Enhanced DNS Configuration Options for systemd-resolved: Per-Domain DNS, DNS-over-TLS on a Per-Server Basis, and Detailed Query Reporting. #32767

Open
daiaji opened this issue May 12, 2024 · 2 comments
Labels
resolve RFE 🎁 Request for Enhancement, i.e. a feature request

Comments

@daiaji

daiaji commented May 12, 2024

Component

systemd-resolved

Is your feature request related to a problem? Please describe

The feature set of systemd-resolved in version 255 does not support specifying DNS servers for individual domains within the same network interface, nor does it allow for configuring DNS-over-TLS (DoT) on a per-server basis. Additionally, the resolvectl query command does not indicate which DNS server was used for a given query, only the network interface. This lack of granularity and transparency can impede the deployment of sophisticated DNS setups in complex network scenarios and when adhering to specific security protocols.

Describe the solution you'd like

I propose four enhancements to systemd-resolved to allow for more nuanced DNS configuration and to provide greater insight into DNS operations:

  1. Per-Domain DNS Server Configuration: Enable the assignment of DNS servers to specific domains on a single network interface. This would facilitate targeted domain resolution through designated DNS servers.

    Example configuration for /etc/systemd/resolved.conf or the relevant .network files:

    [Resolve]
    DNS=192.168.1.1; 10.0.0.1
    Domains=~company.local 192.168.1.1; ~private.network 10.0.0.1
    

    In this example, queries for *.company.local would be directed to 192.168.1.1, and queries for *.private.network would use 10.0.0.1.

  2. DNS-over-TLS Configuration on a Per-Server Basis: Facilitate the configuration of DNS-over-TLS for each DNS server independently, allowing the use of encrypted DNS queries with supporting servers while maintaining standard DNS for others.

    Example configuration for /etc/systemd/resolved.conf or the relevant .network files:

    [Resolve]
    DNS=tls://1.0.0.1; 8.8.8.8
    Domains=~secure.domain tls://1.0.0.1; ~insecure.domain 8.8.8.8
    

    Here, queries for *.secure.domain would be resolved using DoT with 1.0.0.1, while *.insecure.domain would be resolved using unencrypted DNS with 8.8.8.8.

  3. Detailed Query Reporting for resolvectl query: Improve the resolvectl query command to include information about which DNS server resolved a query, in addition to the network interface.

    Desired output example:

    resolvectl query www.example.com
    www.example.com: 123.123.123.123                  -- link: br0
                                                  -- server: 192.168.1.1
                                                  (example.com)
    
    -- Information acquired via protocol DNS in 871.0ms.
    -- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
    -- Data from: cache network
    

    This output would confirm that the DNS server 192.168.1.1 resolved the query for www.example.com.

  4. Exact Domain Forwarding: Allow for the direct forwarding of specific, exact, and complete domain names to designated DNS servers, rather than just domain suffixes. This feature would enable precise control over DNS resolution for particular fully qualified domain names (FQDNs).

    Example configuration for /etc/systemd/resolved.conf or the relevant .network files:

    [Resolve]
    DNS=192.168.1.1; 10.0.0.1
    Domains=~www.company.local 192.168.1.1; ~www.private.network 10.0.0.1
    

    In this example, only the exact queries for www.company.local would be directed to 192.168.1.1, and www.private.network would use 10.0.0.1.

Describe alternatives you've considered

How about directly porting other more powerful DNS servers? For example, mosdns, dnsmasq.

The systemd version you checked that didn't have the feature you are asking for

255

@daiaji daiaji added the RFE 🎁 Request for Enhancement, i.e. a feature request label May 12, 2024
@daiaji daiaji changed the title from "Enhanced DNS Configuration Options for systemd-resolved: Per-Domain DNS and DNS-over-TLS on a Per-Server Basis." to "Enhanced DNS Configuration Options for systemd-resolved: Per-Domain DNS, DNS-over-TLS on a Per-Server Basis, and Detailed Query Reporting." on May 12, 2024
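The per-server DoT proposal above has a partial present-day counterpart: DNSOverTLS= is set globally in resolved.conf (or per link in a .network file) and takes no, opportunistic or yes, and DNS= entries accept the address:port%ifname#name form that resolved.conf(5) documents, where #name is the server name used for SNI and certificate verification. The POSIX sh script below is an added example, neither the systemd project's code nor the issue author's: it validates DNS= entries in that syntax and renders a resolved.conf drop-in, showing the downgradable opportunistic setting beside a strict one. Refusing to emit DNSOverTLS=yes for a server that lacks a #name is the script's own policy, not a resolved requirement. The function names and the server entries are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the systemd project or the issue author).
# Checks DNS= entries against the syntax resolved.conf(5) documents
# ("addr:port%ifname#name"; an IPv6 address must be in brackets when a port
# follows) and renders a [Resolve] drop-in. Function names are assumptions.

# Return 0 if $1 is a syntactically valid DNS= entry.
validate_dns_spec() {
    case $1 in
        \[*\]*)      # IPv6 in brackets: may carry :port, %ifname, #name
            printf '%s\n' "$1" | grep -Eq '^\[[0-9A-Fa-f:.]+\](:[0-9]{1,5})?(%[A-Za-z0-9_.-]+)?(#[A-Za-z0-9.-]+)?$' ;;
        *:*:*)       # bare IPv6: no port is possible without brackets
            printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:.]+(%[A-Za-z0-9_.-]+)?(#[A-Za-z0-9.-]+)?$' ;;
        *)           # IPv4 dotted quad with the optional suffixes
            printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]{1,5})?(%[A-Za-z0-9_.-]+)?(#[A-Za-z0-9.-]+)?$' ;;
    esac
}

# Return 0 if the entry carries a "#name" suffix (SNI / certificate name).
dns_spec_has_name() {
    case $1 in *#?*) return 0 ;; *) return 1 ;; esac
}

# render_resolved_dropin MODE SPEC...  -> prints a [Resolve] section on stdout.
# MODE is the DNSOverTLS= value: no, opportunistic or yes.
# Script policy (stricter than resolved itself): in "yes" mode every server
# must carry "#name", so the strict config names what the certificate is
# checked against; otherwise the function fails instead of emitting it.
render_resolved_dropin() {
    mode=$1; shift
    case $mode in
        no|opportunistic|yes) ;;
        *) echo "bad DNSOverTLS mode: $mode" >&2; return 1 ;;
    esac
    servers=""
    for s in "$@"; do
        validate_dns_spec "$s" || { echo "invalid DNS= entry: $s" >&2; return 1; }
        if [ "$mode" = yes ] && ! dns_spec_has_name "$s"; then
            echo "strict DoT needs #name on: $s" >&2; return 1
        fi
        servers="${servers:+$servers }$s"
    done
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=%s\n' "$servers" "$mode"
}

# Demo with constructed server entries: weak setting beside the hardened one.
echo "# weak: opportunistic mode falls back to cleartext when TLS fails"
render_resolved_dropin opportunistic 1.1.1.1 8.8.8.8
echo
echo "# hardened: strict mode, every server pinned to a certificate name"
render_resolved_dropin yes '1.1.1.1#cloudflare-dns.com' '[2606:4700:4700::1111]:853#cloudflare-dns.com'
```

Write the strict rendering to a file under /etc/systemd/resolved.conf.d/ and restart systemd-resolved; `resolvectl status` then reports the DNS-over-TLS setting. The opportunistic variant is the weak one: it negotiates TLS when the server answers on port 853 but silently falls back to plaintext, so an on-path attacker can force the downgrade; only `yes` refuses to send queries in the clear.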
@rpigott
Contributor

rpigott commented May 12, 2024

This is basically a duplicate of #5573

@daiaji
Author

daiaji commented May 13, 2024

This is basically a duplicate of #5573

It seems to repeat the first part of the feature request, but it can also be seen as a supplement to the details.
