Generated by GPT-5-mini

| systemd-resolved | |
|---|---|
| Name | systemd-resolved |
| Developer | Lennart Poettering / systemd project |
| Released | 2013 |
| Operating system | Linux |
| License | LGPL |

systemd-resolved is a network name resolution service component of the systemd ecosystem designed to provide DNS, Multicast DNS, and LLMNR resolution for Linux systems. It offers a unified resolver API for applications via D-Bus and the GNU C library's NSS interfaces, and coordinates with network configuration tools such as NetworkManager, systemd-networkd, and netplan. The service aims to replace disparate resolvers used by distributions like Debian, Ubuntu, and Fedora while interacting with container frameworks such as Docker and Kubernetes.
systemd-resolved functions as a local caching stub resolver and lookup dispatcher, mediating between applications and upstream recursive resolvers such as BIND, Unbound, and public services like Google Public DNS and Cloudflare DNS. It implements name resolution protocols including conventional DNS defined by DNS standards from the IETF and link-local discovery protocols such as mDNS and LLMNR. As part of the systemd suite initiated by Lennart Poettering and collaborators, it integrates with modern init systems and network managers used across distributions including RHEL and openSUSE.
systemd-resolved provides per-link DNS configuration, DNS caching, DNSSEC validation support when paired with validators like Unbound, DNS-over-TLS transport compatibility for encrypted resolution against providers such as Cloudflare and Google Public DNS, and split-horizon resolution for multi-homed hosts often used in enterprise deployments such as Microsoft Active Directory environments. It supports DNS search domains, resource record types (A, AAAA, SRV, TXT) consistent with RFC 1035 and later IETF standards, and negative caching to reduce repeated failures. The software exposes a D-Bus API consumed by services like systemd-networkd and NetworkManager and works with NSS modules to answer glibc resolver queries, enabling compatibility with applications from Firefox to server daemons like sshd.
Configuration can be performed via per-link settings managed by network stacks such as NetworkManager, static files used by systemd-networkd, or distribution-level tools like netplan on Ubuntu. Administrators may tune caching, DNS server priorities, and fallback servers through D-Bus, command-line utilities, or drop-in configuration snippets analogous to patterns used in systemd-journald. Common operational commands mirror patterns from systemctl and journalctl for service control and logging. Integration examples include binding system resolv.conf to the stub resolver socket at /run/systemd/resolve/stub-resolv.conf or generating compatibility files for legacy software expecting /etc/resolv.conf entries as practiced on Debian and Ubuntu systems.
systemd-resolved is tightly integrated with other systemd components: it cooperates with systemd-networkd to receive per-interface DNS settings, registers on the D-Bus bus used across systemd services, and is managed by systemctl. It interoperates with desktop network management stacks like NetworkManager and cloud-init mechanisms used in EC2 and OpenStack images to ensure consistent DNS policy in virtualized environments. The resolver design follows conventions from the freedesktop.org ecosystem and complements init and service supervision models exemplified by systemd-journald and systemd-timesyncd.
systemd-resolved supports privacy-enhancing transports such as DNS-over-TLS and can be configured to prefer authenticated DNSSEC validation when used with validators like Unbound or BIND configured for validation. Its caching behavior has implications for privacy and leak prevention in multi-tenant scenarios such as containers orchestrated by Kubernetes and Docker; administrators often pair it with network policies enforced by tools like iptables or nftables to restrict outbound DNS. Threat models involving DNS spoofing and man-in-the-middle attacks are mitigated by secure transports and DNSSEC, but operational pitfalls exist when a mix of resolvers, such as systemd-resolved and legacy stub resolvers, coexists on the same system across distributions like Arch Linux and Fedora.
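
The secure-transport and DNSSEC settings mentioned above can be audited on a host. The following is an added example, not code from the systemd project: it reports `DNSOverTLS=` and `DNSSEC=` values in `resolved.conf` that permit a silent downgrade. The function names, the root-prefix argument and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the systemd project): report non-strict DNSOverTLS=
# and DNSSEC= settings. Simplification: only resolved.conf and its drop-ins
# under /etc are read, sections are ignored, and the last assignment wins.

# Print the effective value of key $2 under root prefix $1, or "unset".
effective() {
    val=unset
    for f in "$1/etc/systemd/resolved.conf" "$1"/etc/systemd/resolved.conf.d/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# Print one finding per weak setting; no output means both are strict.
audit_resolved() {
    dot=$(effective "$1" DNSOverTLS)
    sec=$(effective "$1" DNSSEC)
    case "$dot" in
        yes|true|on|1) ;;
        opportunistic) echo "DNSOverTLS=opportunistic: falls back to plaintext DNS" ;;
        *)             echo "DNSOverTLS=$dot: encrypted transport not enforced" ;;
    esac
    case "$sec" in
        yes|true|on|1)   ;;
        allow-downgrade) echo "DNSSEC=allow-downgrade: validation is dropped if the server lacks DNSSEC" ;;
        *)               echo "DNSSEC=$sec: validation not enforced" ;;
    esac
}

# Constructed sample configuration (not from a real host).
demo=$(mktemp -d)
mkdir -p "$demo/etc/systemd/resolved.conf.d"
printf '[Resolve]\nDNSOverTLS=opportunistic\n#DNSSEC=no\n' > "$demo/etc/systemd/resolved.conf"
printf '[Resolve]\nDNSOverTLS=yes\nDNSSEC=allow-downgrade\n' > "$demo/etc/systemd/resolved.conf.d/10-strict.conf"
audit_resolved "$demo"
rm -rf "$demo"
```

Calling `audit_resolved ""` runs the same check against the live `/etc/systemd` tree.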
systemd-resolved aims to reduce latency via local caching and parallel queries to multiple DNS servers, similar in intent to caching resolvers like dnsmasq. Troubleshooting typically involves observing logs via journalctl and inspecting DNS statistics exposed over D-Bus or by querying the stub resolver socket with utilities such as dig and resolvectl. Performance issues can stem from misconfigured /etc/resolv.conf symlinks, conflicting NSS module ordering in glibc, or slow upstream resolvers provided by ISPs such as Comcast or AT&T, and are resolved by adjusting timeouts, reordering DNS servers, or enabling DNS-over-TLS to providers like Cloudflare.
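
The `/etc/resolv.conf` symlink and NSS ordering problems named above, and the compatibility files described in the configuration paragraph, can be checked mechanically. The following is an added example, not code from the systemd project: it classifies where `/etc/resolv.conf` points and whether the `hosts:` line consults `resolve` before `dns`, the order the nss-resolve documentation recommends. The function names, the mode labels and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the systemd project): classify how /etc/resolv.conf
# is wired and check NSS ordering. A root prefix lets it run on a test tree.

# Print the resolv.conf mode under root $1: stub, uplink, static, foreign, missing.
resolv_mode() {
    f="${1:-}/etc/resolv.conf"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            */run/systemd/resolve/stub-resolv.conf) echo stub ;;    # local stub listener
            */run/systemd/resolve/resolv.conf)      echo uplink ;;  # upstream servers, stub bypassed
            */usr/lib/systemd/resolv.conf)          echo static ;;  # stub, no search domains
            *)                                      echo foreign ;; # managed by something else
        esac
    elif [ -e "$f" ]; then
        echo foreign   # regular file written by another tool
    else
        echo missing
    fi
}

# Print ok, resolve-missing, dns-before-resolve or no-hosts-line for nsswitch file $1.
nss_hosts_order() {
    awk '
        /^[ \t]*hosts:/ && !seen {
            seen = 1
            sub(/^[ \t]*hosts:/, "")          # re-splits the remaining fields
            for (i = 1; i <= NF; i++) {
                if ($i == "resolve" && !r) r = i
                if ($i == "dns" && !d) d = i
            }
        }
        END {
            if (!seen)            print "no-hosts-line"
            else if (!r)          print "resolve-missing"
            else if (d && d < r)  print "dns-before-resolve"
            else                  print "ok"
        }' "$1"
}

# Constructed sample tree (not a real host), using a relative symlink.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
ln -s ../run/systemd/resolve/stub-resolv.conf "$demo/etc/resolv.conf"
printf 'hosts: files dns resolve [!UNAVAIL=return]\n' > "$demo/etc/nsswitch.conf"
echo "resolv.conf: $(resolv_mode "$demo")"
echo "nsswitch:    $(nss_hosts_order "$demo/etc/nsswitch.conf")"
rm -rf "$demo"
```

A result of `uplink` or `foreign` means glibc's DNS module talks to the listed servers directly, so resolved's cache and per-link routing are not used for those lookups.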
Adoption of systemd-resolved varies across distributions: Ubuntu and Fedora include it in standard deployments, while distributions such as Debian and openSUSE offer it as an option or configure alternatives like dnsmasq and Unbound for specific use cases. In container and orchestration stacks like Kubernetes and Docker, behavior depends on image base and host resolver configuration; some orchestration platforms recommend bypassing local stub resolvers in favor of cluster DNS services such as CoreDNS or kube-dns. Enterprise environments integrating with Microsoft Active Directory or large ISP infrastructures may prefer tailored resolver setups using BIND or Unbound for advanced policy control and caching.