The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.
No. The average user would use NetworkManager GUI integrated into DE.
changing settings in Network Manager.
What's wrong with this method? I feel like this is the main one and it works well for me. Even if you were using systemd-resolved, I believe it still works.
This is the answer for desktop Linux. Have NM create the drop in for systemd-resolved when the settings are changed. This is NM’s job.
1.It doesn't support DoH 2.It's set per connection, not system-wide. If you connect to another wifi network you have to set dns again.
I typically leave my DNS config to my router and PiHole. I run a VPN server to my home network so I have the same setup no matter where I am. I'll agree, it used to be that /etc/resolv.conf was the go to, but systemd had been interesting to say the least.
I also found this if it helps you any.
Problems:
Iirc, Unifi gear does captive portals, but good points all around.
Slightly off topic, but as long as we're ranting about DNS...
Proxmox handles DNS for each container as a setting in the hypervisor. It's not a bad way of simplifying things, but if, hypothetically, you didn't know about that, then you could find yourself in a situation where you spend an entire afternoon trying every single one of the million different ways to edit DNS in Linux and getting increasingly frustrated because the IP gets overwritten every time you restart the container no matter what you do, until eventually you figure out that the solution is just like three clicks and a text entry box in the Proxmox GUI!
...Hypothetically, of course.
Wait, what? LOL didn’t know Proxmox had that!
Thanks, you’ve saved me from spending some afternoons. I don’t want to think about how much time I spent on DNS before this
I don't touch my fedora DNS settings because my openwrt router handles DoT for the entire network.
That doesn't help outside of home. When we are in an untrusted network then the DNS mess makes us vulnerable for spoofing attacks.
Wireguard to home or a vps running a pihole. Block all dns other than over wireguard.
PS. And yes, I fucking love to solve captchas. No, I am not a Robot.
DoT and DoH are really the most important when you're not at home.
My two cents: Yes, it's bad. The biggest hurdle to people not "intimately familiar" with their distro is A) what it's using for DNS configuration and B) realizing that there are so many different ways in different distributions, and sometimes within one distribution, that you have to be very careful what googled results you follow. That many browsers do their own thing doesn't help. I think the best way to solve it would be some desktop level abstraction like PackageKit where it doesn't really matter what services does the resolving under the hood.
Xkcd “standards”
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
Nor should there be. That's what the configuration files are for, and the utility to edit them is the editor of your choice.
I don't think systemd-resolved has support for DNS-over-HTTPS yet but it has support for DNS over TLS which I have used issue free for years now.
All the browsers will use your system configured DNS if you do not touch the browser's DNS settings.
DNS is not broken on Linux, your configuration is.
All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.
Not necessarily. Firefox ships with its own DoH enabled out of the box, which uses Cloudflare servers.
Then Firefox is broken in this context. It should respect the user's system DNS settings.
Edit: You are wrong. The correct answer is somewhere along the lines of borderline confusing and you don't have to worry about it if everything is working. In my case, it used my DNS provider set by systemd-resolved and not cloudflare but YMMV.
This is what the default menu for Firefox DNS settings say:
Enable secure DNS using:
...
Firefox decides when to use secure DNS to protect your privacy.
Use secure DNS in regions where it’s available
Use your default DNS resolver if there is a problem with the secure DNS provider
Use a local provider, if possible
....
Turn off when VPN, parental control, or enterprise policies are active
Turn off when a network tells Firefox it shouldn’t use secure DNS
Your suggested solution would leak DNS for everything except thr browser. That's a broken implementation
Your suggested solution would leak DNS for everything except thr browser
How so?
It's very easy when not using systemd-resolved.
In defense of systemd-resolved, it's meant for static configurations. I absolutely love it for my stationary machines for its simplicity and tooling. However, for machines that might need to change settings at one point - say notebooks - I'd never consider it. Same for systemd-networkd.
Modern browsers use their buit-in DNS settings which adds to the confusion.
There's no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there's a toggle to turn it off, I'm okay with that.
How do you think it should be fixed?
The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.
Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (~home.arpa for virtual machines and ~lan for machines in my home network).
