Turn on/of systemd-resolved override.conf Files? Different Security levels

The correct way, afaik, to change the systemd resolved config is this:

cd /etc/systemd/
mkdir resolved.conf.d
cp resolved.conf /resolved.conf.d/override1.conf

and then edit that override. But my idea is this:

  1. Insecure default profile. This is necessary for using Captive portals
  2. Secure profile, that uses DNSSec and a secure DoT DNS provider

To make the Captive portal experience on Linux better, this would need to be switched. You could rename one conf file to deactivate it, and rename the other to “*.conf”. Using pkexec this could be GUI-possible.

But is there a better way of doing this? Having that integrated into the KDE networkmanager applet for example would be really great.

Example to make insecure

# insecure DNS enable

pkexec sudo mv /etc/systemd/resolved.conf.d/hardened.conf /etc/systemd/resolved.conf.d/hardened.disabled &&\

pkexec sudo mv /etc/systemd/resolved.conf.d/default-resolved.disabled /etc/systemd/resolved.conf.d/default-resolved.conf &&\

pkexec sudo systemctl restart systemd-resolved.service &&\

notify-send -a "systemd resolved" "DNS is now insecure"

Is there a recommended way to set custom DNS (over TLS / HTTPS) servers globally *that will not break captive portal logins?* - #2 by vgaetera

I would start with a feature request on GitHub - systemd/systemd: The systemd System and Service Manager project. I think captive portal handling of systemd-resolved is not good enough and should be adapted. But AFAIK there are no people working on resolved intensively at the moment.

But for my part, I would try to use runtime reconfiguration via resolvectl command for temporary dnssec disabling at captive portal. Reset to normal configuration should be simple in runtime, if it does not already exist.

1 Like

this is true, I will open a FR there. Have to find how to use resolvectl, this could for sure be a good way to temporarily disable DNSSEC and the custom DNS server, and DoT enforcement and whatnot.

Having some way for all systems to do this temporarily for these damn CaptivePortals would be pretty important. KDE 6 will have a captive portal login feature of some sort, this should totally work there for a good experience