I recently tried to enable system-wide DNS over https on Fedora. To do so I had to to some research and found out how comfusing it is for the average user (and even experienced users) to change the settings. In fact there are multiple backends messing with system DNS at the same time.

Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

Based on documentation of systemd-resolved, the standard way of adding custom DNS servers is putting so-called ‘drop-in’ files in /etc/systemd/resolved.conf.d directory, especially when you want to use DNS-over-TLS or DNS-over-https.

Modern browsers use their buit-in DNS settings which adds to the confusion.

I think this is one area that Linux needs more work and more standardization.

How do you think it should be fixed?

  • WindowsEnjoyer@sh.itjust.works
    link
    fedilink
    arrow-up
    55
    ·
    1 year ago

    The average user would still try to change DNS settings by editing /etc/relov.conf (which is overwritten and will not survive reboots) or changing settings in Network Manager.

    No. The average user would use NetworkManager GUI integrated into DE.

        • Free Palestine 🇵🇸@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          Android supports DoT, and it can be easily configured by the user. They call it ‘Private DNS’ though, in order to not confuse users with terminology like ‘DNS-over-TLS’. Also most browsers support DoH, Chromium just calls it ‘Secure DNS’, again, in order not to confuse users. NetworkManager could definitely implement DNSCrypt, DoT and DoH, maybe even DoQ and just call it ‘Encrypted DNS’ and add a toggle to choose the protocol.

  • Molecular0079@lemmy.world
    link
    fedilink
    English
    arrow-up
    44
    arrow-down
    1
    ·
    1 year ago

    changing settings in Network Manager.

    What’s wrong with this method? I feel like this is the main one and it works well for me. Even if you were using systemd-resolved, I believe it still works.

  • bobs_monkey@lemm.ee
    link
    fedilink
    arrow-up
    30
    ·
    1 year ago

    I typically leave my DNS config to my router and PiHole. I run a VPN server to my home network so I have the same setup no matter where I am. I’ll agree, it used to be that /etc/resolv.conf was the go to, but systemd had been interesting to say the least.

    I also found this if it helps you any.

    • redd@discuss.tchncs.de
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      Problems:

      • you need an additional solution for Wifi captives portals, at least there is a gap in your solution for this situation
      • intercontinental travelling might not be fun
  • plenipotentprotogod@lemmy.world
    link
    fedilink
    arrow-up
    19
    ·
    1 year ago

    Slightly off topic, but as long as we’re ranting about DNS…

    Proxmox handles DNS for each container as a setting in the hypervisor. It’s not a bad way of simplifying things, but if, hypothetically, you didn’t know about that, then you could find yourself in a situation where you spend an entire afternoon trying every single one of the million different ways to edit DNS in Linux and getting increasingly frustrated because the IP gets overwritten every time you restart the container no matter what you do, until eventually you figure out that the solution is just like three clicks and a text entry box in the Proxmox GUI!

    …Hypothetically, of course.

  • samsy@feddit.de
    link
    fedilink
    arrow-up
    20
    arrow-down
    1
    ·
    1 year ago

    I don’t touch my fedora DNS settings because my openwrt router handles DoT for the entire network.

    • redd@discuss.tchncs.de
      link
      fedilink
      arrow-up
      13
      ·
      1 year ago

      That doesn’t help outside of home. When we are in an untrusted network then the DNS mess makes us vulnerable for spoofing attacks.

      • krolden@lemmy.ml
        link
        fedilink
        arrow-up
        11
        arrow-down
        1
        ·
        1 year ago

        Wireguard to home or a vps running a pihole. Block all dns other than over wireguard.

      • samsy@feddit.de
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago
        1. Wireguard
        2. I run my own DoT/DoH server and able to connect it from everywhere. This makes option 1 mostly obsolete.

        PS. And yes, I fucking love to solve captchas. No, I am not a Robot.

      • octatron@lmy.drundo.com.au
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Could also look at tailscale, set it up on you home PCs and mobile devices, set the magic DNS to a home server or vps running pihole. If you don’t like the aspect of tailscale being controlled by a third party you could self host that part using headscale on docker as well

  • _cnt0@feddit.de
    link
    fedilink
    arrow-up
    16
    arrow-down
    1
    ·
    1 year ago

    My two cents: Yes, it’s bad. The biggest hurdle to people not “intimately familiar” with their distro is A) what it’s using for DNS configuration and B) realizing that there are so many different ways in different distributions, and sometimes within one distribution, that you have to be very careful what googled results you follow. That many browsers do their own thing doesn’t help. I think the best way to solve it would be some desktop level abstraction like PackageKit where it doesn’t really matter what services does the resolving under the hood.

