Using systemd-resolved with Multiple DNS Servers and Split Horizon DNS -

Introduction to systemd-resolved

I’ve been using systemd-resolved for a while now, and I have to say, it’s a game-changer when it comes to managing DNS resolution on Linux systems. As of 2026, it’s become a crucial component in many Linux distributions, including Ubuntu, Debian, and Fedora. In this article, I’ll walk you through how to use systemd-resolved with multiple DNS servers and split horizon DNS, including some practical examples and troubleshooting notes.

Configuring Multiple DNS Servers

To configure multiple DNS servers with systemd-resolved, you’ll need to edit the /etc/systemd/resolved.conf file. This file contains various settings for the resolver, including the DNS servers to use. I’ve seen this go wrong when people forget to separate the DNS servers with spaces. You can add multiple DNS servers by specifying them in the DNS parameter, separated by spaces.

[Resolve]
DNS=8.8.8.8 1.1.1.1 2001:4860:4860::8888 2606:4700:4700::1111

In this example, we’re using Google’s public DNS servers (8.8.8.8 and 2001:4860:4860::8888) and Cloudflare’s public DNS servers (1.1.1.1 and 2606:4700:4700::1111). Don’t bother with using just one DNS server - it’s always a good idea to have a few backups. You can replace these with your own DNS servers or use other public DNS services.

Split Horizon DNS

Split horizon DNS is a technique used to provide different DNS responses based on the client’s location or network. This is where people usually get burned - configuring it can be tricky. Systemd-resolved supports split horizon DNS through the use of DNS zones. The real trick is to create a DNS zone file in the /etc/systemd/resolved.conf.d/ directory. For example, let’s say you want to resolve the example.com domain only from within your internal network. You can create a file called example.com.zone with the following contents:

[Match]
Domain=example.com

[Resolve]
DNS=192.168.1.100

In this example, we’re telling systemd-resolved to use the 192.168.1.100 DNS server only for the example.com domain. This DNS server should be configured to resolve internal hostnames for the example.com domain. I usually start with a simple configuration like this and then build upon it.

Troubleshooting

When troubleshooting systemd-resolved issues, it’s essential to check the resolver’s status and logs. In practice, I’ve found that using the systemd-resolve command to check the resolver’s status is a good place to start:

systemd-resolve --status

This command will display the current resolver configuration, including the DNS servers and zones. You can also use the journalctl command to view the resolver’s logs:

journalctl -u systemd-resolved

This command will display the resolver’s logs, which can help you diagnose issues with DNS resolution.

Security Considerations

When using systemd-resolved with multiple DNS servers and split horizon DNS, it’s essential to consider security implications. One potential issue is DNS spoofing, where an attacker intercepts and alters DNS responses. To mitigate this risk, you can use DNSSEC (Domain Name System Security Extensions) to validate DNS responses. Systemd-resolved supports DNSSEC out of the box, but you need to ensure that your DNS servers are configured to use DNSSEC. You can check the DNSSEC status of your DNS servers using the systemd-resolve command:

systemd-resolve --status

Look for the DNSSEC line, which should indicate whether DNSSEC is enabled or not.

Additional Resources

For more information on systemd-resolved and DNS configuration, you can refer to the systemd-resolved documentation on the freedesktop.org website. Additionally, the Debian wiki provides a comprehensive guide to configuring systemd-resolved on Debian-based systems.