Turn on/off systemd-resolved override.conf Files? Different Security levels

The correct way, afaik, to change the systemd resolved config is this:

cd /etc/systemd/
mkdir resolved.conf.d
cp resolved.conf resolved.conf.d/override1.conf

and then edit that override. But my idea is this:

  1. Insecure default profile. This is necessary for using Captive portals
  2. Secure profile, that uses DNSSec and a secure DoT DNS provider

To make the Captive portal experience on Linux better, this would need to be switched. You could rename one conf file to deactivate it, and rename the other to “*.conf”. Using pkexec this could be GUI-possible.

But is there a better way of doing this? Having that integrated into the KDE networkmanager applet for example would be really great.

Example to make insecure

#!/bin/bash
# insecure DNS enable: swap the hardened drop-in for the default one and restart resolved.
# All three privileged steps run in a single pkexec call, so there is only one
# authentication prompt (pkexec already runs the command as root; a nested sudo is not needed).

set -e

pkexec sh -c '
  mv /etc/systemd/resolved.conf.d/hardened.conf /etc/systemd/resolved.conf.d/hardened.disabled &&
  mv /etc/systemd/resolved.conf.d/default-resolved.disabled /etc/systemd/resolved.conf.d/default-resolved.conf &&
  systemctl restart systemd-resolved.service
'

notify-send -a "systemd resolved" "DNS is now insecure"

Is there a recommended way to set custom DNS (over TLS / HTTPS) servers globally *that will not break captive portal logins?* - #2 by vgaetera

I would start with a feature request on GitHub - systemd/systemd: The systemd System and Service Manager project. I think captive portal handling of systemd-resolved is not good enough and should be adapted. But AFAIK there are no people working on resolved intensively at the moment.

But for my part, I would try to use runtime reconfiguration via the resolvectl command for temporarily disabling DNSSEC at a captive portal. Resetting to the normal configuration should be simple at runtime, if that does not already exist.

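The runtime approach suggested in the reply above, worked out as an added example (this is not code from the reply's author or from the systemd project). It assumes the hardened settings (DNSSEC=yes, DNSOverTLS=yes, a DoT provider in DNS=) live in a persistent drop-in under /etc/systemd/resolved.conf.d/, and that the Wi-Fi link is called wlan0; `resolvectl status` shows the real link name. The only resolvectl operations used are `dnssec`, `dnsovertls`, `revert` and `flush-caches`.

```shell
#!/bin/bash
# Runtime switch between a captive-portal DNS profile and the hardened profile.
# Instead of renaming drop-in files and restarting systemd-resolved, this changes
# only the per-link settings through resolvectl; the persistent hardened drop-in
# under /etc/systemd/resolved.conf.d/ is never touched, and `resolvectl revert`
# (or the next resolved restart) puts the link back under the global settings.
set -eu

# Link to reconfigure (assumed name; use `resolvectl status` to find yours).
LINK="${LINK:-wlan0}"

# Command to run; set RESOLVECTL=echo to print the commands instead of running them.
RESOLVECTL="${RESOLVECTL:-resolvectl}"

# Captive-portal profile: turn DNSSEC and DNS-over-TLS off on this one link so the
# portal's own plaintext (and usually spoofed) resolver answers are accepted, then
# drop cached answers so an earlier SERVFAIL from failed validation does not stick.
portal_dns() {
  link="$1"
  "$RESOLVECTL" dnssec "$link" no
  "$RESOLVECTL" dnsovertls "$link" no
  "$RESOLVECTL" flush-caches
}

# Hardened profile: remove all per-link overrides so the global DNSSEC=/DNSOverTLS=
# settings apply again, and flush whatever was cached while validation was off,
# since none of those answers were validated.
hardened_dns() {
  link="$1"
  "$RESOLVECTL" revert "$link"
  "$RESOLVECTL" flush-caches
}

# Desktop notification in the style of the rename-based script, if notify-send exists.
notify() {
  command -v notify-send >/dev/null 2>&1 && notify-send -a "systemd resolved" "$1" || true
}

case "${1:-}" in
  portal)   portal_dns "$LINK";   notify "DNS on $LINK is now insecure (captive portal mode)" ;;
  hardened) hardened_dns "$LINK"; notify "DNS on $LINK is hardened again" ;;
  "")       ;;   # sourced or run without an argument: nothing to do
  *)        echo "usage: $0 portal|hardened" >&2; exit 2 ;;
esac
```

Usage: `./dns-profile.sh portal` before opening the portal page, `./dns-profile.sh hardened` once logged in. Per-link changes made with resolvectl are authorized through polkit rather than needing a root shell, so from a desktop session you get an authentication dialog without wrapping the script in pkexec; `RESOLVECTL=echo ./dns-profile.sh portal` shows what would be run. The change is deliberately non-persistent: a restart of systemd-resolved or NetworkManager reconfiguring the link discards it, which is exactly the "temporary" behaviour wanted here, and the global DoT/DNSSEC policy in the drop-in stays in force for every other link the whole time.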

This is true, I will open an FR there. I have to find out how to use resolvectl; this could for sure be a good way to temporarily disable DNSSEC and the custom DNS server, and DoT enforcement and whatnot.

Having some way for all systems to do this temporarily for these damn captive portals would be pretty important. KDE 6 will have a captive portal login feature of some sort; this should totally work there for a good experience.