There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I'll have to enable DNSDefaultRoute= in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It's a lot of steps but I can automate most of them with a script for now.
Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.
Edit: link to some blog post
I just edit resolv.conf directly, and then do chattr +i /etc/resolv.conf to make it persistent
Systemd likes to ruin all the easy stuff with overcomplicated bloated programms.
No software should EVER touch any DNS related configuration or file and no application should bring it’s own system for DNS request. Everything regarding DNS without any exception should be done by the application that sets up and handle the network connection.
This isn't really a "Linux" problem. Calling it a Linux problem implies all distros do the same thing out of the box because it's a part of the core system. Systemd has a file, /etc/systemd/resolved.conf which has one line DNS= that you can add the servers you want. It's as simple as that. If you're using Dnsmasq for DNS instead, you'd edit the Dnsmasq file. If you're not using my of those (i.e. you removed systemd-resolved, Dnsmasq, etc) then you can just edit the /etc/reeolv.conf directly without worry of it being overwritten.
While many distros come with systemd out of the box, not all of them do. For example, I use Gentoo with rc and after editing my resolv.conf, never had to worry about it again unless I decided to install a custom DNS software on it later.
I read many replies to your post as "DNS software shouldn't be allowed to change DNS settings" for the most part, and that doesn't quite make sense to me. If it's a problem, remove said software. Browsers are definitely annoying in the DNS front, I won't disagree with that. Fortunately, they allow you to turn that off though.
No problems here using /etc/systemd/resolved.conf for NextDNS settings. I also set the dns settings for NextDNS in Firefox.
You haven't used Ubuntu Server... The resolv.conf is managed by the network manager (NetworkManager if I recall correctly). But if you configure the DNS in NM it won't survive the reboot because there is another layer on top, cloudinit.
This is terrible. At least they should deprecate that file.
Can't, it's hardcoded by too many programs out there. resolv.conf is still the place to get DNS configuration, but it was hijacked by various "helping" tools so you can't edit it manually anymore. Why they couldn't stick to adding /etc/resolv.d/*.conf files like to many other /etc/ stuff, I'll never know.
Cloud-init is fairly well documented:
But if you do not need it (and if you're configuring DNS by hand, it doesn't sound like you do), you can disable it entirely:
https://cloudinit.readthedocs.io/en/latest/howto/disable_cloud_init.html
resolv.conf itself should be managed by systemd-resolved on any modern Ubuntu Server release. And that service will use the DNS settings provided by netplan.
With cloud-init disabled, you should have the freedom to create/edit configuration files in /etc/netplan and apply changes with netplan apply.
Very much agreed 👍 I realized when using the dnscrypt to set the DNS settings. There is resolv.conf which used to be the final authority regarding your DNS. Now I don't know anymore
it still is, just make it read only.
not reliable, even if it should be. i've seen updates replace the file in a way that clears the read-only flag. same with other clever tricks like making it a symlink.
Yup. Tried that, doesn't work.
chattr +i
;)
Just between yesterday and today I was struggling with this, to get DoH or DoT working, but Network Manager would override /etc/resolv.conf. At least I figured out how to stop NM from modifying the DNS.
I tried my putting my dns settings in /etc/systemd/resolv.conf, as suggested by Nextdns setup page, but that didn't seem to work, at least on Tumbleweed. On my Debian laptop running as a headless server, the /etc/systemd/resolv.conf does work.
I'm currently with Stubby, and it's working at least, but I would've liked to figure out the systemd-resolved way on Tumbleweed.
Did you try dnscrypt-proxy?
Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.
Because it's systemd. You take it or you take it. Brought to you by the same people who brought PulseAudio and GNOME 3.
The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots)
True, but at least by this point it is documented everywhere (at least on Arch and Debian) and if you want to play around with resolv.conf their go-to interface is to install resolvconf and edit only the base or head files.
How do you think it should be fixed?
IMO people should just install and learn to use dnsmasq / bind9. They're there precisely to cover most cases (including forwarding local DNS queries to DoH, or having your own intranet, etc).
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0