Setting global DNS and MAC address settings on a Debian-based Linux distribution with systemd-resolved + NetworkManager

I am using a Debian-based Linux distribution, specifically Pop!_OS 22.04 (Ubuntu jammy). I want to set custom DNS and MAC address settings globally, i.e. they should be applied automatically to all network connections, new and existing ones.

Specifically, I want to change the following settings:

  • Enable DNSSEC
  • Enable DNS-over-TLS
  • Change my DNS servers to AdGuard DNS
  • Enable MAC address randomization

So far I have created three files which should make these changes.

/etc/systemd/resolved.conf.d/dns.conf:

DNSSEC=allow-downgrade
DNSOverTLS=opportunistic

/etc/NetworkManager/dns.conf:

# specify dns servers
# ignore dhcp-provided

[ipv4]
dns=94.140.14.14;94.140.15.15;
ignore-auto-dns=true

[ipv6]
dns=2a10:50c0::ad1:ff;2a10:50c0::ad2:ff;
ignore-auto-dns=true

/etc/NetworkManager/mac.conf:

[device]
# randomize mac address when scanning for wifi networks
wifi.scan-rand-mac-address=yes

[connection]
# randomize mac address upon initial network connection
# retain generated mac address for all future reconnections
# (per-network)
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable

After creating these files and rebooting, there is no indication that any changes were made to the network connection.

AdGuard's test page shows that its DNS is "not running".

$ nmcli dev show wlp0s20f3 (the Wi-Fi card):

GENERAL.DEVICE:                         wlp0s20f3
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         C6:F5:1A:8E:84:4D
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     NotYourWiFi
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveC>
IP4.ADDRESS[1]:                         192.168.0.153/24
IP4.GATEWAY:                            192.168.0.1
IP4.ROUTE[1]:                           dst = 192.168.0.0/24, nh = 0.0.0.0, mt >
IP4.ROUTE[2]:                           dst = 169.254.0.0/16, nh = 0.0.0.0, mt >
IP4.ROUTE[3]:                           dst = 0.0.0.0/0, nh = 192.168.0.1, mt =>
IP4.DNS[1]:                             192.168.0.1
IP4.DOMAIN[1]:                          mbfamily.localdomain
IP6.ADDRESS[1]:                         fe80::70e0:14db:aeb6:b6be/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

$ resolvectl status:

Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp0s31f6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp0s20f3)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1
        DNS Domain: mbfamily.localdomain

/etc/resolv.conf:

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search mbfamily.localdomain

/run/systemd/resolve/resolv.conf:

# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 192.168.0.1
search mbfamily.localdomain

$ systemd-analyze cat-config systemd/resolved.conf shows that resolved.conf.d/dns.conf is being read, however:

# /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full co>
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4>
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.go>
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#d>
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

# /etc/systemd/resolved.conf.d/dns.conf
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
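The following is an added example; it is not part of the question or the answer. It writes the two drop-ins into the directories each daemon actually reads (/etc/systemd/resolved.conf.d/ for systemd-resolved, /etc/NetworkManager/conf.d/ for NetworkManager; a file placed directly in /etc/NetworkManager/ is not read as configuration), puts the resolved settings under a [Resolve] header (systemd ignores assignments that appear outside any section, which matches resolvectl still reporting DNSSEC=no and -DNSOverTLS even though systemd-analyze cat-config lists the drop-in), uses NetworkManager's [global-dns-domain-*] servers= key to push the resolvers to every connection, lints both generated files for the missing-header mistake, and checks a MAC address for the locally-administered bit that a randomized address carries. The IP addresses are the ones from the question; the AdGuard DNS-over-TLS hostname dns.adguard-dns.com, the drop-in file names and the DESTROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the question or answer): generate the drop-ins in the
# directories systemd-resolved and NetworkManager actually read, lint them for
# key=value lines outside a [Section] header (systemd silently ignores those),
# and check whether a MAC address looks randomized. Dry-runs into a scratch
# directory unless DESTROOT is set to an empty string.
set -eu

# Addresses from the question. The DoT hostname is an assumption (AdGuard's
# published DNS-over-TLS name); resolved uses it as SNI and for cert validation.
ADGUARD_V4="94.140.14.14 94.140.15.15"
ADGUARD_V6="2a10:50c0::ad1:ff 2a10:50c0::ad2:ff"
ADGUARD_DOT_HOST="dns.adguard-dns.com"

# Join the remaining arguments with the separator given in $1.
join_with() { local sep=$1 out="" x; shift; for x in "$@"; do out="$out${out:+$sep}$x"; done; printf '%s' "$out"; }

# systemd-resolved drop-in: every assignment must live under [Resolve].
render_resolved_dropin() {
  local servers="" ip
  for ip in $ADGUARD_V4 $ADGUARD_V6; do servers="$servers${servers:+ }$ip#$ADGUARD_DOT_HOST"; done
  cat <<EOF
[Resolve]
# Upstreams with their TLS name so DNSOverTLS can validate the certificate.
DNS=$servers
# allow-downgrade / opportunistic fall back silently if the upstream lacks support;
# use DNSSEC=yes and DNSOverTLS=yes for hard-fail behaviour.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
EOF
}

# NetworkManager drop-in: read from /etc/NetworkManager/conf.d/*.conf.
render_nm_dropin() {
  cat <<EOF
[global-dns-domain-*]
# Default-domain global DNS: applies to every connection and overrides the
# DHCP-provided resolvers (here 192.168.0.1 from the router).
servers=$(join_with , $ADGUARD_V4 $ADGUARD_V6)

[device]
# Randomize the MAC used while scanning for Wi-Fi networks.
wifi.scan-rand-mac-address=yes

[connection]
# Stable random MAC derived from each connection's stable-id: one network always
# sees the same address, but different networks cannot correlate the device.
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
EOF
}

# Lint an INI-style file: report key=value lines that appear before any
# [Section] header ("Assignment outside of section" in the systemd journal).
lint_ini() {
  local file=$1 line section="" n=0 bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*|';'*) continue ;;
      '['*']') section=$line ;;
      *=*) if [ -z "$section" ]; then
             echo "$file:$n: '$line' is outside any section and will be ignored" >&2
             bad=1
           fi ;;
    esac
  done < "$file"
  return $bad
}

# A randomized MAC has the locally-administered bit (bit 1 of the first octet)
# set, e.g. the C6:... address in the nmcli output above; a burned-in OUI does not.
is_locally_administered() {
  local first
  first=$(printf '%s' "$1" | cut -d: -f1)
  [ $(( 0x$first & 0x02 )) -ne 0 ]
}

# Write both drop-ins under $1 (a scratch root, or "" for the live /etc) and lint them.
install_dropins() {
  local root=$1 f
  install -d "$root/etc/systemd/resolved.conf.d" "$root/etc/NetworkManager/conf.d"
  render_resolved_dropin > "$root/etc/systemd/resolved.conf.d/dns.conf"
  render_nm_dropin > "$root/etc/NetworkManager/conf.d/10-dns-mac.conf"
  for f in "$root/etc/systemd/resolved.conf.d/dns.conf" "$root/etc/NetworkManager/conf.d/10-dns-mac.conf"; do
    lint_ini "$f"
  done
}

# Dry run by default; DESTROOT="" writes to /etc (needs root). Afterwards:
#   systemctl restart systemd-resolved NetworkManager && resolvectl status
DESTROOT=${DESTROOT-${TMPDIR:-/tmp}/dns-mac-dryrun}
install_dropins "$DESTROOT"
echo "drop-ins written under '${DESTROOT:-/}'"
```

After a live install, the Global section of resolvectl status should list the AdGuard servers with DNSOverTLS=opportunistic and DNSSEC=allow-downgrade instead of the router's 192.168.0.1, and the link's HWADDR should change per network. One caveat: [global-dns-domain-*] replaces all per-connection DNS, so the DHCP search domain (mbfamily.localdomain) is no longer resolved via the router; add it back with searches= in a [global-dns] section if local names are needed.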

Answer 1

This is my systemd-resolved configuration for DNSSEC, and it works.

/etc/systemd/resolved.conf

# all settings must sit under the [Resolve] section header
[Resolve]
DNS=9.9.9.9#dns9.quad9.net 2620:fe::fe#dns9.quad9.net 2620:fe::9#dns9.quad9.net
FallbackDNS=149.112.112.112#rpz-public-resolver1.rrdns.pch.net
Domains=home.arpa
DNSSEC=yes
DNSOverTLS=yes
MulticastDNS=no
LLMNR=no
Cache=yes
DNSStubListener=yes
ReadEtcHosts=yes
ResolveUnicastSingleLabel=no

It is especially important that the following options are disabled, like so:

MulticastDNS=no
LLMNR=no

For this to work you must use systemd-resolved's stub resolver, or the systemd socket.

cd /etc/ && ln -sf /run/systemd/resolve/stub-resolv.conf resolv.conf
