I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.

Modern browsers use their buit-in DNS settings which adds to the confusion.

I think this is one area that Linux needs more work and more standardization.

How do you think it should be fixed?

  • lemmyvore
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Can’t, it’s hardcoded by too many programs out there. resolv.conf is still the place to get DNS configuration, but it was hijacked by various “helping” tools so you can’t edit it manually anymore. Why they couldn’t stick to adding /etc/resolv.d/*.conf files like to many other /etc/ stuff, I’ll never know.

    • JWBananas@startrek.website
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      You basically just made the case for exactly why.

      Programs should be using the system resolver, not parsing that file.

      The system resolver should have predictable behavior. But if other programs are doing their own DNS resolution (or otherwise predicating their functionality) based directly on the contents of resolv.conf then their behavior will not always be consistent with the system resolver (or with how the sysadmin intended things to function).

      And that can break things in subtle, unpredictable ways, which is always a headache.

      Thus, on some modern systems, resolv.conf simply declares the local systemd-resolved instance (i.e. 127.0.0.1) and nothing else.

      A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace. Want to ensure DNS lookups for specific apps occur only through your VPN-specific DNS servers but all other apps only use the normal system resolvers (i.e. no leaking from either side of the divide)? Want to also ensure DNS lookups for those specific apps fail when the VPN is down (again, as opposed to leaking)? systemd-resolved has your back.

      And before anyone asks, yes, I am aware there are other, more crude and convoluted ways to do that with e.g. iptables (just like you can use crude, inconsistent init.d spaghetti scripts to manage services). It’s just one single real-world example.

      A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

      The point is to configure everything using consistent, predictable configuration files and syntax, and to ensure consistent, predictable behavior.

      But if you ultimately still want resolv.conf.d back, then your distro of choice undoubtedly provides a way to do so.

      • lemmyvore
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Programs should be using the system resolver, not parsing that file.

        What’s a “system resolver”? We’re talking about DNS servers. You’re either running one locally or not. Either way, you need a way for everybody to know what DNS servers to use, regardless of whether you run one on the machine. That’s where resolv.conf comes in.

        And that can break things in subtle, unpredictable ways, which is always a headache.

        Let’s see some examples.

        A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

        Good, because that has nothing to do with DNS, it’s a matter of routing. They’re orthogonal issues.