Introduction to DNS Leaks
I’ve seen DNS leaks cause issues on even the most secure Linux servers. Ensuring your DNS setup is solid is crucial, and one common problem is a DNS leak, where your system inadvertently reveals your DNS queries to unauthorized parties. In this article, I’ll walk you through troubleshooting DNS leaks using systemd-resolved and resolv.conf on a Linux server.
Understanding systemd-resolved
systemd-resolved is a powerful tool that provides DNS resolution capabilities. It’s designed to be a caching, validating DNS resolver that can also handle DNSSEC validation. To check if systemd-resolved is running on your system, use the following command:
systemctl status systemd-resolved
If the service is not running, you can start it with:
systemctl start systemd-resolved
Don’t bother with manually configuring the service unless you have a specific reason to do so - the defaults usually work just fine.
Configuring resolv.conf
The resolv.conf file is used to configure the DNS resolver on your system. By default, systemd-resolved will generate a resolv.conf file with the following contents:
nameserver 127.0.0.53
options edns0
This configuration tells the system to use the systemd-resolved service as the DNS resolver. You can verify this by checking the contents of the resolv.conf file:
cat /etc/resolv.conf
In practice, you shouldn’t need to modify this file unless you’re using a custom DNS setup.
Troubleshooting DNS Leaks
To troubleshoot DNS leaks, I usually start with the dig command to query a DNS server and verify that the query is being handled by systemd-resolved. For example:
dig +short example.com @127.0.0.53
This command will query the example.com domain using the systemd-resolved service. If the query is successful, it will return the IP address of the domain.
You can also use the tcpdump command to capture DNS traffic and verify that it’s being encrypted:
tcpdump -i any -n -vv -s 0 -c 100 -W 100 port 53
This command will capture the first 100 DNS packets on all interfaces and display them in a verbose format. This is where people usually get burned - if your DNS traffic isn’t encrypted, you’re vulnerable to eavesdropping.
Verifying DNSSEC Validation
To verify that DNSSEC validation is working correctly, you can use the dig command with the +dnssec option:
dig +dnssec +short example.com @127.0.0.53
This command will query the example.com domain using the systemd-resolved service and verify that the response is DNSSEC-validated.
Security Considerations
When configuring your DNS setup, security is paramount. Using a secure DNS resolver like systemd-resolved can help protect your system from DNS-based attacks. Additionally, ensuring that your resolv.conf file is properly configured can help prevent DNS leaks.
For more information on systemd-resolved and DNS security, you can visit the systemd.io website or the debian.org website.
Additional Tools and Resources
There are several additional tools and resources available to help you troubleshoot DNS leaks and configure your DNS setup. Some notable tools include:
dnsleaktest.com: A website that provides a DNS leak test tool.github.com/systemd/systemd: The official systemd repository on GitHub.
By following these steps and using the tools and resources provided, you can help ensure that your Linux server is properly configured to prevent DNS leaks and maintain a secure DNS setup.
See also
- Debugging systemd Service Startup Failures with systemd-analyze and Journalctl
- Taming Split DNS Chaos with systemd-resolved and Local Hostname Resolution
- Reclaiming Disk Space from Unused Snapshot Copies on Btrfs Filesystems
- Troubleshooting Slow DNS Lookups with systemd-resolved and resolvectl
- Taming systemd-resolved: Avoiding DNS Leaks and Surprises with Split DNS Configurations