Fedora 33 will switch to systemd-resolved for name resolution.

systemd-resolved ships with a bundled list of DNS servers that it uses when the network settings are misconfigured, i.e. when DHCP doesn't provide a DNS address, and probably in other cases too, for instance when you intentionally don't set a DNS address in the network configuration.

These DNS servers are called FallbackDNS. You can see them with this command:

$ systemd-resolve --status

Global
       LLMNR setting: resolve             
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
Fallback DNS Servers: 1.1.1.1             
                      8.8.8.8             
                      1.0.0.1             
                      8.8.4.4             
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
...

As you can see, these addresses are owned by Google and Cloudflare.

This has raised some concerns. The systemd developers as well as the Fedora maintainer seem unwilling to change this default behavior. After all, these are the most reliable publicly accessible DNS addresses, and a fallback DNS is better than resolution errors.

In normal circumstances you will probably contact these fallback DNS servers only in some edge cases. However, a DNS server is always configured, even if you intentionally left the corresponding field blank in the network configuration.

Anyway, you may want to avoid ever contacting Google and Cloudflare, for all the valid reasons you could have, which I will not discuss in this post.

How to change the bundled FallbackDNS addresses

It is pretty easy to change the default FallbackDNS values. Edit the resolved.conf file:

sudo $EDITOR /etc/systemd/resolved.conf

Uncomment and edit the FallbackDNS option.

...
FallbackDNS=
...

You can leave it empty, or you can add some addresses you trust:

FallbackDNS=91.239.100.100 84.200.69.80 84.200.70.40

Then restart the resolved service.

sudo systemctl restart systemd-resolved.service

Check the result:

$ systemd-resolve --status
Global
       LLMNR setting: resolve       
MulticastDNS setting: no            
  DNSOverTLS setting: no            
      DNSSEC setting: no            
    DNSSEC supported: no            
Fallback DNS Servers: 91.239.100.100
                      84.200.69.80  
                      84.200.70.40  
...
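
A check for the procedure above, as an added example that is not part of the original post: it classifies the FallbackDNS setting of a resolved.conf-style file as builtin (the bundled list applies), empty, or a custom list, and flags any address taken from the bundled list shown earlier. The function names are hypothetical, only the single file passed in is read (drop-in directories are ignored), and the reset-on-empty handling of repeated assignments is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.
# Bundled addresses, copied from the status output shown in the post.
BUNDLED="1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4 2606:4700:4700::1111 \
2001:4860:4860::8888 2606:4700:4700::1001 2001:4860:4860::8844"

# Print "builtin" if FILE has no active FallbackDNS= line under [Resolve],
# "empty" if it is set to nothing, otherwise the configured addresses.
# Assumption: an empty assignment resets the list, later ones append to it.
fallback_dns_state() {
    awk '
        /^[ \t]*[#;]/ { next }    # commented-out lines are inactive
        /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*FallbackDNS[ \t]*=/ {
            seen = 1
            sub(/^[ \t]*FallbackDNS[ \t]*=[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            if ($0 == "") list = ""
            else list = (list == "" ? $0 : list " " $0)
        }
        END {
            gsub(/[ \t]+/, " ", list)
            if (!seen) print "builtin"
            else if (list == "") print "empty"
            else print list
        }
    ' "$1"
}

# Exit 0 if FILE still leads to one of the bundled addresses.
uses_bundled() {
    state=$(fallback_dns_state "$1")
    [ "$state" = "builtin" ] && return 0
    for addr in $state; do
        for b in $BUNDLED; do
            [ "$addr" = "$b" ] && return 0
        done
    done
    return 1
}

# Constructed sample: a custom resolver from the post plus one bundled address.
sample=$(mktemp)
printf '[Resolve]\n#FallbackDNS=\nFallbackDNS=91.239.100.100 8.8.8.8\n' > "$sample"
echo "state: $(fallback_dns_state "$sample")"
uses_bundled "$sample" && echo "a bundled resolver is still reachable as fallback"
rm -f "$sample"
```

Running `fallback_dns_state /etc/systemd/resolved.conf` after the edit should print the addresses you configured, or `empty` if you left the option blank.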