
[Question] Is possible to use doh-client with systemd-resolved?

Open EliasTheGrandMasterOfMistakes opened this issue 1 year ago • 5 comments

Is there a way to use doh-client without disabling systemd-resolved?

The reason is systemd-resolved is occupying the DNS related ports.

One good news is systemd-resolved supports DoT out of the box. I am not sure whether anyone can persuade its developers to support DoH within itself as well.

m13253 avatar Dec 30 '24 01:12 m13253

> The reason is systemd-resolved is occupying the DNS related ports.
>
> One good news is systemd-resolved supports DoT out of the box. I am not sure whether anyone can persuade its developers to support DoH within itself as well.

Thank you. In this case, can I just disable systemd-resolved and use doh-client as a replacement? Or is there a way to change doh-client's server port and make systemd-resolved use localhost as DNS with the port used by doh-client?

> Thank you. In this case, can I just disable systemd-resolved and use doh-client as a replacement?

Yes.

> Or is there a way to change doh-client's server port and make systemd-resolved use localhost as DNS with the port used by doh-client?

On the doh-client side, yes you can. On the systemd-resolved side, I don't know if you can specify a port number. You can try whether it works.

m13253 avatar Jan 07 '25 19:01 m13253

I'm using systemd-resolved with doh-client as upstream:

# /etc/systemd/resolved.conf.d/upstream-doh-client.conf
[Resolve]
DNS=127.0.0.1:5380 [::1]:5380
DNSOverTLS=no
Domains=~.

And make sure to not listen on port 53 with doh-client:

#/etc/dns-over-https/doh-client.conf
listen = [
    "127.0.0.1:5380",
    "[::1]:5380",
]
...

With this, systemd-resolved uses doh-client as upstream.

If you want to be able to use systemd-resolved's cache, set

Cache=yes
CacheFromLocalhost=yes

Otherwise, it would not cache the results.

bermeitinger-b avatar Feb 03 '25 10:02 bermeitinger-b

You could also disable systemd-resolved's stub resolver - as you will not use it, why pay for it.

In /etc/systemd/resolved.conf adjust these two options:

  • DNS=::1 - use a locally running resolver (it will look on port 53 by default and dns-over-https runs on port 53 by default)
  • DNSStubListener=no - disable the stub, lest dns-over-https will terminate itself, when the stub occupies port 53

I think this is the more straightforward solution over running two resolvers but only using one.

While there, you might also want to set DNSSEC=yes, if all servers you selected in /etc/dns-over-https/doh-client.conf support it, lest systemd-resolved may not ask dns-over-https to verify it.

Zsar avatar Jul 10 '25 17:07 Zsar
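The two replies above describe two different pairings (doh-client on port 5380 behind the resolved stub, or doh-client on port 53 with the stub disabled) and name the ways they break: a port-53 collision with the stub, a DNS= upstream that doh-client is not actually listening on, DNSOverTLS= forced on against a plain-DNS loopback upstream, and answers from localhost not being cached. The following checker, an added example that is not part of the dns-over-https project or of either commenter's post, parses a resolved.conf drop-in and the `listen` array from doh-client.conf and reports those pitfalls. The sample fragments embedded in it are constructed from the configurations quoted in this thread; the function names and the yes/no value sets it accepts are assumptions of this example, not systemd's parser.

```python
"""Consistency check for a systemd-resolved + doh-client pairing (added example)."""
import re

# Constructed sample: the port-5380 variant from the thread, plus the two cache keys.
RESOLVED_CONF_5380 = """
[Resolve]
DNS=127.0.0.1:5380 [::1]:5380
DNSOverTLS=no
Domains=~.
Cache=yes
CacheFromLocalhost=yes
"""
DOH_CLIENT_CONF_5380 = """
listen = [
    "127.0.0.1:5380",
    "[::1]:5380",
]
"""

# Constructed sample: the stub-disabled variant, doh-client on the default port 53.
RESOLVED_CONF_STUB_OFF = """
[Resolve]
DNS=::1
DNSStubListener=no
DNSSEC=yes
"""
DOH_CLIENT_CONF_53 = """
listen = [
    "127.0.0.1:53",
    "[::1]:53",
]
"""

YES = ("yes", "true", "1", "on")


def parse_resolved(text):
    """Return the key=value pairs of the [Resolve] section (last value wins)."""
    opts, in_resolve = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_resolve = line == "[Resolve]"
            continue
        if in_resolve and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def parse_listen(text):
    """Collect the quoted addresses of the doh-client `listen = [ ... ]` array.

    Parsed line by line because an IPv6 literal such as "[::1]:5380" contains
    a closing bracket and would confuse a single regex over the whole array.
    """
    addrs, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("listen"):
            inside = True
            s = s.split("=", 1)[1]
        if inside:
            addrs += re.findall(r'"([^"]+)"', s)
            if s.endswith("]"):
                inside = False
    return addrs


def split_hostport(addr, default_port=53):
    """Split '127.0.0.1:5380', '[::1]:5380' or a bare '::1' into (host, port)."""
    m = re.fullmatch(r"\[([^\]]+)\]:(\d+)", addr)
    if m:
        return m.group(1), int(m.group(2))
    m = re.fullmatch(r"([0-9.]+):(\d+)", addr)
    if m:
        return m.group(1), int(m.group(2))
    return addr.strip("[]"), default_port  # no port given: resolved assumes 53


def check(resolved_text, doh_text):
    """Return a list of problems; an empty list means the pair should work."""
    r = parse_resolved(resolved_text)
    listens = {split_hostport(a) for a in parse_listen(doh_text)}
    problems = []
    # Stub listener is on by default; doh-client on :53 then fails to bind.
    stub_on = r.get("DNSStubListener", "yes").lower() in YES
    if stub_on and any(port == 53 for _, port in listens):
        problems.append("doh-client listens on port 53 while the resolved stub is enabled")
    upstreams = {split_hostport(a) for a in r.get("DNS", "").split()}
    if not upstreams:
        problems.append("DNS= is empty: resolved has no upstream")
    for host, port in sorted(upstreams - listens):
        problems.append(f"DNS= upstream {host}:{port} is not a doh-client listen address")
    # doh-client serves plain DNS on loopback; requiring DoT would break resolution.
    if r.get("DNSOverTLS", "no").lower() in YES:
        problems.append("DNSOverTLS=yes requires a TLS upstream, but doh-client serves plain DNS")
    return problems


def caching_enabled(resolved_text):
    """True only if resolved will cache answers from a localhost upstream."""
    r = parse_resolved(resolved_text)
    return (r.get("Cache", "yes").lower() in YES
            and r.get("CacheFromLocalhost", "no").lower() in YES)


if __name__ == "__main__":
    for name, rc, dc in (("port-5380 variant", RESOLVED_CONF_5380, DOH_CLIENT_CONF_5380),
                         ("stub-off variant", RESOLVED_CONF_STUB_OFF, DOH_CLIENT_CONF_53)):
        print(name, "->", check(rc, dc) or "OK", "| cache:", caching_enabled(rc))
```

Both thread configurations pass; the second one reports caching as off because CacheFromLocalhost defaults to no, which is exactly the point of the extra two lines in the first reply. Feeding it a drop-in that sets DNS=::1 without DNSStubListener=no, paired with a doh-client still on port 53, reproduces the collision the second reply warns about.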