Re: [gentoo-user] Systemd to manage (DNS) security?

Tue, 07 Jun 2016 02:54:07 -0700 

On Mon, Jun 6, 2016 at 8:19 PM, Rich Freeman <[email protected]> wrote:
> On Mon, Jun 6, 2016 at 12:29 PM, James <[email protected]> wrote:
>>
>> https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html
>
> That's pretty old news. In any case, you certainly don't need to use
> systemd as your DNS resolver if you don't want to.
>
> Systemd also doesn't touch /etc/resolv.conf contrary to what that
> email states. It only touches /run/systemd/resolve/resolv.conf which
> does absolutely nothing on its own unless you choose to symlink
> /etc/resolv.conf to it. The obvious options using systemd and
> resolv.conf are:
>
> 1. Don't use it at all - just put whatever you want in
> /etc/resolv.conf and it works like you'd expect it to.
>
> 2. Have systemd-networkd populate /run/systemd/resolve/resolv.conf
> with whatever DNS servers were discovered using DHCP and then symlink
> that to /etc/resolv.conf so that your system uses it. This is
> basically the behavior you typically expect from the likes of dhcpcd
> and such but instead of tampering with a file in /etc it just messes
> with a transient file in /run.

It's resolved that populates "/run/systemd/resolve/resolv.conf".

In the past, if you used "DNS=..." in a .network unit, networkd would
populate "/etc/resolv.conf".

>From an old man page of systemd.network:

DNS=
           A DNS server address, which must be in the format described in
           inet_pton(3). This option may be specified more than once.

>From a new man page of systemd.network:

DNS=
           A DNS server address, which must be in the format described in
           inet_pton(3). This option may be specified more than once. This
           setting is read by systemd-resolved.service(8).


> 3. Run systemd-resolved as a caching forwarding-only DNS server and
> have that end up in /run/systemd/resolve/resolv.conf.

IIUC, resolved'll be a dns server if you have nss-resolve installed
(which, looking at the systemd ebuild, seems to be included by default
because there isn't a use flag for it and there's no script removing
it) and if you change "hosts: files dns" to "hosts: files resolve" in
"/etc/nsswitch.conf". Otherwise, resolved is basically an openresolv
replacement.

Reply via email to