5long

joined 1 year ago
[–] 5long@lemmy.run 10 points 1 year ago* (last edited 1 year ago)

Modern browsers use their buit-in DNS settings which adds to the confusion.

There's no way of stopping any application sending DNS queries on its own unless you really want to lock down everything with a heavy hand (firewall, container, apparmor / selinux). As long as there's a toggle to turn it off, I'm okay with that.

How do you think it should be fixed?

The Tailscale folks speak of systemd-resolved positively and it works well for my own use case.

Right now I use both systemd-resolved & systemd-networkd on my laptop with a dnsproxy service to query outside DNS servers with DNS-over-HTTPS. systemd-resolved is responsible for handling queries from applications, caching and per-domain DNS routing (~home.arpa for virtual machines and ~lan for machines in my home network).

There is one little caveat: when I have to connect to a free Wi-Fi which requires authorizing via a captive portal implemented by traffic hijacking, I'll have to enable DNSDefaultRoute= in the Wi-Fi network config file, tell systemd-networkd to reload, finish the authorization in a browser page, revert the previous change, reload systemd-networkd again. It's a lot of steps but I can automate most of them with a script for now.

Long term wise, hopefully systemd-resolved will support DNS-over-HTTPS (and DNS-over-QUIC) then I can stop running dnsproxy.

Edit: link to some blog post