How do I remove the default DNS fallback blob from systemd?

suber · 6 August 2024 17:26

Good day and/or evening.
Does anyone know how to completely remove or replace the Google and Cloudflare DNS fallback from systemd?
There is no fallback activated in the file:

/etc/systemd/resolved.conf

So why is it that after the command:
resolvectl status

“Current DNS Server” is what I entered curently as the active DNS myself via:
/etc/systemd/resolved.conf.d/upstream.conf

I haven’t defined a fallback myself yet because I understood that he would simply select another one from my upstream.conf
And now that he’s rubbed this blob in my face, I’m going to make it my own private matter and want to remove it completely before I define a fallback myself.

Does anyone have any idea how?

By the way, I set DNS and systemd-resolved to false in
/etc/NetworkManager/conf.d/nodns.conf


  GNU nano 8.1                       /etc/NetworkManager/conf.d/nodns.conf                                   
[main]
dns=none
systemd-resolved=false

This was advised to me in a DNS tutorial.

mithrial · 6 August 2024 19:07

You can add a drop-in (override) and set FallbackDNS= (empty).

suber · 6 August 2024 19:35

In which file?
Where is the configuration file for the fallback actually located? I would like to have it completely out or off.

anon33601770 · 6 August 2024 19:53

Those are compile time defaults.
It even says so in the file.
If you don’t change them, this is what will be.

remove the # in front of the line and put your own - or leave empty
(don’t know what will happen when empty - no fallback would be my guess)

mithrial · 6 August 2024 20:38

Here is the setting, if you want to compile systemd yourself:

github.com

systemd/systemd/blob/68511cebe58977ea68ae4f57c6462e979efd1cff/docs/DISTRO_PORTING.md?plain=1#L64


      
          
          If you prefer to use leap second steps, please register your own
          vendor pool at ntp.org and make it the built-in default by
          passing `-Dntp-servers=` to meson.
          Registering vendor pools is
          [free](http://www.pool.ntp.org/en/vendors.html).
          
          Use `-Dntp-servers=` to direct systemd-timesyncd to different fallback
          NTP servers.
          
          ## DNS Servers
          
          By default, systemd-resolved uses Cloudflare and Google Public DNS servers
          `1.1.1.1`, `8.8.8.8`, `1.0.0.1`, `8.8.4.4`, `2606:4700:4700::1111`, `2001:4860:4860::8888`, `2606:4700:4700::1001`, `2001:4860:4860::8844`
          as fallback, if no other DNS configuration is available.
          
          Use `-Ddns-servers=` to direct systemd-resolved to different fallback
          DNS servers.
          
          ## PAM

suber · 6 August 2024 23:27

I’ll find out. And then tell you how I did it.

cscs · 7 August 2024 00:18

I use the fallback (with systemd-resolved) as

/etc/systemd/resolved.conf.d/fallback_dns.conf

[Resolve]
FallbackDNS=1.1.1.1 1.0.0.1
Domains=~.

ben75 · 7 August 2024 02:33

Remove the # in the FallbackDNS line and delete the rest of the line after =

suber · 7 August 2024 11:32

I now understand a little more about resolved configuration.
When @anon33601770 pointed me to the description within
/etc/systemd/resolved.conf, I followed the description.
It says that you should create a resolved.conf in /etc/systemd/resolved.conf.d/.

So I created it and equipped it with the standard drop-ins and my own DNS servers.

  GNU nano 8.1                     /etc/systemd/resolved.conf.d/resolved.conf                                
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
#Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
#
#DNS=
FallbackDNS=empty
#Domains=
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0

I also activated a special DNS there to understand which configuration file Resolved prefers when it makes a DNS query.
Because in /etc/systemd/resolved.conf.d/ I still had my upstream.conf in which I also activated [resolve].

Now I know that systemd prefers /etc/systemd/resolved.conf.d/resolved.conf over the upstream.conf or other files stored there.

This now shows us resolvectl status

$ resolvectl status                                                                          ✔ 
Global
         Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: foreign
Current DNS Server: 78.46.244.143#dot-de.blahdns.com
       DNS Servers: 78.46.244.143#dot-de.blahdns.com 45.91.92.121#dot-ch.blahdns.com
                    185.95.218.42#dns.digitale-gesellschaft.ch 185.95.218.43#dns.digitale-gesellschaft.ch

Link 2 (enp4s0)
    Current Scopes: LLMNR/IPv4 mDNS/IPv4
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported

The upstream.conf is used as an additional source if [resolve] is active in it.
This brings me to the conclusion that in /etc/systemd/resolved.conf.d/ you can generally very easily create your own rules in your own files for different purposes. You can write everything in one file that you then call resolved.conf, or into multiple files without using a resolved.conf.

As long as [resolve] is enabled within the file and some rules, for example FallbackDNS=empty (overrides disabled systemd Blob FallbackDNS) or DNSOverTLS=yes, are enabled.
It also uses these to find itself.

Current DNS Server: is always what was defined in the resolved.conf.
DNS Servers: are all DNS servers from all files in which [resolve] was activated, and these are automatically used as a fallback!

Who should I tell about the solution now? Everyone helped a little. But @mithrial left the tip empty. I do it FallbackDNS=empty in my new /etc/systemd/resolved.conf.d/resolved.conf
Which was ultimately the most effective.

But @cscs showed me that you can simply write any file in there yourself. And activate it with [resolve].

linux-aarhus · 7 August 2024 11:40

Please do not provide screenshots of text - let alone screenshots of default configuration files.

Do not post images or screenshots as part of your topic. The forum is a technical forum not an image gallery.
– Forum Rules - Manjaro

Please remove all those unnecessary scrrenshots.

suber · 7 August 2024 11:45

I changed it.
@linux-aarhus I can remove the screenshots from my main post, but I no longer have the original errors, so I can no longer insert them as text.

mithrial · 7 August 2024 11:47

Just to clarify, the line should be

FallbackDNS=

(Not “empty” but literally empty)

suber · 7 August 2024 11:50

Yes, but both work. I see empty as a note.

ben75 · 7 August 2024 21:59

systemd sees “empty” as an invalid configuration option. Just leave it blank after FallbackDNS=

suber · 8 August 2024 00:33

It doesn’t hurt anyone. Ouch…
And I know that.

system · 11 August 2024 00:34

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.