Linux DNS settings is a total mess

I recently tried to enable system-wide DNS over HTTPS on Fedora. To do so I had to do some research and found out how confusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

The average user would still try to change DNS settings by editing /etc/resolv.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

Based on the documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in the /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-HTTPS.

Modern browsers use their built-in DNS settings, which adds to the confusion.

I think this is one area that Linux needs more work and more standardization.

How do you think it should be fixed?
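The drop-in approach from the post above, as an added example (not from the original thread): a POSIX shell helper that writes a `[Resolve]` drop-in enabling DNS-over-TLS, plus a check that the file says what we expect. The directory and the `address#sni` upstreams are parameters; the defaults are placeholders you replace with your own resolver.

```shell
#!/bin/sh
# Write a systemd-resolved drop-in that pins upstream servers and turns on
# DNS-over-TLS. Usage: write_resolved_dropin <dropin_dir> <ip#tls_name>...
# systemd-resolved accepts "ip#name" so it can validate the TLS certificate.
write_resolved_dropin() {
  dir="$1"; shift
  [ "$#" -gt 0 ] || { echo "no upstream servers given" >&2; return 1; }
  mkdir -p "$dir" || return 1
  out="$dir/10-dot.conf"
  {
    printf '%s\n' '[Resolve]'
    printf 'DNS=%s\n' "$*"            # space-separated list, as resolved.conf expects
    printf '%s\n' 'DNSOverTLS=yes'    # strict: never fall back to plaintext port 53
    printf '%s\n' 'DNSSEC=allow-downgrade'
  } > "$out" || return 1
  chmod 0644 "$out"
  printf '%s\n' "$out"
}

# Return 0 if the drop-in really enforces strict DNS-over-TLS, 1 otherwise.
# "DNSOverTLS=opportunistic" would silently downgrade, so it is not accepted here.
dropin_is_strict_dot() {
  grep -qx 'DNSOverTLS=yes' "$1" && grep -q '^DNS=.*#' "$1"
}

# Real use (needs root and a running systemd-resolved); not executed by default:
#   f=$(write_resolved_dropin /etc/systemd/resolved.conf.d 1.1.1.1#cloudflare-dns.com)
#   dropin_is_strict_dot "$f" && systemctl restart systemd-resolved
#   resolvectl status            # should list the servers and "+DNSOverTLS"
#   readlink -f /etc/resolv.conf # should be the resolved stub file, not a hand-edited copy
```

If `/etc/resolv.conf` is not the `systemd-resolved` stub link, applications bypass the drop-in entirely, which is the case the thread's `/etc/resolv.conf` edits run into.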

A10,

Very much agreed 👍 I realized this when using dnscrypt to set the DNS settings. There is resolv.conf, which used to be the final authority regarding your DNS. Now I don’t know anymore.

saltedpenguin,

it still is, just make it read only.

kittykabal,

Not reliable, even if it should be. I've seen updates replace the file in a way that clears the read-only flag. Same with other clever tricks like making it a symlink.

davefischer,

Yup. Tried that, doesn’t work.

gooeyglob,

chattr +i

;)

Mikelius,

This isn’t really a “Linux” problem. Calling it a Linux problem implies all distros do the same thing out of the box because it’s a part of the core system. Systemd has a file, /etc/systemd/resolved.conf, which has one line, DNS=, where you can add the servers you want. It’s as simple as that. If you’re using Dnsmasq for DNS instead, you’d edit the Dnsmasq file. If you’re not using any of those (i.e. you removed systemd-resolved, Dnsmasq, etc.) then you can just edit /etc/resolv.conf directly without worry of it being overwritten.

While many distros come with systemd out of the box, not all of them do. For example, I use Gentoo with rc and, after editing my resolv.conf, never had to worry about it again unless I decided to install custom DNS software on it later.

I read many replies to your post as “DNS software shouldn’t be allowed to change DNS settings” for the most part, and that doesn’t quite make sense to me. If it’s a problem, remove said software. Browsers are definitely annoying on the DNS front, I won’t disagree with that. Fortunately, they allow you to turn that off though.

SneakyThunder,

I just edit resolv.conf directly, and then do chattr +i /etc/resolv.conf to make it persistent.

pascal,

Systemd likes to ruin all the easy stuff with overcomplicated, bloated programs.

veniasilente,

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

Because it’s systemd. You take it or you take it. Brought to you by the same people who brought PulseAudio and GNOME 3.

The average user would still try to change DNS settings by editing /etc/resolv.conf (which is overwritten and will not survive reboots)

True, but at least by this point it is documented everywhere (at least on Arch and Debian), and if you want to play around with resolv.conf their go-to interface is to install resolvconf and edit only the base or head files.

How do you think it should be fixed?

IMO people should just install and learn to use dnsmasq / bind9. They’re there precisely to cover most cases (including forwarding local DNS queries to DoH, or having your own intranet, etc).

ScottE,

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

Nor should there be. That’s what the configuration files are for, and the utility to edit them is the editor of your choice.

WindowsEnjoyer,

The average user would still try to change DNS settings by editing /etc/resolv.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

No. The average user would use NetworkManager GUI integrated into DE.

mfat,

Network Manager doesn’t support DoH.

NanoooK,

The average user barely knows what DNS is, so DoH…

netchami,

Android supports DoT, and it can be easily configured by the user. They call it ‘Private DNS’ though, in order to not confuse users with terminology like ‘DNS-over-TLS’. Also most browsers support DoH, Chromium just calls it ‘Secure DNS’, again, in order not to confuse users. NetworkManager could definitely implement DNSCrypt, DoT and DoH, maybe even DoQ and just call it ‘Encrypted DNS’ and add a toggle to choose the protocol.

Lemmchen, (edited)

It’s very easy when not using systemd-resolved.

Laser,

In defense of systemd-resolved, it’s meant for static configurations. I absolutely love it for my stationary machines for its simplicity and tooling. However, for machines that might need to change settings at some point, say notebooks, I’d never consider it. Same for systemd-networkd.

Joker,

I wouldn’t call it a mess. There’s a reason it’s not standard. It’s because Linux is about having choices. Linux users have such a variety of use cases and there are a zillion different kinds of hardware it runs on. There’s no one thing that works for everyone.

I think this flexibility is a big part of what makes Linux special but also what makes it difficult for newcomers. The documentation on all the various software is typically very good to excellent. The harder part is figuring out which choice to make in the first place.

I don’t really have any answers except to take it all in and be more willing to do some research than some other platforms may require.

System-wide DoH is sort of a power user thing to begin with so other platforms will likely be similar. I think you would probably be using some kind of app to do it on Windows or Mac.

By the way, you might want to take a look at stubby for your situation. I did something similar a few weeks back and that’s what I used. It runs a little local DNS proxy that forwards requests to your upstream servers. Then you would set your DNS server to 127.0.0.1 in NetworkManager or whatever you’re using. You have to change like 3 lines in the default stubby config a typical distro may provide to make it work.
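The stubby setup described in the reply above, as an added example that is not part of the original thread: a shell helper that writes a minimal stubby.yml listening on 127.0.0.1, forwarding over TLS only, with certificate authentication required. The upstream address and TLS name are placeholders you substitute with your own resolver; the output path is a parameter so nothing touches /etc until you ask.

```shell
#!/bin/sh
# Generate a minimal stubby.yml. Usage: write_stubby_conf <out_file> <ip> <tls_auth_name>
# Keys used are the documented stubby.yml settings; the upstream values are placeholders.
write_stubby_conf() {
  out="$1"; ip="$2"; name="$3"
  [ -n "$ip" ] && [ -n "$name" ] || { echo "need <out> <ip> <tls_auth_name>" >&2; return 1; }
  cat > "$out" <<EOF
resolution_type: GETDNS_RESOLUTION_STUB
# TLS only: stubby never falls back to plaintext UDP/TCP 53 to the upstream.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Fail closed if the upstream certificate does not match tls_auth_name.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
round_robin_upstreams: 1
idle_timeout: 10000
# Listen only on loopback; point NetworkManager / resolv.conf at 127.0.0.1.
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: $ip
    tls_auth_name: "$name"
EOF
  printf '%s\n' "$out"
}

# Return 0 only if the file enforces TLS transport AND required authentication.
stubby_conf_is_strict() {
  grep -q 'GETDNS_TRANSPORT_TLS' "$1" &&
  grep -q 'tls_authentication: GETDNS_AUTHENTICATION_REQUIRED' "$1" &&
  ! grep -q 'GETDNS_TRANSPORT_UDP\|GETDNS_TRANSPORT_TCP' "$1"
}

# Real use (root): write_stubby_conf /etc/stubby/stubby.yml 1.1.1.1 cloudflare-dns.com
#   then: stubby -C /etc/stubby/stubby.yml -l   (run in the foreground to watch it connect)
```

After pointing the system resolver at 127.0.0.1, a query that still answers when the upstream TLS name is wrong is the sign that something other than stubby is resolving.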

blkpws,

Well, I’m not using systemd, and Portmaster (safing.io, free open source without the VPN tunnels) has DNS control over any request your Linux does… I don’t think I have any issues here… hehe

craigevil,

No problems here using /etc/systemd/resolved.conf for NextDNS settings. I also set the DNS settings for NextDNS in Firefox.

plenipotentprotogod,

Slightly off topic, but as long as we’re ranting about DNS…

Proxmox handles DNS for each container as a setting in the hypervisor. It’s not a bad way of simplifying things, but if, hypothetically, you didn’t know about that, then you could find yourself in a situation where you spend an entire afternoon trying every single one of the million different ways to edit DNS in Linux and getting increasingly frustrated because the IP gets overwritten every time you restart the container no matter what you do, until eventually you figure out that the solution is just like three clicks and a text entry box in the Proxmox GUI!

…Hypothetically, of course.

FrostyCaveman,

Wait, what? LOL didn’t know Proxmox had that!

Thanks, you’ve saved me from spending some afternoons. I don’t want to think about how much time I spent on DNS before this.

Kekin, (edited)

Just between yesterday and today I was struggling with this, to get DoH or DoT working, but Network Manager would override /etc/resolv.conf. At least I figured out how to stop NM from modifying the DNS.

I tried putting my DNS settings in /etc/systemd/resolv.conf, as suggested by the NextDNS setup page, but that didn’t seem to work, at least on Tumbleweed. On my Debian laptop running as a headless server, /etc/systemd/resolv.conf does work.

I’m currently with Stubby, and it’s working at least, but I would’ve liked to figure out the systemd-resolved way on Tumbleweed.

mfat,

Did you try dnscrypt-proxy?

Kekin,

Not yet but I will check it out, thanks!

samsy,

I don’t touch my Fedora DNS settings because my OpenWrt router handles DoT for the entire network.

mojo,

DoT and DoH are really the most important when you’re not at home.

Frederic,

I enabled an OpenVPN server on my router, and my laptop and phone are always connected to it.

mojo,

So do you just not leave the house then? I think you misread my comment or something.

LinuxSBC,

Do you know what a VPN is?

redd,

That doesn’t help outside of home. When we are in an untrusted network, then the DNS mess makes us vulnerable to spoofing attacks.

krolden,

WireGuard to home or a VPS running a Pi-hole. Block all DNS other than over WireGuard.

veronicaandrews,

Doesn’t this solution mess with captive portals?

krolden,

I’ve never had an issue. You could always just disable it to load the captive portal, then turn it back on after you’re connected.

samsy,

  1. WireGuard
  2. I run my own DoT/DoH server and am able to connect to it from everywhere. This makes option 1 mostly obsolete.

PS. And yes, I fucking love to solve captchas. No, I am not a Robot.

Ecology8622,

A bit confusing, I agree. Just a little bit of research.

hottari,

I don’t think systemd-resolved has support for DNS-over-HTTPS yet, but it has support for DNS over TLS, which I have used issue-free for years now.

All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.

DNS is not broken on Linux, your configuration is.

library_napper,

Your suggested solution would leak DNS for everything except the browser. That’s a broken implementation.

hottari,

Your suggested solution would leak DNS for everything except the browser

How so?

lemmyvore,

All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.

Not necessarily. Firefox ships with its own DoH enabled out of the box, which uses Cloudflare servers.

hottari, (edited)

Then Firefox is broken in this context. It should respect the user’s system DNS settings.

Edit: You are wrong. The correct answer is somewhere along the lines of borderline confusing and you don’t have to worry about it if everything is working. In my case, it used my DNS provider set by systemd-resolved and not cloudflare but YMMV.

This is what the default menu for Firefox DNS settings says:

    Enable secure DNS using:
    ...
    Firefox decides when to use secure DNS to protect your privacy.
    Use secure DNS in regions where it’s available
    Use your default DNS resolver if there is a problem with the secure DNS provider
    Use a local provider, if possible
    ....
    Turn off when VPN, parental control, or enterprise policies are active
    Turn off when a network tells Firefox it shouldn’t use secure DNS

lemmyvore,

Firefox DoH has been enabled by default for the US for a couple of years now.

hottari,

The US is not the world!

And neither Firefox nor its broken? DNS implementation have anything to do with the topic(Linux DNS)…

lemmyvore,

You said all browsers would follow your system DNS, I just explained that’s not always the case.

And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.

hottari,

You said all browsers would follow your system DNS, I just explained that’s not always the case.

Both Firefox & Chrome follow my system DNS at default settings. Just because Firefox forcefully enrolled US users into Cloudflare’s DoH doesn’t mean that DNS is broken for everyone else.

And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.

Again. Has nothing to do with the topic, i.e. Linux DNS. Applications can use their own custom DoH/DoQ resolvers to bypass system DNS; this has no bearing on the brokenness or not of systemd-resolved or any other system DNS resolver.
