Systemd-resolved with DoT and DNSSEC configuration

msmafra · December 22, 2023, 3:24pm

Hello there!

I have disabled since F38 my systemd-resolve configuration because it stopped working out of nowhere… and forgot about it.

Did various modifications to the resolved.conf, but I’m sill not able to navigate the Internet if I keep any configurations with DoT with or without DNSSEC. Commenting them out restores my navigation.

/etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf
[main]
dns=systemd-resolved
systemd-resolved=false

/etc/systemd/resolved.conf
[Resolve]
DNS=9.9.9.11 1.1.1.1
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=9.9.9.9 1.0.0.1
Domains=~.
#LLMNR=yes
#MulticastDNS=yes
Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes

resolvectl query fedoraproject.org
fedoraproject.org: resolve call failed: All attempts to contact name servers or networks failed

~
resolvectl query openwrt.org
openwrt.org: resolve call failed: All attempts to contact name servers or networks failed

~
resolvectl query ddg.co
ddg.co: resolve call failed: All attempts to contact name servers or networks failed

I tested with various public DNS with and without DNSSEC (Quad9, CloudFlare, Mullvad, OpenDNS, AdGuard…), disabled and flushed cache, removed the fallbacks,

Did the configuration method changed? Is it a bug?

vgaetera · December 22, 2023, 4:20pm

It works fine for me like this:

# Comment out custom settings
sudo sed -i -e "/^[^[#]/s/^/#/" /etc/systemd/resolved.conf

# Set up systemd-resolved
sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
DNS=8.8.8.8#dns.google
DNS=8.8.4.4#dns.google
DNS=2001:4860:4860::8888#dns.google
DNS=2001:4860:4860::8844#dns.google
DNSOverTLS=yes
EOF
sudo systemctl enable systemd-resolved.service
sudo systemctl restart systemd-resolved.service

# Prevent NetworkManager from changing resolvers
sudo tee /etc/NetworkManager/conf.d/00-custom.conf << EOF > /dev/null
[main]
dns=none
systemd-resolved=false
EOF
sudo systemctl restart NetworkManager.service

msmafra · December 22, 2023, 5:26pm

Thanks for the tip, but it also did not work for me.

vgaetera · December 22, 2023, 5:38pm

There must be something wrong with your setup or configuration.
Start with basic diagnostics:

grep -v -r -e "^#" -e "^$" /etc/systemd/resolved.*
grep -v -e "^#" -e "^$" /etc/resolv.conf
grep -e ^hosts: /etc/nsswitch.conf
resolvectl --no-pager status
resolvectl --no-pager query example.org
systemctl status systemd-resolved.service
journalctl --no-pager -b -u systemd-resolved.service

Topic		Replies	Views
DNS not resolving on Fedora Server 39 Ask Fedora intel , f39 , server	1	2183	November 16, 2023
DNS server changes not being applied Ask Fedora systemd-resolved , dns , server	16	17420	April 12, 2024
DNS Broken in Fedora 33 after update Ask Fedora f33 , networking	2	375	June 27, 2021
DNS Issue on first update of Fedora 38 Ask Fedora f38	11	3271	July 7, 2023
How do I configure search domains in systemd-resolved? Ask Fedora server	4	1572	June 12, 2024

Systemd-resolved with DoT and DNSSEC configuration

Related topics