What’s the difference between /run/systemd/resolve/stub-resolv.conf and /run/systemd/resolve/resolv.conf

resolv.confsystemd-resolved

For configuring custom DNS servers in a brand new Kubuntu 19.10 laptop it wasn't enough with adding to /etc/systemd/resolved.conf:

DNS=77.88.8.7 77.88.8.3 #Yandex's DNS with no porn even on Google Images

I also had to change the symlink of /etc/resolv.conf

$ ls -l /etc/resolv.conf 
lrwxrwxrwx 1 root root 37 oct 26 01:48 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
$ sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

/run/systemd/resolve/stub-resolv.conf only has the ISP's given DNSs, while the custom DNSs are only in /run/systemd/resolve/resolv.conf.

When looking at:

man systemd-resolved.service

it says that the recommended file is /run/systemd/resolve/stub-resolv.conf, but I don't get their differences (that understandable and simple explanation should be the accepted answer). If so, how could I set the system to use the globally configured DNSs using that file and not the other?

Note: On laptop, with plenty of WiFi connections, it's not viable to configure a per-connection DNS, like suggested in many sites that says how to achieve this I just described

Additional info for curious:

/run/systemd/resolve/$ diff stub-resolv.conf resolv.conf 
3,8c3,4
< # This is a dynamic resolv.conf file for connecting local clients to the
< # internal DNS stub resolver of systemd-resolved. This file lists all
< # configured search domains.
< #
< # Run "resolvectl status" to see details about the uplink DNS servers
< # currently in use.
---
> # This is a dynamic resolv.conf file for connecting local clients directly to
> # all known uplink DNS servers. This file lists all configured search domains.
17,18c13,17
< nameserver 127.0.0.53
< options edns0
---
> nameserver 77.88.8.7
> nameserver 77.88.8.3
> nameserver 200.49.130.40
> # Too many DNS servers configured, the following entries may be ignored.
> nameserver 200.42.4.207

Best Answer

Using resolv.conf instead of stub-resolv.conf will bypass a lot of systemd-resolved configuration, such as DNS answer caching, per-interface DNS configuration, DNSSec enforcement, etc.

Explanations:

When using stub-resolv.conf, applications will make DNS requests to the DNS stub resolver provided by systemd on address 127.0.0.53. This stub resolver will proxy the DNS requests to the upstream DNS resolvers configured in systemd-resolved, applying whatever logic it wants to those requests and answers, like caching them.

When using resolv.conf, applications will directly make DNS requests to the "real" (aka. upstream) DNS resolvers configured in systemd-resolved. In this case, systemd-resolved only acts as a "resolv.conf manager", not as a DNS resolver itself.

Source: systemd-resolved manpage

Related Solutions

OpenVPN, resolvconf, and DNS domain resolution

You can set up a local caching server that will watch your /etc/resolv.conf, as it's changed by resolvconf scripts, and try get its answers from all nameservers listed there.

On many systems it'll be enough to install the dnsmasq package, in addition to resolvconf.

The defaults should "just work" provided that no-resolv and no-poll directives are absent from /etc/dnsmasq.conf and lo interface is at the top of /etc/resolvconf/interface-order. If an upstream nameserver returns some arbitrary IPs for unresolvable addresses, strict-order in dnsmasq.conf can help. Your /etc/resolv.conf should only show nameserver 127.0.0.1.

If you prefer a fixed setup or connect to multiple unrelated networks and want to avoid leaking your private network names too all nameservers you should configure dnsmasq to query specific servers based on domain:

# /etc/dnsmasq.conf

# site1 servers
nameserver=/site1.internal.domain/172.16.1.101
nameserver=/site1.internal.domain/172.16.1.102

# site2 servers
nameserver=/site2.internal.domain/192.168.1.5

# default OpenNIC (optional, unless 'no-resolv' is set). 
server=51.15.98.97
server=172.104.136.243

For more info on dnsmasq options see here: http://oss.segetech.com/intra/srv/dnsmasq.conf

Debian – What does “search localdomain” do in resolv.conf

man resolv.conf:

search

Search list for host-name lookup.

The search list is normally determined from the local domain name; by default, it contains only the local domain name. This may be changed by listing the desired domain search path following the search keyword with spaces or tabs separating the names. Resolver queries having fewer than ndots dots (default is 1) in them will be attempted using each component of the search path in turn until a match is found. (...)

localdomain here is your domain. When you make a DNS query with no dot (actually with fewer dots than the configuration value ndots), this domain is automatically added to your query. I.E. if you look up for foo, the actual DNS lookup will be for foo.localdomain.

Best Answer

Related Solutions

OpenVPN, resolvconf, and DNS domain resolution

Debian – What does “search localdomain” do in resolv.conf

Related Question