I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.
Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.
Modern browsers use their buit-in DNS settings which adds to the confusion.
I think this is one area that Linux needs more work and more standardization.
How do you think it should be fixed?
changing settings in Network Manager.
What’s wrong with this method? I feel like this is the main one and it works well for me. Even if you were using systemd-resolved, I believe it still works.
This is the answer for desktop Linux. Have NM create the drop in for systemd-resolved when the settings are changed. This is NM’s job.
I typically leave my DNS config to my router and PiHole. I run a VPN server to my home network so I have the same setup no matter where I am. I’ll agree, it used to be that /etc/resolv.conf was the go to, but systemd had been interesting to say the least.
I also found this if it helps you any.
Problems:
- you need an additional solution for Wifi captives portals, at least there is a gap in your solution for this situation
- intercontinental travelling might not be fun
Iirc, Unifi gear does captive portals, but good points all around.
The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.
No. The average user would use NetworkManager GUI integrated into DE.
Network Manager doesn’t support DOH.
The average user barely know what is DNS, so DoH…
Android supports DoT, and it can be easily configured by the user. They call it ‘Private DNS’ though, in order to not confuse users with terminology like ‘DNS-over-TLS’. Also most browsers support DoH, Chromium just calls it ‘Secure DNS’, again, in order not to confuse users. NetworkManager could definitely implement DNSCrypt, DoT and DoH, maybe even DoQ and just call it ‘Encrypted DNS’ and add a toggle to choose the protocol.
This isn’t really a “Linux” problem. Calling it a Linux problem implies all distros do the same thing out of the box because it’s a part of the core system. Systemd has a file,
/etc/systemd/resolved.conf
which has one lineDNS=
that you can add the servers you want. It’s as simple as that. If you’re using Dnsmasq for DNS instead, you’d edit the Dnsmasq file. If you’re not using my of those (i.e. you removed systemd-resolved, Dnsmasq, etc) then you can just edit the/etc/reeolv.conf
directly without worry of it being overwritten.While many distros come with systemd out of the box, not all of them do. For example, I use Gentoo with rc and after editing my resolv.conf, never had to worry about it again unless I decided to install a custom DNS software on it later.
I read many replies to your post as “DNS software shouldn’t be allowed to change DNS settings” for the most part, and that doesn’t quite make sense to me. If it’s a problem, remove said software. Browsers are definitely annoying in the DNS front, I won’t disagree with that. Fortunately, they allow you to turn that off though.
My two cents: Yes, it’s bad. The biggest hurdle to people not “intimately familiar” with their distro is A) what it’s using for DNS configuration and B) realizing that there are so many different ways in different distributions, and sometimes within one distribution, that you have to be very careful what googled results you follow. That many browsers do their own thing doesn’t help. I think the best way to solve it would be some desktop level abstraction like PackageKit where it doesn’t really matter what services does the resolving under the hood.
Xkcd “standards”
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
Nor should there be. That’s what the configuration files are for, and the utility to edit them is the editor of your choice.
I just edit
resolv.conf
directly, and then dochattr +i /etc/resolv.conf
to make it persistentSystemd likes to ruin all the easy stuff with overcomplicated bloated programms.
Modern browsers use their buit-in DNS settings which adds to the confusion.
There’s no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there’s a toggle to turn it off, I’m okay with that.
How do you think it should be fixed?
The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.
Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (
~home.arpa
for virtual machines and~lan
for machines in my home network).There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I’ll have to enable
DNSDefaultRoute=
in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It’s a lot of steps but I can automate most of them with a script for now.Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.
Edit: link to some blog post
You haven’t used Ubuntu Server… The resolv.conf is managed by the network manager (NetworkManager if I recall correctly). But if you configure the DNS in NM it won’t survive the reboot because there is another layer on top, cloudinit.
Cloud-init is fairly well documented:
But if you do not need it (and if you’re configuring DNS by hand, it doesn’t sound like you do), you can disable it entirely:
https://cloudinit.readthedocs.io/en/latest/howto/disable_cloud_init.html
resolv.conf
itself should be managed bysystemd-resolved
on any modern Ubuntu Server release. And that service will use the DNS settings provided bynetplan
.With cloud-init disabled, you should have the freedom to create/edit configuration files in
/etc/netplan
and apply changes withnetplan apply
.This is terrible. At least they should deprecate that file.
It’s very easy when not using systemd-resolved.
No problems here using /etc/systemd/resolved.conf for NextDNS settings. I also set the dns settings for NextDNS in Firefox.
Its bad if you dont like having a bunch of options for your network stack.
No software should EVER touch any DNS related configuration or file and no application should bring it’s own system for DNS request. Everything regarding DNS without any exception should be done by the application that sets up and handle the network connection.
deleted by creator
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
Because it’s systemd. You take it or you take it. Brought to you by the same people who brought PulseAudio and GNOME 3.
The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots)
True, but at least by this point it is documented everywhere (at least on Arch and Debian) and if you want to play around with resolv.conf their go-to interface is to install
resolvconf
and edit only thebase
orhead
files.How do you think it should be fixed?
IMO people should just install and learn to use dnsmasq / bind9. They’re there precisely to cover most cases (including forwarding local DNS queries to DoH, or having your own intranet, etc).