any non-global DNS, then I can't see any issue with setting a global DNS to a well-known, and stable DNS provider. Any change here will also be easily reversible.

systemd-resolved will on many systems have gained priority over /etc/resolv.conf, as you might see in /etc/nsswitch.conf, resolve is probably before dns.

The resolve daemon will use the addresses from the DNS= setting in /etc/systemd/resolved.conf, BUT will also use any server learned for an interface in parallel with the server from its DNS= option. Usually this is not an issue, as public DNS requests should either fail or return similarly useful results.

I don't know if there is a way to stop systemd-resolved from learning new DNS servers, but there might be ways to stop NetworkManager from installing them, e.g.

From https://wiki.archlinux.org/index.php/NetworkManager#Unmanaged_/etc/resolv.conf:

In /etc/NetworkManager/conf.d/dns.conf, add or change:

[main] dns=none systemd-resolved=false

After various service restarts, systemd-resolved should have default DNS servers, and NetworkManager should ignore setting DNS. Give it a try.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.