Friday, September 19, 2025

Debian 13: using systemd-resolved to replace the old way of resolving DNS

Install systemd-resolved 

# apt-get install systemd-resolved

Enable it

# systemctl enable systemd-resolved

Old-fashioned /etc/resolv.conf

# Generated by NetworkManager
nameserver 45.90.28.186
nameserver 8.8.8.8
nameserver 1.1.1.1

Edit the configuration file /etc/systemd/resolved.conf (these settings go in its [Resolve] section)

DNS=45.90.28.186 8.8.8.8 1.1.1.1
DNSOverTLS=yes

Optional: append #hostname to each server so that its TLS certificate is validated against that name

DNS=45.90.28.186 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
DNSOverTLS=yes

Enable systemd-resolved in Network Manager by editing /etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifupdown,keyfile
dns=systemd-resolved

Restart Network Manager

# systemctl restart NetworkManager

Restart systemd-resolved

# systemctl restart systemd-resolved

Test it

# nslookup duckduckgo.com
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:    duckduckgo.com
Address: 20.43.161.105

Done. This configuration can be used to protect your DNS resolution from DNS query hijacking.
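
A mistyped server address or a non-strict DNSOverTLS value is easy to miss in the configuration above. The following audit is an added example, not part of the original post; the function name and the sample config are constructed for illustration, and it only handles the plain "address" and "address#name" forms used on this page.

```python
import ipaddress

TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

def audit_resolved_conf(text):
    """Audit resolved.conf content (a string); return a list of findings."""
    findings, section, servers, dot = [], None, [], "no"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section != "Resolve":
            findings.append(f"{key}: outside the [Resolve] section")
        elif key == "DNS":
            # Repeated DNS= lines accumulate; an empty value resets the list.
            servers = servers + value.split() if value else []
        elif key == "DNSOverTLS":
            dot = value.lower()
    if dot == "opportunistic":
        findings.append("DNSOverTLS: opportunistic mode can fall back to plaintext")
    elif dot not in TRUE_VALUES:
        findings.append("DNSOverTLS: not enabled, queries leave in plaintext")
    for entry in servers:
        addr, _, name = entry.partition("#")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{addr}: not a valid IP address")
            continue
        if not name:
            findings.append(f"{addr}: no #name, certificate is checked against the IP")
    return findings

# Constructed sample: one server without a name, one malformed IPv6 address,
# and the downgradable opportunistic mode.
SAMPLE = """\
[Resolve]
DNS=45.90.28.186 8.8.8.8#dns.google 2606:4700:4700:1001#cloudflare-dns.com
DNSOverTLS=opportunistic
"""

if __name__ == "__main__":
    for finding in audit_resolved_conf(SAMPLE):
        print(finding)
```

To audit the live file, pass the contents of /etc/systemd/resolved.conf to audit_resolved_conf(); drop-in files are not read by this example.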

Handy diagnostics guide:  

Dig

# dig duckduckgo.com @1.1.1.1 +short
safe.duckduckgo.com.
202.169.44.80

Nslookup

# nslookup duckduckgo.com 8.8.8.8
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
duckduckgo.com    canonical name = safe.duckduckgo.com.
Name:    safe.duckduckgo.com
Address: 202.169.44.80
Name:    safe.duckduckgo.com
Address: 2404:8000:11:2::2 

Whois

# whois 202.168.44.80 
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '202.168.0.0 - 202.168.63.255'

% Abuse contact for '202.168.0.0 - 202.168.63.255' is 'hostmaster@tpgtelecom.com.au'

inetnum:        202.168.0.0 - 202.168.63.255
netname:        TPG-AU
descr:          TPG Internet Pty Ltd.
country:        AU
org:            ORG-TIPL2-AP
admin-c:        TH178-AP
tech-c:         TH178-AP
abuse-c:        AT937-AP
status:         ALLOCATED PORTABLE
remarks:        Australian Internet Service Provider (ISP)
remarks:        http://www.tpg.com.au

Curl

# curl -I https://www.duckduckgo.com
curl: (7) Failed to connect to www.duckduckgo.com port 443 after 4129 ms: Could not connect to server

Note: curl and whois show duckduckgo.com being directed to the wrong address.