Configuring unicast DNS on Fedora 33 systemwide using systemd-resolved

pcfed · January 23, 2021, 12:53am

I have recently installed a Fedora 33 system on a private network and it needs to contact three specific DNS servers for internal-only DNS resolution. The DNS server addresses are configured, but the DNS servers don’t appear to support more than unicast UDP and DNS lookups have been spotty with long delays logging in via ssh.

I have been able to find the global default to disable LLMNR (LLMNR=false in /etc/systemd/resolved.conf), but the link-level setting is still present for ens192 -

[root@fedora33lab ~]# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (ens192)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.x.x.x
DNS Servers: 10.x.x.x 10.x.x.x 10.x.x.x
DNS Domain: example.com ~.

I have added llmnr=no to /etc/NetworkManager/system-connections/ens192.nmconnection file and rebooted but this does not seem to have affected the resovlectl status info -

[connection]
id=ens192
uuid=ed000000-0e0e-00fd-0cfc-00cc0bf0e00f
type=ethernet
autoconnect-priority=-999
interface-name=ens192
permissions=
llmnr=no

The goal would to define a standard template for environment-wide use where LLMNR would always be disabled for all interfaces on system-wide basis using a method that would be most likely to persist between Fedora version upgrades.

vgaetera · January 23, 2021, 12:56am

sudo nmcli connection modify id ens192 connection.llmnr no
sudo nmcli connection down id ens192
sudo nmcli connection up id ens192

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
LLMNR=no
EOF
sudo systemctl restart systemd-resolved.service

pcfed · January 23, 2021, 1:27am

Thank you, that has worked to change the setting for ens192 - DNS resolution is now instantaneous!

The nmcli command has changed the setting from llmnr=no to llmnr=0 in the ens192.nmconnection file - looks like I misread nm-settings-nmcli(8), and the Protocols line now reads as follows:

     Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Would there be a general way of setting this in one location instead of on a per-connection basis? The use case is server VMs that would be deployed using templates, so minimizing post-build configuration work and system-specific steps is ideal.

vgaetera · January 23, 2021, 2:17am

sudo tee /etc/NetworkManager/conf.d/00-custom.conf << EOF > /dev/null
[connection]
connection.llmnr=0
EOF
sudo systemctl restart NetworkManager.service

NetworkManager.conf: NetworkManager Reference Manual

pcfed · January 26, 2021, 4:59pm

Thank you very much! This is working now.

In my research, I was directed to an article that identifies LLMNR as a serious risk vector as well as being outmoded, so it looks as though it could be a better default to have it turned off -

Not sure if that would be worthy of a feature request, but using enterprise Linux, this is the kind of thing I would be directed to shut off for security reasons