  • ScottE@lemm.ee
    link
    fedilink
    arrow-up
    24
    arrow-down
    9
    ·
    1 year ago

    Most major Linux distributions use systemd-resolved for DNS but there is no utility for changing its configuration.

    Nor should there be. That’s what the configuration files are for, and the utility to edit them is the editor of your choice.

  • hottari@lemmy.ml
    link
    fedilink
    arrow-up
    23
    arrow-down
    10
    ·
    1 year ago

    I don’t think systemd-resolved has support for DNS-over-HTTPS yet but it has support for DNS over TLS which I have used issue free for years now.

    All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.

    DNS is not broken on Linux, your configuration is.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      1 year ago

      All the browsers will use your system configured DNS if you do not touch the browser’s DNS settings.

      Not necessarily. Firefox ships with its own DoH enabled out of the box, which uses Cloudflare servers.

      • hottari@lemmy.ml
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Then Firefox is broken in this context. It should respect the user’s system DNS settings.

        Edit: You are wrong. The correct answer is somewhere along the lines of borderline confusing and you don’t have to worry about it if everything is working. In my case, it used my DNS provider set by systemd-resolved and not cloudflare but YMMV.

        This is what the default menu for Firefox DNS settings say:

        Enable secure DNS using:
        ...
        Firefox decides when to use secure DNS to protect your privacy.
        Use secure DNS in regions where it’s available
        Use your default DNS resolver if there is a problem with the secure DNS provider
        Use a local provider, if possible
        ....
        Turn off when VPN, parental control, or enterprise policies are active
        Turn off when a network tells Firefox it shouldn’t use secure DNS
        
        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          1 year ago

          Firefox DoH has been enabled by default for the US for a couple of years now.

          • hottari@lemmy.ml
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            The US is not the world!

            And neither Firefox nor its broken? DNS implementation have anything to do with the topic(Linux DNS)…

            • lemmyvore@feddit.nl
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              1 year ago

              You said all browsers would follow your system DNS, I just explained that’s not always the case.

              And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.

              • hottari@lemmy.ml
                link
                fedilink
                arrow-up
                4
                ·
                1 year ago

                You said all browsers would follow your system DNS, I just explained that’s not always the case.

                Both Firefox & Chrome follow my system DNS at default settings. Just because Firefox forcefully enrolled US users to Cloudflare’s DOH doesn’t mean that DNS is broken for every one else.

                And there is actually a common problem with devices on the LAN that use DoH. You can block their access to the specific DNS servers they use, or block their access to the internet altogether, but you can’t force them to use your DNS settings.

                Again. Has nothing to do with the topic i.e Linux DNS. Applications can use their own custom DOH/DOQ resolvers to bypass system DNS, this has no bearing on the brokeness or not of systemd-resolved or any other system DNS resolver.

    • library_napper@monyet.cc
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      Your suggested solution would leak DNS for everything except thr browser. That’s a broken implementation

      • hottari@lemmy.ml
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        Your suggested solution would leak DNS for everything except thr browser

        How so?

    • Laser@feddit.de
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      In defense of systemd-resolved, it’s meant for static configurations. I absolutely love it for my stationary machines for its simplicity and tooling. However, for machines that might need to change settings at one point - say notebooks - I’d never consider it. Same for systemd-networkd.

  • 5long@lemmy.run
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    1 year ago

    Modern browsers use their buit-in DNS settings which adds to the confusion.

    There’s no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there’s a toggle to turn it off, I’m okay with that.

    How do you think it should be fixed?

    The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.

    Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (~home.arpa for virtual machines and ~lan for machines in my home network).

    There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I’ll have to enable DNSDefaultRoute= in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It’s a lot of steps but I can automate most of them with a script for now.

    Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.

    Edit: link to some blog post

    • pascal@lemm.ee
      link
      fedilink
      arrow-up
      7
      arrow-down
      4
      ·
      1 year ago

      Systemd likes to ruin all the easy stuff with overcomplicated bloated programms.

  • 𝘋𝘪𝘳𝘬@lemmy.ml
    link
    fedilink
    arrow-up
    13
    arrow-down
    5
    ·
    1 year ago

    No software should EVER touch any DNS related configuration or file and no application should bring it’s own system for DNS request. Everything regarding DNS without any exception should be done by the application that sets up and handle the network connection.

