-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathDNS.mw
More file actions
121 lines (89 loc) · 4.34 KB
/
DNS.mw
File metadata and controls
121 lines (89 loc) · 4.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
{{Header}}
{{title|title=
DNS
}}
{{#seo:
|description=DNS
|image=DNS-Social-Illustration.png
}}
<div class="mininav">
* [[Networking]]
* [[DNS]]
* [[DNS Security]]
</div>
[[File:DNS-Social-Illustration.png|thumb|400px|alt=Illustrative Simplified Image|Illustrative Simplified Image]]
{{intro|
DNS
}}
= Default DNS Configuration =
{{Github_link|
https://github.com/Kicksecure/kicksecure-network-conf
}}
= Linux Default DNS Mechanism =
On Linux, DNS libraries read the <code>/etc/resolv.conf</code> file. A DNS-resolving client such as Unbound is optional and not strictly required for basic DNS resolution.
== /etc/resolv.conf ==
* '''Purpose''': The <code>/etc/resolv.conf</code> file is a standard configuration file in Linux systems used by DNS resolver libraries (like <code>glibc</code>) to determine how to perform DNS resolution.
* '''Contents''': It typically contains information such as:
** <code>nameserver</code> directives specifying the IP addresses of DNS servers.
** <code>search</code> domains and <code>options</code> for resolving queries.
== DNS Resolver Libraries ==
* These libraries are part of most Linux systems and use <code>/etc/resolv.conf</code> to send DNS queries to the specified nameservers.
* The libraries themselves handle basic DNS resolution without needing an external DNS resolver client.
== DNS Resolver Clients ==
E.g., <code>unbound</code>, <code>systemd-resolved</code>.
* '''Optional''': External DNS resolving software like <code>unbound</code> or <code>systemd-resolved</code> is not strictly required for basic DNS resolution.
* '''Purpose''': These tools provide additional functionality, such as caching, advanced DNSSEC validation, or recursive DNS resolution.
* '''Integration''': When such a resolver is used, <code>/etc/resolv.conf</code> might point to <code>127.0.0.1</code> (localhost), as the local resolver handles DNS queries before forwarding them.
== DNS Connection illustrative simplified ==
'''Image:''' ''DNS Connection (illustrative simplified image)''
[[File:DNS-Security-Ilustrative.png|alt=DNS Connection illustrative simplified image|DNS Connection illustrative simplified image]]
== Summary ==
* Basic DNS resolution on Linux relies on resolver libraries using <code>/etc/resolv.conf</code>.
* External DNS resolving clients like <code>unbound</code> are optional and primarily used to enhance DNS functionality. They are not required for basic operations if a valid nameserver is defined in <code>/etc/resolv.conf</code>.
= Disable DNS =
== Disable System DNS ==
System DNS only. Not all DNS. See next chapter for all DNS.
'''1.''' Prerequisite knowledge:
* [[write_protection|write protection]]
'''2.''' Backup the DNS configuration file <code>/etc/resolv.conf</code>.
<u>Optional.</u> Might make re-enabling DNS later easier. Might be difficult or impossible for many users without this step.
{{CodeSelect|code=
sudo cp /etc/resolv.conf ~/resolv.conf
}}
'''3.''' Clear DNS configuration file.
{{CodeSelect|code=
sudo overwrite /etc/resolv.conf ""
}}
'''4.''' Enable write protection.
<u>Optional.</u> Useful to avoid future operating system updates overwriting the file such as when a distribution or derivative (such as Debian, Qubes Debian or Kicksecure) stat shipping a DNS configuration file. Note, if that was ever the case the upgrade of the package will fail and the user will be notified through the usual package manager (apt-get) output. This might happen if/when Kicksecure implements [[DNS Security]]. Forum discussion: [https://forums.whonix.org/t/use-dnscrypt-by-default-in-kicksecure-not-whonix/8117 use DNSCrypt by default in Kicksecure]
{{CodeSelect|code=
sudo chattr +i /etc/resolv.conf
}}
'''5.''' Done.
System DNS has been disabled.
== Disable All DNS ==
{{quotation
|quote=Many applications do actually not use system DNS but their own internal DNS implementation.
|context = [[DNS_Security#Potential_Obstacles|DNS Security, chapter Potential Obstacles]]
}}
= Enabling systemd-resolved =
Only for users that have a specific reason to want to use <code>systemd-resolved</code>.
[[Untested]]!
{{Testers-only}}
{{AdvancedUsersOnly}}
Optional!
{{CodeSelect|code=
sudo touch /etc/dns-enable
}}
{{CodeSelect|code=
sudo apt install systemd-resolved
}}
{{CodeSelect|code=
sudo systemctl enable systemd-resolved
}}
{{CodeSelect|code=
sudo systemctl start systemd-resolved
}}
<references />
{{Footer}}
[[Category:Documentation]]