Taming systemd-resolved: How to Configure DNS Settings for Split Horizon Environments

Introduction to systemd-resolved

I’ve seen many Linux admins struggle with configuring DNS settings for split horizon environments. systemd-resolved, a DNS resolver component of the systemd suite, can make life easier. In this article, I’ll walk you through how to configure DNS settings for split horizon environments using systemd-resolved.

Understanding Split Horizon Environments

Split horizon environments are network setups where different DNS servers give different answers for the same domain name, depending on where the client is. I’ve encountered this in organizations with multiple offices or data centers, where each location runs its own DNS servers. For example, a company with offices in the US and Europe might have two separate DNS servers, one for each region, returning different IP addresses for the same name. The classic case is an internal zone (say example.com) whose internal servers hand out private addresses while the public DNS hands out public ones. On the client, the job is therefore to route queries for the internal zone to the internal resolvers and everything else to the normal ones, without ever sending internal hostnames to a public resolver.

Configuring systemd-resolved

To configure systemd-resolved for a split horizon environment, you need to tell it which DNS servers answer for which domain. Don’t bother with editing the main resolved.conf file - instead, create a drop-in in the /etc/systemd/resolved.conf.d/ directory (the file name must end in .conf). Be aware that resolved.conf and its drop-ins contain only a [Resolve] section: there is no [Match] section, and everything in these files is global, not per link. For example, to send queries for example.com to two internal servers, create a file called example.com.conf with the following contents:

[Resolve]
DNS=192.168.1.100 192.168.1.200
Domains=~example.com

The ~ prefix makes example.com a routing domain: queries for example.com and all of its subdomains go to these servers. Without the ~, Domains= only adds a search domain and does nothing for routing. After editing drop-ins, run systemctl restart systemd-resolved.

The real trick is that global servers are also queried for names that match no more specific routing domain, so a global drop-in alone does not give you a clean split. For that, bind the internal servers to the link that actually reaches them (at runtime with resolvectl dns LINK ... and resolvectl domain LINK ~example.com, or persistently through a systemd-networkd .network file or NetworkManager), and mark that link as not being a default route, so that only example.com queries reach the internal resolvers.

Using Multiple DNS Servers

In a split horizon environment, you may need more than one server for the same zone. systemd-resolved accepts a space-separated list of servers for a single domain. For example:

[Resolve]
DNS=192.168.1.100 192.168.1.200 192.168.1.250
Domains=~example.com

resolved does not load-balance across the list: it talks to one server at a time (shown as "Current DNS Server" in resolvectl status) and moves on to the next only after the current one times out or returns an error. This way, your system can still resolve names in the zone if one of the servers is down. Check each entry carefully: an octet above 255 (for example 192.168.1.300) is not a valid IPv4 address and resolved will not use it, which silently shortens your list. All listed servers should also serve the same view of the zone, because resolved does not merge answers from different servers.

Fallback DNS Servers

This is where people usually get burned - they assume FallbackDNS is used when the configured servers are down. It is not. FallbackDNS= is a global setting that resolved consults only when it knows of no DNS servers at all, neither from DNS= nor from any link. If you leave it unset, a compiled-in list of public resolvers is used in that situation instead. For example:

[Resolve]
DNS=192.168.1.100 192.168.1.200
FallbackDNS=8.8.8.8 8.8.4.4

With this file in place, the public servers are never used as long as the internal ones are configured, even if both internal servers are down. In a split horizon setup that is the behaviour you want: falling back to a public resolver would send your internal hostnames off-site and return the public view of the zone instead of the internal one. On machines that must never talk to public resolvers, set FallbackDNS= to an empty value to disable the compiled-in list as well. Redundancy against a failing server comes from listing several servers in DNS=, not from FallbackDNS.

DNS over TLS

To improve DNS security, you can use DNS over TLS (DoT) to encrypt DNS traffic between the host and its resolvers. systemd-resolved supports DoT out of the box. To enable it, set the DNSOverTLS= option. For example:

[Resolve]
DNS=192.168.1.100 192.168.1.200
DNSOverTLS=yes

DNSOverTLS=yes is strict mode: resolved only talks to a server over TLS on port 853, and a server that does not offer TLS is treated as unreachable. Enabling it against internal resolvers that only speak plain DNS therefore breaks resolution for the whole zone. DNSOverTLS=opportunistic tries TLS and falls back to plaintext, which protects against passive observation but not against an active attacker who can strip TLS. The setting is global and applies to per-link servers too unless overridden for a link (resolvectl dnsovertls LINK MODE, or DNSOverTLS= in the link’s .network file). To have the server certificate checked, append the server’s hostname to its address after a # (ADDRESS#hostname); the name is used for SNI and for certificate validation.

I usually start with DoT enabled, as it removes plaintext DNS from the wire. Confirm first that every internal server actually listens on port 853, and use opportunistic mode while you are not sure, switching to yes once each server has been verified.
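The per-link method that the configuration, multiple-server and DoT sections above keep referring to (servers bound to one link, a ~ routing domain, the link taken out of the default route, DoT set per link), as an added shell example. This is not code from the original article or from the systemd project; it assumes a link named eth1, the addresses used on this page, and that resolvectl is available on the target host, and it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original article or the systemd project).
# Builds a per-link split-horizon DNS setup for systemd-resolved: the servers
# that know the internal zone are bound to one link, the zone becomes a
# routing domain (~), the link is removed from the default route so unrelated
# queries never reach the internal resolvers, and DoT is set per link.
# Assumed (not from the page): link eth1, resolvectl on the target host.
# Addresses are validated first: 192.168.1.300 is not a usable IPv4 address.

# valid_ipv4 ADDR: succeed only for four dot-separated decimal octets, 0..255.
valid_ipv4() {
    addr=$1; n=0
    while :; do
        octet=${addr%%.*}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$octet" = "$addr" ] && break        # no dot left: that was the last octet
        addr=${addr#*.}
    done
    [ "$n" -eq 4 ]
}

# split_horizon_cmds LINK DOMAIN DOT SERVER...: validate the servers and print
# the resolvectl commands that route DOMAIN (and its subdomains) to SERVER...
# on LINK only. DOT is yes, opportunistic or no. Returns 1 on a bad address.
split_horizon_cmds() {
    link=$1; domain=$2; dot=$3; shift 3
    [ $# -ge 1 ] || { echo "no DNS servers given" >&2; return 2; }
    case $dot in yes|opportunistic|no) ;; *) echo "bad DoT mode: $dot" >&2; return 2 ;; esac
    for s in "$@"; do
        valid_ipv4 "$s" || { echo "invalid DNS server address: $s" >&2; return 1; }
    done
    # The '~' is quoted so the shell running these does not try tilde expansion.
    printf '%s\n' \
        "resolvectl dns $link $*" \
        "resolvectl domain $link '~$domain'" \
        "resolvectl default-route $link no" \
        "resolvectl dnsovertls $link $dot"
}

# networkd_fragment LINK DOMAIN DOT SERVER...: the same settings as a persistent
# systemd-networkd .network file (or a drop-in under NAME.network.d/ for the
# file that already manages LINK), since resolvectl changes are lost on reboot.
networkd_fragment() {
    link=$1; domain=$2; dot=$3; shift 3
    for s in "$@"; do valid_ipv4 "$s" || return 1; done
    printf '%s\n' "[Match]" "Name=$link" "" "[Network]" \
        "DNS=$*" "Domains=~$domain" "DNSDefaultRoute=no" "DNSOverTLS=$dot"
}

# run_split_horizon: print the commands, or execute them when APPLY=1 (needs root).
run_split_horizon() {
    cmds=$(split_horizon_cmds "$@") || return $?
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

# Usage: sh split-horizon.sh eth1 example.com yes 192.168.1.100 192.168.1.200
if [ $# -ge 4 ]; then
    run_split_horizon "$@"
fi
```

Run it once without APPLY to review the four resolvectl commands, then with APPLY=1 as root to apply them to the running daemon; keep the networkd_fragment output in a .network file if the setup has to survive a reboot. Pass opportunistic rather than yes as the DoT mode until every internal server has been confirmed to answer on port 853.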

Troubleshooting

If you encounter issues with systemd-resolved, use resolvectl to troubleshoot (systemd-resolve is the old name of the same tool; it is deprecated and may no longer be installed on recent systems). For example, to test resolution of a name:

resolvectl query example.com

This prints the answer for example.com and which protocol provided it. To see how the split is actually configured - which servers and routing domains each link has, which server is the current one, and whether DoT is on - run:

resolvectl status

To rule out a stale cached answer after changing servers:

resolvectl flush-caches

Errors from the daemon itself are in the journal: journalctl -u systemd-resolved. In practice, I’ve found resolvectl status to be the most useful command when debugging split horizon issues: if the internal servers show up on a link without a ~example.com routing domain, or on a link marked +DefaultRoute, queries are not being split the way you think.
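An added check, not part of the original article: given the text of resolvectl status, work out which link systemd-resolved will route a name to, so the split can be verified before it is trusted. The status text inside the script is a constructed sample in the shape of that command’s output (the exact layout varies between systemd releases); on a live host pass "$(resolvectl status)" as the second argument instead.

```shell
#!/bin/sh
# Added check (not from the original article): work out which link
# systemd-resolved will route a name to, from 'resolvectl status' output.
# SAMPLE_STATUS is a constructed sample in the shape of that output (the exact
# layout varies between systemd releases); on a live host pass
# "$(resolvectl status)" as the second argument instead.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.53
       DNS Servers: 10.0.0.53

Link 3 (eth1)
    Current Scopes: DNS
         Protocols: -DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.100
       DNS Servers: 192.168.1.100 192.168.1.200
        DNS Domain: ~example.com'

# links_routing NAME [STATUS]: print "LINK SERVERS" for each link whose ~routing
# domain covers NAME; if none does, print the +DefaultRoute links instead, which
# is where resolved sends queries that match no routing domain. Plain (search)
# domains without ~ do not route and are ignored; ~. counts as a default route.
links_routing() {
    printf '%s\n' "${2:-$SAMPLE_STATUS}" | awk -v q="$1" '
        function flush(    n, i, d, hit) {
            if (link == "") return
            hit = 0
            n = split(domains, parts, " ")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                if (substr(d, 1, 1) != "~") continue
                d = substr(d, 2)
                if (d == ".") defroute = 1
                else if (q == d || substr(q, length(q) - length(d)) == "." d) hit = 1
            }
            if (hit) hits = hits link " " servers "\n"
            else if (defroute && servers != "") defaults = defaults link " " servers "\n"
            link = ""; servers = ""; domains = ""; defroute = 0
        }
        /^Link [0-9]+ \(/ { flush(); link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*/, "", link); next }
        /^Global/         { flush(); link = "global"; next }
        /Protocols:/ && /\+DefaultRoute/ { defroute = 1 }
        /DNS Servers:/    { sub(/.*DNS Servers: */, ""); servers = $0 }
        /DNS Domain:/     { sub(/.*DNS Domain: */, ""); domains = $0 }
        END { flush(); printf "%s", (hits != "" ? hits : defaults) }
    '
}
```

With the sample, links_routing example.com and links_routing www.example.com report eth1 with the two internal servers, while a name outside the zone (including a look-alike such as notexample.com) falls through to the +DefaultRoute link eth0. If a real host prints the internal servers for a public name, or the public servers for an internal one, the routing domain or the default-route flag on that link is wrong.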

Further Reading

For more information on systemd-resolved, refer to the systemd documentation, in particular the resolved.conf(5), systemd-resolved(8), resolvectl(1) and systemd.network(5) manual pages. Additionally, you can check out the Debian wiki for more information on configuring systemd-resolved on Debian-based systems.


See also