From cf20f4462ad09ad513a0a860534c6279bcbb3d26 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Sat, 20 May 2023 11:53:34 +0200
Subject: [PATCH] chore: use manually configured dns servers in systemd-resolved
---
 knowledge base/systemd.md | 42 ++++++++++++++++++++++++++++++++++++-
 knowledge base/turris os.md | 19 +++++++++++++++--
 2 files changed, 58 insertions(+), 3 deletions(-)
diff --git a/knowledge base/systemd.md b/knowledge base/systemd.md
index abab0a8..7908e06 100644
--- a/knowledge base/systemd.md
+++ b/knowledge base/systemd.md
@@ -110,6 +110,9 @@ journalctl --disk-usage
 sudo journalctl --vacuum-size='1G'
 sudo journalctl --vacuum-time='1years'
+# Show the current time settings.
+timedatectl
+
 # List available timezones.
 timedatectl list-timezones
@@ -134,7 +137,7 @@ sudo timedatectl set-ntp false
 # Check the time and timezones state.
 timedatectl status
-# Show the current hostname state.
+# Show the current hostname settings.
 hostnamectl
 hostnamectl --pretty status
 hostnamectl --static status
@@ -142,6 +145,20 @@ hostnamectl --static status
 # Set hostnames.
 hostnamectl set-hostname 'static_hostname' --static
 hostnamectl set-hostname 'pretty_hostname' --pretty
+
+# Show the current DNS resolution settings.
+resolvectl status
+resolvectl status 'eth0'
+
+# Get an address-ip resolution and viceversa.
+resolvectl query 'www.0pointer.net'
+resolvectl query '85.214.157.71'
+
+# Retrieve PGP keys.
+resolvectl openpgp 'zbyszek@fedoraproject.org'
+
+# Restart the DNS resolver.
+sudo systemctl restart 'systemd-resolved.service'
 ```
 ## User services
@@ -208,6 +225,29 @@ Storage=persistent
 sudo service 'network-manager' restart
 ```
+### Ignore the DNS servers list given by the DHCP server
+
+Set the following lines in any network-specific file for which you want to ignore DNS servers from DHCP (like `/etc/systemd/network/eth0.network`), or in the global settings (`/etc/systemd/resolved.conf` or any file in `/etc/systemd/resolved.conf.d/`):
+
+```ini
+[DHCP]
+UseDNS=false
+```
+
+Restarting the `systemd-resolved` service seems to not be enough. Restarting the host changed the settings.
+
+### Manually set DNS servers
+
+Set the following lines in the global settings (`/etc/systemd/resolved.conf` or any file in `/etc/systemd/resolved.conf.d/`), or in any network-specific file you want to set DNS servers for (like `/etc/systemd/network/eth0.network`):
+
+```ini
+[Resolve]
+DNS=192.168.1.1 # Local router
+FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 # Cloudflare
+```
+
+Restart the `systemd-resolved` service to apply the new settings.
+
 ## Sources
 - [How to disable systemd-resolved in Ubuntu]
diff --git a/knowledge base/turris os.md b/knowledge base/turris os.md
index bc4e0c2..44e4999 100644
--- a/knowledge base/turris os.md
+++ b/knowledge base/turris os.md
@@ -329,7 +329,7 @@ Install and configure Pi-hole in the container:
 hostnamectl set-hostname 'pi-hole'
 # Install pi-hole.
-DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'ca-certificates' 'curl'
+DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'ca-certificates' 'curl' 'unattended-upgrades'
 curl -sSL 'https://install.pi-hole.net' | bash
 # Follow the guided procedure.
@@ -339,6 +339,20 @@ curl -sSL 'https://install.pi-hole.net' | bash
 # Update pi-hole as a whole, if needed.
 /etc/.pihole/pihole -up
+
+# Set the router as the primary DNS server.
+sed -E -i.bak 's|^#?\s*DNS\s*=\s*.*$|DNS=192.168.1.1|' '/etc/systemd/resolved.conf'
+
+# Set Cloudflare as the fallback DNS server.
+# Optional.
+sed -E -i.bak 's|^#?\s*FallbackDNS\s*=\s*.*$|FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 # Cloudflare|' '/etc/systemd/resolved.conf'
+
+# Set the interface to ignore DNS lists given by the DHCP server.
+cp '/etc/systemd/network/eth0.network' '/etc/systemd/network/eth0.network.bak'
+cat >> '/etc/systemd/network/eth0.network' <
@@ -349,7 +363,7 @@ Then, in Turris OS:
 # Keep the router as secondary.
 uci set dhcp.lan.dhcp_option='6,192.168.111.2,192.168.111.1'
-# The dns server address in the IPv6 RA should be the container's ULA address
+# The DNS server address in the IPv6 RA should be the container's ULA address
 # since the global routable IPv6 address tend to change daily.
 uci add_list dhcp.lan.dns="$(lxc-info --name pi-hole | grep -E 'IP.* f[cd]' | sed 's/IP: *//')"
@@ -366,6 +380,7 @@ Suggestions:
 - [SSH]:
 - Change the SSH port from the default `22` value.
 - Restrict login to specific IP addresses.
+ - Restrict authentication options to keys.
 ## The SFP+ caged module