
This post describes how to set up systemd-resolved as a local caching resolver alongside NetworkManager, with DNSSEC validation and DNS over TLS to Quad9 as the upstream. The cache improves DNS query performance and reliability; DNSSEC and DNS over TLS add integrity and confidentiality for the upstream queries.

Configure NetworkManager

In /etc/NetworkManager/NetworkManager.conf under the [main] section, add the following line:

[main]
dns=systemd-resolved

This makes NetworkManager push the DNS servers it learns for each connection (for example from DHCP) into systemd-resolved as per-link settings, instead of writing them to /etc/resolv.conf itself.

Reload the NetworkManager configuration to apply the changes:

nmcli general reload

Configure systemd-resolved

Install systemd-resolved if it is not already installed:

dnf install systemd-resolved

Edit the /etc/systemd/resolved.conf file to set the DNS servers and other options.

For example, to use Quad9 as the global DNS servers with DNSSEC validation and DNS over TLS, set the following. The #dns.quad9.net suffix is the server name that systemd-resolved validates the TLS certificate against. DNSSEC=yes and DNSOverTLS=yes are the strict modes: a server that fails validation or does not speak TLS on port 853 is never used in plaintext, and if no configured server works the lookup fails (DNSSEC=allow-downgrade and DNSOverTLS=opportunistic are the lenient variants). The global DNS= servers are queried alongside any per-link servers NetworkManager has pushed for a connection (visible with resolvectl status), so DHCP-provided resolvers stay in use unless they are removed from the connection as shown further down.

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net
FallbackDNS=149.112.112.112#dns.quad9.net 2620:fe::9#dns.quad9.net
#Domains=
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=no
#LLMNR=resolve
Cache=yes
#CacheFromLocalhost=no
DNSStubListener=yes
#DNSStubListenerExtra=
ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

Now you can enable and start the systemd-resolved service (restart it instead if it was already running, so the new resolved.conf is read):

systemctl enable --now systemd-resolved
systemctl status systemd-resolved

Point /etc/resolv.conf at the stub resolver file. Note that /run/systemd/resolve/stub-resolv.conf (nameserver 127.0.0.53) is the file that sends glibc lookups through the systemd-resolved cache; /run/systemd/resolve/resolv.conf lists the upstream servers directly and would bypass the stub and its cache.

mv /etc/resolv.conf /etc/resolv.conf.bak
ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

# verify: the file should contain "nameserver 127.0.0.53"
cat /etc/resolv.conf
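The whole procedure above as one script (an added example, not code from the original post or from the systemd or NetworkManager projects). It puts dns=systemd-resolved in a NetworkManager drop-in and the Quad9/DNSSEC/DoT settings in a systemd-resolved drop-in, which the resolved.conf header itself recommends over editing the main file, then links /etc/resolv.conf to the stub file. The ROOT argument, the drop-in file names (10-systemd-resolved.conf, 10-quad9-dot.conf) and the APPLY_LIVE switch are this script's own assumptions so the functions can be exercised against a scratch directory before touching a live host.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the post's configuration
# in one go. Everything is written below ROOT (default "/") so the functions can
# be exercised against a scratch directory; ROOT, the drop-in file names and
# APPLY_LIVE are assumptions of this script, not systemd or NetworkManager names.
set -eu

STUB=/run/systemd/resolve/stub-resolv.conf

# NetworkManager reads /etc/NetworkManager/conf.d/*.conf, so dns=systemd-resolved
# can live in a drop-in instead of NetworkManager.conf. Prints the file written.
install_nm_dropin() {
    root="${1:-/}"
    dir="${root%/}/etc/NetworkManager/conf.d"
    file="$dir/10-systemd-resolved.conf"
    mkdir -p "$dir"
    printf '[main]\ndns=systemd-resolved\n' > "$file"
    printf '%s\n' "$file"
}

# Render the [Resolve] stanza. Servers are given as ip#name so systemd-resolved
# can validate the DoT certificate against the name. DNSSEC/DNSOverTLS default
# to the strict "yes" used in the post; pass "allow-downgrade"/"opportunistic"
# for networks where strict mode breaks resolution.
render_resolved_dropin() {
    dns="$1"; fallback="$2"; dnssec="${3:-yes}"; dot="${4:-yes}"
    cat <<EOF
# Drop-in: keys here override the same keys in /etc/systemd/resolved.conf
[Resolve]
DNS=$dns
FallbackDNS=$fallback
DNSSEC=$dnssec
DNSOverTLS=$dot
Cache=yes
DNSStubListener=yes
ReadEtcHosts=yes
EOF
}

# Write the Quad9 drop-in under ROOT/etc/systemd/resolved.conf.d/ and print its path.
install_resolved_dropin() {
    root="${1:-/}"
    dir="${root%/}/etc/systemd/resolved.conf.d"
    file="$dir/10-quad9-dot.conf"
    mkdir -p "$dir"
    render_resolved_dropin \
        "9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net" \
        "149.112.112.112#dns.quad9.net 2620:fe::9#dns.quad9.net" > "$file"
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

# Point ROOT/etc/resolv.conf at the stub file (nameserver 127.0.0.53) so glibc
# lookups go through systemd-resolved's cache. /run/systemd/resolve/resolv.conf
# would list the upstream servers directly and bypass the cache. A regular file
# already in place is kept as resolv.conf.bak. Prints the new link target.
link_stub_resolv() {
    root="${1:-/}"
    target="${root%/}/etc/resolv.conf"
    mkdir -p "$(dirname "$target")"
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        mv "$target" "$target.bak"
    fi
    rm -f "$target"
    ln -s "$STUB" "$target"
    readlink "$target"
}

# Succeeds only when ROOT/etc/resolv.conf is a symlink to the stub file.
resolv_conf_uses_stub() {
    root="${1:-/}"
    [ "$(readlink "${root%/}/etc/resolv.conf" 2>/dev/null || true)" = "$STUB" ]
}

# Apply to the running system: APPLY_LIVE=1 sh this-script.sh (as root).
# Without APPLY_LIVE the script only defines the functions above.
if [ "${APPLY_LIVE:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    rpm -q systemd-resolved >/dev/null 2>&1 || dnf -y install systemd-resolved
    install_nm_dropin /
    install_resolved_dropin /
    link_stub_resolv /
    systemctl enable --now systemd-resolved
    systemctl restart systemd-resolved   # pick up the drop-in if it was already running
    nmcli general reload                 # NetworkManager re-reads its configuration
    resolvectl status
fi
```

Source the file with a scratch ROOT (for example `install_resolved_dropin /tmp/scratch`) to inspect the generated files first; only APPLY_LIVE=1 touches the live system.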

Verify DNS Resolution

Query the stub resolver:

dig google.com @127.0.0.53

Show the generated upstream resolv.conf, i.e. the servers systemd-resolved itself talks to (this is not the file /etc/resolv.conf should point at):

cat /run/systemd/resolve/resolv.conf

Global and per-link (interface) configuration, including the servers NetworkManager pushed for each connection:

resolvectl status

Live queries can be monitored with:

resolvectl monitor

Show cache statistics (size, hits and misses) and DNSSEC verdicts:

resolvectl statistics

Remove the DNS servers NetworkManager pushes for a specific connection, so that only the global Quad9 servers are used. Clearing ipv4.dns/ipv6.dns only drops statically configured servers; ignore-auto-dns additionally stops the DHCP/RA-provided resolvers from being pushed (with DNSOverTLS=yes those would be contacted over TLS and typically fail). Note that nmcli takes the connection name after the verb:

nmcli connection modify <conn> ipv4.dns "" ipv4.ignore-auto-dns yes
nmcli connection modify <conn> ipv6.dns "" ipv6.ignore-auto-dns yes
# re-activate the connection so the change reaches systemd-resolved
nmcli connection up <conn>

View current entries in cache:

resolvectl show-cache
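The checks in this section and the per-link cleanup above, as an added example (not code from the original post): shell functions that parse a saved copy of resolvectl status and a resolv.conf and give a pass/fail answer, plus a check_live function that collects the live state. The sample_status output is constructed here to match the single-line "Protocols:" layout of recent resolvectl releases (older releases print the DNSSEC and DNSOverTLS settings on separate lines and are not handled); it is not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the manual checks into
# pass/fail functions. Each function reads a file so it can be run over a saved
# copy of "resolvectl status" output; check_live() collects the live state.
set -eu

# Constructed sample in the shape of "resolvectl status" (not captured from a
# real host): a global DoT/DNSSEC setup plus one link still carrying a DHCP resolver.
sample_status() {
    cat <<'EOF'
Global
         Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net
Fallback DNS Servers: 149.112.112.112#dns.quad9.net 2620:fe::9#dns.quad9.net

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 3 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
EOF
}

# "stub" when the first nameserver in a resolv.conf is systemd-resolved's stub
# listener (127.0.0.53), "other" for anything else (uplink servers, a foreign file,
# or no nameserver at all).
resolv_conf_mode() {
    awk '$1 == "nameserver" { m = ($2 == "127.0.0.53") ? "stub" : "other"; print m; found = 1; exit }
         END { if (!found) print "other" }' "$1"
}

# The "Protocols:" line of the Global section, e.g.
# "LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported".
global_protocols() {
    awk '/^Global/ { g = 1; next }
         /^Link /  { g = 0 }
         g && /Protocols:/ { sub(/^ *Protocols: */, ""); print; exit }' "$1"
}

# Succeeds when DNS over TLS is enabled globally ("+DNSOverTLS" in the Protocols line).
global_dot_enabled() {
    case " $(global_protocols "$1") " in
        *" +DNSOverTLS "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the configured DNSSEC mode (yes, allow-downgrade or no), taken from
# the "DNSSEC=<mode>/<supported|unsupported>" token.
global_dnssec_mode() {
    global_protocols "$1" | tr ' ' '\n' | sed -n 's|^DNSSEC=\([^/]*\).*|\1|p'
}

# Lists interfaces that carry their own per-link DNS servers (pushed by
# NetworkManager, typically from DHCP). With DNSOverTLS=yes these are contacted
# over TLS as well, so any that is not a DoT server is a candidate for the
# nmcli cleanup above.
links_with_own_dns() {
    awk '/^Link [0-9]+ \(/ { link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*$/, "", link); next }
         /^Global/ { link = "" }
         link != "" && /^ *DNS Servers:/ { print link }' "$1"
}

# Run all checks against the live system; prints a summary and returns
# non-zero when /etc/resolv.conf is not the stub or DoT is off.
check_live() {
    st=$(mktemp)
    resolvectl status > "$st"
    mode=$(resolv_conf_mode /etc/resolv.conf)
    if global_dot_enabled "$st"; then dot=on; else dot=off; fi
    echo "resolv.conf mode:        $mode"
    echo "DNSSEC mode:             $(global_dnssec_mode "$st")"
    echo "DNSOverTLS:              $dot"
    echo "links with per-link DNS: $(links_with_own_dns "$st" | tr '\n' ' ')"
    rm -f "$st"
    if [ "$mode" = stub ] && [ "$dot" = on ]; then return 0; else return 1; fi
}

# sh this-script.sh --live   runs the checks against the running system.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

A non-empty "links with per-link DNS" line names the connections to clean up with nmcli; after the cleanup, resolvectl status should show no "DNS Servers:" entry under any Link, only under Global.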