Configure systemd-resolved to use a specific DNS nameserver for a given domain


Use case


  • I use a VPN to connect to my work network
  • I'm on a Linux computer that uses systemd-resolved
  • I have a work domain called
  • is hosted by both public and private DNS nameservers
  • Both public and private nameservers claim to be authoritative for
  • There are no public hosts in
  • The public resolvers for resolve all queries to a parked hosting webpage
  • The private resolvers for contain all correct DNS records for private hosts

I need to

  • Resolve private hosts in when connected to VPN

(Note that this should also work for pointing DNS-blocked domains at different, non-blocked nameservers)


systemd-resolved now has the ability to specify nameservers for specific domains. Until recently this was not the case: systemd-resolved leaned on NetworkManager, which used dnsmasq for this purpose.

If you were already doing something like this to accomplish this task, first undo all of that. We're not going to use NetworkManager/dnsmasq.

In your systemd-resolved config, which for me is at /etc/systemd/resolved.conf (Fedora), make sure you have this (assuming private nameservers are and


Note the tilde; it makes systemd-resolved do something special. According to the man page:

Specified domain names may optionally be prefixed with "~". In this case they do not define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured with the system DNS= setting (see above), in case additional, suitable per-link DNS servers are known.

Restart systemd-resolved and you should be in business.
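A simplified Python model of the routing rules described in systemd-resolved.service(8), added here as an example (not the gist author's code): it shows which servers receive a query when the global scope carries a `~` route-only domain, including the case where no routing domain matches. The domain `corp.example`, the addresses and the `eth0` link are constructed placeholders; single-label names, LLMNR/mDNS and FallbackDNS= are not modelled.

```python
# Simplified model of systemd-resolved's unicast DNS routing, following the
# rules in systemd-resolved.service(8). All names and addresses below are
# constructed samples, not values from the gist.
from dataclasses import dataclass

@dataclass
class Scope:
    name: str                    # "global" (resolved.conf) or a link name
    dns: list                    # DNS= servers for this scope
    domains: tuple = ()          # Domains= entries, "~" marks route-only
    default_route: bool = True   # stand-in for the link's default-route flag

def labels(domain):
    """Split 'corp.example.' into ['corp', 'example']; '.' gives []."""
    return [part for part in domain.lower().strip(".").split(".") if part]

def match_len(name, domain):
    """Labels in `domain` if `name` equals or ends with it, else -1."""
    n, d = labels(name), labels(domain.lstrip("~"))
    return len(d) if len(d) <= len(n) and n[len(n) - len(d):] == d else -1

def route(name, scopes):
    """Return {scope name: servers} that would receive a query for `name`."""
    best = {s.name: max((match_len(name, d) for d in s.domains), default=-1)
            for s in scopes}
    top = max(best.values(), default=-1)
    if top >= 0:
        # Best-matching routing domain wins; ties are queried in parallel.
        chosen = [s for s in scopes if best[s.name] == top]
    else:
        # No match: default-route links plus the global servers, if any.
        chosen = [s for s in scopes
                  if s.dns and (s.name == "global" or s.default_route)]
    return {s.name: s.dns for s in chosen}

# Global DNS= with a route-only domain, plus a plain uplink link.
GLOBAL = Scope("global", ["192.0.2.53"], ("~corp.example",))
UPLINK = Scope("eth0", ["198.51.100.1"])
# Same link, but claiming everything else with the catch-all "~.".
UPLINK_CATCHALL = Scope("eth0", ["198.51.100.1"], ("~.",))

if __name__ == "__main__":
    for link in (UPLINK, UPLINK_CATCHALL):
        for q in ("git.corp.example", "www.example.org"):
            print(link.domains, q, "->", sorted(route(q, [GLOBAL, link])))
```

On a real host, `resolvectl query <name>` and `resolvectl status` show which link and server actually answered, which is the check to run after changing `Domains=`.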


The way it works with networkd - the specific resolver is tied to an interface, I don't really like it, but that's the way it is.

In my case wg5 is the interface name for the wireguard interface I create that routes my private subnets. I think you can replace that name with your "dummy" reference.

More info here:


leiless commented Dec 30, 2022

sudo resolvectl dns eth0
resolvectl dns eth0


Thanks, you saved my day ;)


I am really surprised it works that way. Is that intentional? You explicitly specify a DNS server and instruct systemd-resolved to use that server for a certain domain only. The output of resolvectl does not even display DefaultRoute, so I am really trying to understand why the DNS server would receive all queries.


I think because DNS in [Resolve] is global config. Even if you specify some Domains there, what is it supposed to use for everything else?

The config it's related to: [Network] - which makes sense there, but makes it less obvious when used in global context, like in /etc/systemd/resolved.conf.

It makes more sense if any of your "per link" config has Domains=~., in which case the more specific Domains config in /etc/systemd/resolved.conf would work as intended.


sudo resolvectl dns ens3
solved the issue, but after restart dns list disappears again.
