• 0 Posts
  • 2 Comments
Joined 1 year ago
cake
Cake day: August 4th, 2023

help-circle
  • Modern browsers use their buit-in DNS settings which adds to the confusion.

    There’s no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there’s a toggle to turn it off, I’m okay with that.

    How do you think it should be fixed?

    The Tailscale folks speak of systemd-resolved positively: and it works well for my own use case.

    Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (~home.arpa for virtual machines and ~lan for machines in my home network).

    There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I’ll have to enable DNSDefaultRoute= in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It’s a lot of steps but I can automate most of them with a script for now.

    Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.