    • Hawke@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      No software should EVER touch any DNS related configuration

      Uhh good luck with that. If it were stored on magnetic media I’d suggest “a magnet and a very steady hand” but that doesn’t work so much for SSDs.

  • Mikelius@lemmy.ml
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    edit-2
    1 year ago

    This isn’t really a “Linux” problem. Calling it a Linux problem implies all distros do the same thing out of the box because it’s a part of the core system. Systemd has a file, /etc/systemd/resolved.conf which has one line DNS= that you can add the servers you want. It’s as simple as that. If you’re using Dnsmasq for DNS instead, you’d edit the Dnsmasq file. If you’re not using my of those (i.e. you removed systemd-resolved, Dnsmasq, etc) then you can just edit the /etc/reeolv.conf directly without worry of it being overwritten.

    While many distros come with systemd out of the box, not all of them do. For example, I use Gentoo with rc and after editing my resolv.conf, never had to worry about it again unless I decided to install a custom DNS software on it later.

    I read many replies to your post as “DNS software shouldn’t be allowed to change DNS settings” for the most part, and that doesn’t quite make sense to me. If it’s a problem, remove said software. Browsers are definitely annoying in the DNS front, I won’t disagree with that. Fortunately, they allow you to turn that off though.

  • craigevil@lemmy.ml
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    No problems here using /etc/systemd/resolved.conf for NextDNS settings. I also set the dns settings for NextDNS in Firefox.

  • space@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    9
    arrow-down
    3
    ·
    1 year ago

    You haven’t used Ubuntu Server… The resolv.conf is managed by the network manager (NetworkManager if I recall correctly). But if you configure the DNS in NM it won’t survive the reboot because there is another layer on top, cloudinit.

    • mFat@lemdro.idOP
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      This is terrible. At least they should deprecate that file.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Can’t, it’s hardcoded by too many programs out there. resolv.conf is still the place to get DNS configuration, but it was hijacked by various “helping” tools so you can’t edit it manually anymore. Why they couldn’t stick to adding /etc/resolv.d/*.conf files like to many other /etc/ stuff, I’ll never know.

        • JWBananas@startrek.website
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          You basically just made the case for exactly why.

          Programs should be using the system resolver, not parsing that file.

          The system resolver should have predictable behavior. But if other programs are doing their own DNS resolution (or otherwise predicating their functionality) based directly on the contents of resolv.conf then their behavior will not always be consistent with the system resolver (or with how the sysadmin intended things to function).

          And that can break things in subtle, unpredictable ways, which is always a headache.

          Thus, on some modern systems, resolv.conf simply declares the local systemd-resolved instance (i.e. 127.0.0.1) and nothing else.

          A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace. Want to ensure DNS lookups for specific apps occur only through your VPN-specific DNS servers but all other apps only use the normal system resolvers (i.e. no leaking from either side of the divide)? Want to also ensure DNS lookups for those specific apps fail when the VPN is down (again, as opposed to leaking)? systemd-resolved has your back.

          And before anyone asks, yes, I am aware there are other, more crude and convoluted ways to do that with e.g. iptables (just like you can use crude, inconsistent init.d spaghetti scripts to manage services). It’s just one single real-world example.

          A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

          The point is to configure everything using consistent, predictable configuration files and syntax, and to ensure consistent, predictable behavior.

          But if you ultimately still want resolv.conf.d back, then your distro of choice undoubtedly provides a way to do so.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Programs should be using the system resolver, not parsing that file.

            What’s a “system resolver”? We’re talking about DNS servers. You’re either running one locally or not. Either way, you need a way for everybody to know what DNS servers to use, regardless of whether you run one on the machine. That’s where resolv.conf comes in.

            And that can break things in subtle, unpredictable ways, which is always a headache.

            Let’s see some examples.

            A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

            Good, because that has nothing to do with DNS, it’s a matter of routing. They’re orthogonal issues.

    • JWBananas@startrek.website
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Cloud-init is fairly well documented:

      https://cloudinit.readthedocs.io/en/latest/reference/network-config-format-v2.html#nameservers-mapping

      But if you do not need it (and if you’re configuring DNS by hand, it doesn’t sound like you do), you can disable it entirely:

      https://cloudinit.readthedocs.io/en/latest/howto/disable_cloud_init.html

      resolv.conf itself should be managed by systemd-resolved on any modern Ubuntu Server release. And that service will use the DNS settings provided by netplan.

      With cloud-init disabled, you should have the freedom to create/edit configuration files in /etc/netplan and apply changes with netplan apply.