I am using `systemd-resolved` on Ubuntu 24 LTS to manage DNS resolution. My goal is to implement split-DNS with the following behavior:

- Single-label names should be resolved by a local `dnsmasq` server at `192.168.2.254` via the `enp8s0` link.
- Fully Qualified Domain Names (FQDNs) ending in `.example.lan` should also be resolved by the local `dnsmasq` server via the `enp8s0` link.
- All other FQDNs should be resolved using the DNS server configured on the `enp1s0` link (provided by my VPS provider).
Current Configuration:

I've made the following changes to achieve this setup:

- In `/etc/systemd/resolved.conf`:

  ```
  [Resolve]
  # Enable single-labels to be forwarded to remote DNS servers
  ResolveUnicastSingleLabel=yes
  ```

- Modified Netplan configuration:
  - Set `DefaultRoute` for only the `enp1s0` VPS-facing link
  - Added DNS server `192.168.2.254` and search domain `example.lan` to `enp8s0`
  - Set
Here's the current output of `resolvectl status`:

```
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp1s0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.10.10.10
DNS Servers: 10.10.10.10

Link 3 (enp8s0)
Current Scopes: DNS
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.2.254
DNS Servers: 192.168.2.254
DNS Domain: example.lan
```
Current Behavior:

- Queries for FQDNs ending in `.example.lan` are correctly sent only to the `enp8s0` DNS server on `192.168.2.254`.
- Queries for all other FQDNs (not ending in `.example.lan`) are correctly sent only to the `enp1s0` DNS server.
- Single-label queries are being sent to DNS servers on both `enp8s0` and `enp1s0` interfaces in parallel.

Expected Behavior:

Single-label queries should only be sent to the DNS server on `enp8s0` (`192.168.2.254`), as it's the only link that has the search domain `example.lan` configured.
According to the `systemd-resolved` man page:

> If a name to look up matches (that is: is equal to or has as suffix) any of the configured routing domains (search or route-only) of any link, or the globally configured DNS settings, "best matching" routing domain is determined: the matching one with the most labels. The query is then sent to all DNS servers of any links or the globally configured DNS servers associated with this "best matching" routing domain.

Question:

Why are single-label queries being sent to both DNS servers, even though `enp8s0` is the only link with a search domain configured, and thus has the most labels?

Is this a bug in version 255 of `systemd-resolved`? If not, how can I ensure that single-label queries are only sent to the DNS server on `enp8s0` and still meet my other 2 requirements?