Introduction to systemd-resolved
I’ve seen systemd-resolved become a standard part of many Linux distributions, including Ubuntu, Debian, and Fedora, as of 2026. It runs a local stub resolver on 127.0.0.53, keeps a separate list of DNS servers and search or routing domains for every network link, caches answers, and can validate DNSSEC and speak DNS-over-TLS. That per-link routing is also where most of the trouble comes from: a name can be answered by a different server than you expect, or by several servers in parallel, which is how DNS leaks and domain name resolution surprises happen.
Understanding DNS Leaks
A DNS leak occurs when your system sends DNS queries to a server you did not intend to use, for example your ISP’s resolver while a VPN is up, revealing the names you look up to a third party. With systemd-resolved this is usually not a bug but routing: each link (Ethernet, Wi-Fi, VPN tunnel) can carry its own DNS servers, and a query for a name that matches no link’s search or routing domain is sent in parallel to the global servers and to every link that counts as a default route, with the first answer winning. A VPN that pushes DNS servers but does not claim the catch-all routing domain ~. therefore shares every query with the LAN resolver. Online tools such as dnsleaktest.com or ipleak.net confirm from the outside whether you are leaking, but resolvectl status is what tells you why, because it lists the servers and domains attached to each link.
Configuring systemd-resolved
To configure systemd-resolved, edit the /etc/systemd/resolved.conf file or, better, add a drop-in file under /etc/systemd/resolved.conf.d/ so that package updates do not overwrite your changes, then restart the service with systemctl restart systemd-resolved. The real trick is understanding the options that control the behavior of systemd-resolved, in particular the DNS servers to use, the routing domains, and the DNSSEC and DNS-over-TLS modes. For example, to set the global DNS servers, you can add the following lines to the file:
[Resolve]
DNS=1.1.1.1 8.8.8.8
This sets the global DNS servers to Cloudflare’s (1.1.1.1) and Google’s (8.8.8.8). Note that DNS= is only the global list: servers learned per link from DHCP or a VPN are still used for the domains routed to those links and, for names that no link claims, alongside the global servers, while FallbackDNS= supplies compiled-in servers whenever nothing else is configured. In practice, you’ll want resolvers that validate DNSSEC and offer DNS-over-TLS, and if you want them to answer everything you also need to give them the routing domain ~. (see the Domains= option).
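The drop-in below is an added example, not configuration from the article or from the systemd project: it pins the upstream resolvers and, unlike the bare DNS= line above, empties FallbackDNS=, claims the catch-all routing domain ~. for the global servers so that DHCP- or VPN-supplied per-link servers answer only for their own domains (unless a link claims ~. itself, as a VPN should), and requires DNS-over-TLS with the server name used for certificate validation. The file name 10-pinned-upstream.conf and the RESOLVED_DROPIN_DIR variable are this example’s own choices.

```shell
#!/bin/sh
# Added example (not code from the original article or from systemd).
# Writes a resolved.conf drop-in that pins the upstream resolvers and
# closes the gaps a bare "DNS=" line leaves open. The drop-in file name
# and the RESOLVED_DROPIN_DIR variable are assumptions of this example.

write_resolved_dropin() {   # usage: write_resolved_dropin [dir]; prints the file written
    dir=${1:-/etc/systemd/resolved.conf.d}
    mkdir -p "$dir" || return 1
    cat > "$dir/10-pinned-upstream.conf" <<'EOF'
[Resolve]
# Weak form: "DNS=1.1.1.1 8.8.8.8" alone. Per-link servers learned from
# DHCP or a VPN still answer names that no link claims, and FallbackDNS=
# keeps resolved's compiled-in fallback servers. The lines below close
# both gaps. The "#name" suffix is the TLS server name that resolved
# validates the certificate against when DNSOverTLS=yes.
DNS=1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google
FallbackDNS=
Domains=~.
DNSOverTLS=yes
DNSSEC=allow-downgrade
EOF
    printf '%s\n' "$dir/10-pinned-upstream.conf"
}

# Every hardening key must survive in the written file; returns 1 and
# names the first missing pattern otherwise.
check_resolved_dropin() {   # usage: check_resolved_dropin file
    f=$1
    for pat in '^DNS=' '^FallbackDNS=$' '^Domains=~\.$' '^DNSOverTLS=yes$'; do
        grep -q "$pat" "$f" || { echo "missing $pat in $f" >&2; return 1; }
    done
    return 0
}

# Only touch the real directory when explicitly asked (needs root):
#   RESOLVED_DROPIN_DIR=/etc/systemd/resolved.conf.d sh pin-upstream.sh
if [ -n "${RESOLVED_DROPIN_DIR:-}" ]; then
    f=$(write_resolved_dropin "$RESOLVED_DROPIN_DIR") && check_resolved_dropin "$f" \
        && echo "wrote $f; now run: systemctl restart systemd-resolved && resolvectl status"
fi
```

After restarting, resolvectl status should show the pinned servers under Global with the DNS Domain ~., and +DNSOverTLS in the Global Protocols line; DNSSEC=allow-downgrade is used here rather than yes so that a resolver without DNSSEC support degrades to unvalidated answers instead of breaking every lookup.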
Troubleshooting DNS Resolution Issues
If you’re experiencing DNS resolution issues, there are several tools you can use to troubleshoot the problem. I usually start with resolvectl, which is a command-line utility that allows you to query and control systemd-resolved. For example, to check the current DNS servers in use, you can run the following command:
resolvectl status
This displays the global settings and then, for each link, the current server, all configured servers, the search and routing domains, and whether the link is a default route for names that match no domain. To see which link actually answered a particular name, run resolvectl query NAME; it prints the answering link and whether the data was DNSSEC-authenticated.
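The leak described under Understanding DNS Leaks can be read straight off resolvectl status. The script below is an added example, not code from the article: it parses the status output and lists the links whose DNS servers will receive queries for names that match no per-link domain, using the rule from systemd-resolved(8) that a link claiming the routing domain ~. wins by longest match, and that otherwise every +DefaultRoute link with DNS servers gets the query in parallel. Global servers are ignored, the two status dumps are constructed samples in resolvectl’s output format, and the parser assumes the server list fits on one line.

```shell
#!/bin/sh
# Added example (not from the original article). Decides, from
# `resolvectl status` output, which links' DNS servers receive queries for
# names that match no per-link domain. Rule (systemd-resolved(8)): a link
# whose domains include the catch-all "~." claims those queries; otherwise
# every link marked +DefaultRoute (or "DefaultRoute setting: yes" in older
# output) that has DNS servers gets them in parallel, first answer wins.
# Global (resolved.conf) servers are ignored here, and multi-line server
# lists are not parsed; both are simplifications of this example.

default_route_links() {   # reads status text on stdin, prints one link per line
    awk '
        /^Link [0-9]+ \(/ {                       # "Link 3 (tun0)" opens a block
            link = $0
            sub(/^Link [0-9]+ \(/, "", link); sub(/\).*$/, "", link)
            order[++n] = link; next
        }
        /^Global/ { link = ""; next }             # skip the Global block
        link == "" { next }
        /DefaultRoute setting: yes/ || (/Protocols:/ && /[+]DefaultRoute/) { defroute[link] = 1 }
        /DNS Servers:/ { sub(/^.*DNS Servers: */, ""); if ($0 != "") servers[link] = 1 }
        /DNS Domain:/  { sub(/^.*DNS Domain: */, ""); for (i = 1; i <= NF; i++) if ($i == "~.") catchall[link] = 1 }
        END {
            for (i = 1; i <= n; i++) if (catchall[order[i]] && servers[order[i]]) { print order[i]; any = 1 }
            if (any) exit                          # "~." links win by longest match
            for (i = 1; i <= n; i++) if (defroute[order[i]] && servers[order[i]]) print order[i]
        }'
}

# Succeeds only if exactly the expected link (normally the VPN) carries
# default-route queries.  Live use: resolvectl status | dns_only_via tun0
dns_only_via() {
    [ "$(default_route_links | tr '\n' ' ')" = "$1 " ]
}

# Constructed sample: tun0 received DNS servers from the VPN but no routing
# domain, so eth0 (DHCP, search domain "lan") competes for every other name.
LEAKY_STATUS='Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 3 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1'

# Same machine after "resolvectl domain tun0 ~.": tun0 is now the longest
# match for everything outside .lan, so eth0 no longer sees those queries
# even though its +DefaultRoute flag is still displayed.
FIXED_STATUS=$(printf '%s\n        DNS Domain: ~.\n' "$LEAKY_STATUS")

for name in LEAKY_STATUS FIXED_STATUS; do
    eval "status=\$$name"
    printf '%s -> %s\n' "$name" "$(printf '%s\n' "$status" | default_route_links | tr '\n' ' ')"
done
```

On the leaky sample the script lists both eth0 and tun0; on the fixed one only tun0. The fix it assumes, resolvectl domain tun0 ~. (together with resolvectl default-route eth0 no if you want the LAN resolver out of the picture entirely), is what VPN integrations should be doing for you when they configure the tunnel link.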
Resolving Domain Name Surprises
Sometimes, you may encounter domain name surprises, where a domain name resolves to an unexpected IP address. This is where people usually get burned: they assume the cache is poisoned or the servers are misconfigured, when more often the answer came from a source they were not thinking of, such as a per-link server on another interface, an /etc/hosts entry, a split-horizon zone, or LLMNR/mDNS for a single-label name. Check first with resolvectl query NAME, which shows which link answered. If a stale cached record really is the problem, flush the cache using the following command:
resolvectl flush-caches
This clears systemd-resolved’s own cache and forces it to re-query the upstream servers for the domain name. It does not touch caches in the upstream resolvers or in applications such as browsers, so a wrong answer that survives a flush is coming from somewhere else.
Security Considerations
From a security perspective, it’s essential to ensure that systemd-resolved is properly configured to use secure DNS servers and validate DNS responses using DNSSEC. You can enable DNSSEC validation by adding the following line to the /etc/systemd/resolved.conf file:
[Resolve]
DNSSEC=yes
This enables DNSSEC validation: responses that fail validation are rejected. Two caveats apply. Unsigned zones are still accepted when the resolver can prove the absence of signatures through NSEC/NSEC3 records, so "only properly signed responses" is not quite what you get. And with DNSSEC=yes every lookup fails if the upstream server does not support DNSSEC, which is why the upstream default is allow-downgrade (some distributions compile it to no; resolvectl status shows which mode is in effect). Validation also says nothing about who can see your queries; pair it with DNSOverTLS=yes for transport privacy.
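Whether validation and encrypted transport are actually in effect for a given name is visible in the trailer that resolvectl query prints. The helper below is an added example, not code from the article or from systemd: it classifies that output into a DNSSEC verdict and a transport verdict, and treats a "DNSSEC validation failed" error as a hard failure. The three outputs it runs on are constructed samples in resolvectl’s format; the transport flag in the trailer only exists in newer systemd releases, which is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original article). Classifies the output of
# `resolvectl query NAME` into "dnssec=yes|no|failed tls=yes|no|unknown|n/a".
# Live use (the error line goes to stderr, hence 2>&1):
#   resolvectl query example.org 2>&1 | query_verdict

query_verdict() {   # reads resolvectl query output on stdin
    out=$(cat)
    case $out in
        *"DNSSEC validation failed"*)    # DNSSEC=yes (or a bogus signed zone)
            echo "dnssec=failed tls=n/a"; return 1 ;;
    esac
    auth=no; tls=unknown
    printf '%s\n' "$out" | grep -q 'Data is authenticated: yes' && auth=yes
    printf '%s\n' "$out" | grep -q 'encrypted transport: yes'   && tls=yes
    printf '%s\n' "$out" | grep -q 'encrypted transport: no'    && tls=no
    echo "dnssec=$auth tls=$tls"
}

# Constructed samples in resolvectl's output format.
# 1. Signed zone, validated locally, reached over DNS-over-TLS.
AUTH_OUT='example.org: 93.184.216.34                  -- link: eth0

-- Information acquired via protocol DNS in 38.2ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes'

# 2. Plain UDP to a LAN resolver, no validation. Under DNSSEC=allow-downgrade
#    this is also what a silent downgrade looks like, so the flag alone cannot
#    tell "zone is unsigned" from "resolver does not do DNSSEC".
PLAIN_OUT='printer.lan: 192.168.1.50                   -- link: eth0

-- Information acquired via protocol DNS in 1.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no'

# 3. What DNSSEC=yes produces when validation fails (message text assumed).
FAIL_OUT='example.org: resolve call failed: DNSSEC validation failed: invalid'

for name in AUTH_OUT PLAIN_OUT FAIL_OUT; do
    eval "out=\$$name"
    printf '%s -> %s\n' "$name" "$(printf '%s\n' "$out" | query_verdict || true)"
done
```

The practical check is to query a name you know is signed: if the verdict is dnssec=no while your configuration says allow-downgrade, the upstream resolver is not validating and you are running without DNSSEC, which only DNSSEC=yes would have turned into a visible failure.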
Practical Advice
To get the most out of systemd-resolved, follow these practical tips:
- Use secure DNS servers that support DNSSEC
- Enable DNSSEC validation
- Regularly update your system to ensure you have the latest security patches
- Monitor your system’s DNS traffic to detect potential issues, for example with resolvectl statistics (cache hits and DNSSEC verdict counts) or resolvectl monitor, which streams each query and answer as it happens
By following these tips and using the tools and techniques outlined in this article, you can ensure that your Linux system is properly configured to resolve domain names securely and efficiently.
See also
- Taming systemd-resolved: How to Configure DNS Settings for Split Horizon Environments
- Rescuing a Linux System Stuck in Emergency Mode: A Step-by-Step Recovery Guide
- Troubleshooting Failed Mounts at Boot Time with systemd and fstab
- Taming Disk-Hungry Logs with systemd-journald and logrotate
- Rescuing a Broken Linux System with a systemd Emergency Mode Shell