man: document DNS-over-TLS options
author Iwan Timmer <irtimmer@gmail.com>
Mon, 11 Jun 2018 19:33:57 +0000 (21:33 +0200)
committer Iwan Timmer <irtimmer@gmail.com>
Tue, 12 Jun 2018 16:50:30 +0000 (18:50 +0200)
man/resolvectl.xml
man/resolved.conf.xml
man/systemd.network.xml

index 7f981ac..69c3c0f 100644 (file)
         <term><option>llmnr [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
         <term><option>mdns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
         <term><option>dnssec [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
+        <term><option>privatedns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
         <term><option>nta [<replaceable>LINK</replaceable> [<replaceable>DOMAIN</replaceable>…]]</option></term>
 
         <listitem><para>Get/set per-interface DNS configuration. These commands may be used to configure various DNS
         through external means. The <option>dns</option> command expects IPv4 or IPv6 address specifications of DNS
         servers to use. The <option>domain</option> command expects valid DNS domains, possibly prefixed with
         <literal>~</literal>, and configures a per-interface search or route-only domain. The <option>llmnr</option>,
-        <option>mdns</option> and <option>dnssec</option> commands may be used to configure the per-interface LLMNR,
-        MulticastDNS and DNSSEC settings. Finally, <option>nta</option> command may be used to configure additional
-        per-interface DNSSEC NTA domains. For details about these settings, their possible values and their effect,
-        see the corresponding options in
+        <option>mdns</option>, <option>dnssec</option> and <option>privatedns</option> commands may be used to configure
+        the per-interface LLMNR, MulticastDNS, DNSSEC and PrivateDNS settings. Finally, <option>nta</option> command
+        may be used to configure additional per-interface DNSSEC NTA domains. For details about these settings, their
+        possible values and their effect, see the corresponding options in
         <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
         </listitem>
       </varlistentry>
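Review bot: the new `privatedns` subcommand in the `+` lines is only described as configuring "PrivateDNS settings"; nothing in this hunk tells the reader that this is the DNS-over-TLS setting the commit subject introduces, and the sibling commands in the same sentence are at least spelled out as LLMNR, MulticastDNS and DNSSEC. Suggest "… the per-interface LLMNR, MulticastDNS, DNSSEC and PrivateDNS (DNS-over-TLS) settings" so the resolvectl page matches the commit subject; leaving the accepted MODE values to the systemd.network(5) reference, as the text already does, is fine. Minor: "Finally, <option>nta</option> command" is missing "the", and that line is being rewritten anyway.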
         <listitem><para>Revert the per-interface DNS configuration. If the DNS configuration is reverted all
         per-interface DNS setting are reset to their defaults, undoing all effects of <option>dns</option>,
         <option>domain</option>, <option>llmnr</option>, <option>mdns</option>, <option>dnssec</option>,
-        <option>nta=</option>. Note that when a network interface disappears all configuration is lost automatically,
-        an explicit reverting is not necessary in that case.</para></listitem>
+        <option>privatedns</option>, <option>nta=</option>. Note that when a network interface disappears all
+        configuration is lost automatically, an explicit reverting is not necessary in that case.</para></listitem>
       </varlistentry>
 
     </variablelist>
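Review bot: the rewritten `+` line keeps the stray `=` in `<option>nta=</option>`; the resolvectl subcommand is `nta` (the `nta [LINK [DOMAIN…]]` term above carries no `=`, and the `<option>privatedns</option>` inserted right before it is written without one), so since the line is being touched anyway, change it to `<option>privatedns</option>, <option>nta</option>`. Optionally, "all per-interface DNS setting are reset" in the unchanged context line above should read "settings".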
index e87aa59..67cc409 100644 (file)
       </varlistentry>
 
       <varlistentry>
+        <term><varname>PrivateDNS=</varname></term>
+        <listitem>
+        <para>Takes false or
+        <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>
+        DNS request are attempted to send encrypted with DNS-over-TLS.
+        If the DNS server does not support TLS, DNS-over-TLS is disabled.
+        Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
+        attacks, where an attacker might be able to trigger a downgrade
+        to non-encrypted mode by synthesizing a response that suggests
+        DNS-over-TLS was not supported. If set to false, DNS lookups
+        are send over UDP.</para>
+
+        <para>Note that DNS-over-TLS requires additional data to be
+        send for setting up an encrypted connection, and thus results
+        in a small DNS look-up time penalty.</para>
+
+        <para>Note as the resolver is not capable of authenticating
+        the server, it is vulnerable for "man-in-the-middle" attacks.</para>
+
+        <para>In addition to this global PrivateDNS setting
+        <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        also maintains per-link PrivateDNS settings. For system DNS
+        servers (see above), only the global PrivateDNS setting is in
+        effect. For per-link DNS servers the per-link
+        setting is in effect, unless it is unset in which case the
+        global setting is used instead.</para>
+
+        <para>Defaults to off.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><varname>Cache=</varname></term>
         <listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
         queried earlier will return the previous result as long as it is still valid, and thus does not result in a new
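Review bot: the new `PrivateDNS=` entry is inconsistent about the disabled value: the first paragraph says it "Takes false or <literal>opportunistic</literal>" and "If set to false…", while the last paragraph says "Defaults to off"; pick one spelling so a reader knows what to write in resolved.conf. Several added sentences also need grammar fixes before merge: "DNS request are attempted to send encrypted" → "DNS requests are attempted to be sent encrypted", "are send over UDP" and "data to be send" → "sent", "vulnerable for" → "vulnerable to", and a comma after "In addition to this global PrivateDNS setting". "If set to false, DNS lookups are send over UDP" also contrasts transport rather than encryption, which is what the option controls; "are sent unencrypted" says it directly. The two security caveats are the right ones to document, but they are split by the latency note; consider stating together that, because the resolver does not authenticate the server and accepts a downgrade, opportunistic mode protects only against passive eavesdropping, not against an active attacker.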
index d7bcf5a..b43874b 100644 (file)
           </listitem>
         </varlistentry>
         <varlistentry>
+          <term><varname>PrivateDNS=</varname></term>
+          <listitem>
+            <para>Takes false or
+            <literal>opportunistic</literal>. When set to <literal>opportunistic</literal>, enables
+            <ulink
+            url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink>
+            support on the link. This option defines a
+            per-interface setting for
+            <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
+            global <varname>PrivateDNS=</varname> option. Defaults to
+            false. This setting is read by
+            <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
           <term><varname>DNSSEC=</varname></term>
           <listitem>
             <para>A boolean or
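Review bot: "Defaults to false" on the per-link `PrivateDNS=` contradicts the resolved.conf(5) text added in the same commit, which says the per-link setting is used "unless it is unset in which case the global setting is used instead"; if the link default were literally false, the global `PrivateDNS=` would never apply to per-link DNS servers. Document it as defaulting to unset (inheriting the global setting), or change the networkd default to match, but the two pages must agree. Also, the RFC 7858 `<ulink>` appears only in this file; the resolved.conf(5) entry would benefit from the same reference, and "Takes false or <literal>opportunistic</literal>" should use the same value spelling in both pages.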