Configure systemd-resolved to use a specific DNS nameserver for a given domain

Configure systemd-resolved to use a specific DNS nameserver for a given domain.md

Configure systemd-resolved to use a specific DNS nameserver for a given domain

Use case

Given

• I use a VPN to connect to my work network
• I'm on a Linux computer that uses systemd-resolved
• I have a work domain called example.com
• example.com is hosted by both public and private DNS nameservers
• Both public and private nameservers claim to be authoritative for example.com
• There are no public hosts in example.com
• The public resolvers for example.com resolve all queries to a parked hosting webpage
• The private resolvers for example.com contain all correct DNS records for private hosts

I need to

• Resolve private hosts in example.com when connected to VPN

(Note that this should also work for pointing DNS-blocked domains at different, non-blocked nameservers)

Solution

systemd-resolved now has the ability to specify nameservers for specific domains. Until recently this was not the case, systemd-resolved leaned on NetworkManager, which used dnsmasq for this purpose.

If you were already doing something like this to accomplish this task, first undo all of that. We're not going to use NetworkManager/dnsmasq.

In your systemd-resolved config, which for me is at /etc/systemd/resolved.conf (Fedora), make sure you have this (assuming example.com private nameservers are 10.0.0.1 and 10.0.0.2)

[Resolve]
DNS=10.0.0.1 10.0.0.2
Domains=~example.com

Note the tilde, that makes systemd-resolved do something special. According to the man page:

Specified domain names may optionally be prefixed with "~". In this case they do not define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured with the system DNS= setting (see above), in case additional, suitable per-link DNS servers are known.

Restart systemd-resolved and you should be in business.

Other domains use default resolvers.

But setting DNS=10.0.0.1 10.0.0.2 is a global configuration, its true for all queries.

We can check this by doing some tcpdumping and running drill queries.

Here is my config:

[Resolve]
DNS=10.253.253.253
Domains=~tp.private ~telecomplus.internal

And resolvectl shows:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.253.253.253
         DNS Servers: 10.253.253.253
Fallback DNS Servers: 1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
          DNS Domain: ~telecomplus.internal ~tp.private

Now I fire off a drill query: $ drill mer-prd-rdsh14.tp.private

And see it come though on my wireguard interface:

$ sudo tcpdump -n -i wg5 -v dst 10.253.253.253
tcpdump: listening on wg5, link-type RAW (Raw IP), snapshot length 262144 bytes
14:02:38.696029 IP (tos 0x0, ttl 64, id 58942, offset 0, flags [DF], proto UDP (17), length 71)
    10.90.208.3.51989 > 10.253.253.253.53: 25402+ A? mer-prd-rdsh14.tp.private. (43)

Now I query some other domain: $ drill porkiepie.com

And the query still goes to my globally set resolver: 10.253.253.253

14:03:04.832655 IP (tos 0x0, ttl 64, id 63171, offset 0, flags [none], proto UDP (17), length 70)
    10.90.208.3.53537 > 10.253.253.253.53: 37446+ [1au] A? porkiepie.com. (42)

If I drop my routes to 10.253.253.253, and try to query: $ drill exmaple.com

14:16:49.444783 lo    In  IP (tos 0x0, ttl 64, id 25792, offset 0, flags [DF], proto UDP (17), length 57)
    127.0.0.1.43650 > 127.0.0.53.53: 25378+ A? exmaple.com. (29)
14:16:49.445140 wlan0 Out IP (tos 0x0, ttl 64, id 7787, offset 0, flags [none], proto UDP (17), length 57)
    192.168.1.76.50415 > 10.253.253.253.53: 36000+ A? exmaple.com. (29)
14:16:49.445208 wlan0 Out IP (tos 0x0, ttl 64, id 61977, offset 0, flags [none], proto UDP (17), length 68)
    192.168.1.76.43582 > 217.169.20.21.53: 48708+ [1au] A? exmaple.com. (40)
14:16:49.475123 wlan0 In  IP (tos 0x0, ttl 61, id 22812, offset 0, flags [none], proto UDP (17), length 100)
    217.169.20.21.53 > 192.168.1.76.43582: 48708 2/0/1 exmaple.com. A 104.18.145.11, exmaple.com. A 104.18.144.11 (72)
14:16:49.475337 lo    In  IP (tos 0x0, ttl 1, id 64858, offset 0, flags [DF], proto UDP (17), length 89)
    127.0.0.53.53 > 127.0.0.1.43650: 25378 2/0/0 exmaple.com. A 104.18.145.11, exmaple.com. A 104.18.144.11 (61)

We still try to resolve against 10.253.253.253, fail and try 217.169.20.21 which is the resolved I get from my home router for the wifi link:

Link 4 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 217.169.20.21
       DNS Servers: 217.169.20.21 217.169.20.20 2001:8b0::2021 2001:8b0::2020

Yeah I don't see how this will work which is quite unfortunate -.-

You want a systemd-networkd.service, like this:

[Match]
Name=wg5

[Network]
DNS=10.253.253.253
Domains=~telecomplus.internal ~tp.private

You still need to tie this config to an interface, but interface doesn't need to exist for the service to be "active".

@george-angel can you elaborate on how to set this up and why it works? What does wg5 stand for? I'm using NetworkManager and a dummy interface in the meantime which seems to work fine for my use case. It is important to me that only the matching requests are sent to that DNS server, when I tried the suggested setup with resolved.conf I could resolve the needed Domains but only because all DNS requests were sent to the specific DNS server. (It happily resolves everything but I don't want to use it for everything.)

The way it works with networkd - the specific resolver is tied to an interface, I don't really like it, but thats the way it is.

In my case wg5 is the interface name for the wireguard interface I create that routes my private subnets. I think you can replace that name with your "dummy" reference.

More info here: https://wiki.archlinux.org/title/systemd-networkd

sudo resolvectl dns eth0 8.8.8.8 8.8.4.4
resolvectl dns eth0

thanks, you save my day ;)