Hey everyone! I'm having some strange problems with systemd-resolved. When I enable `DNSOverTLS=yes`, it completely breaks the resolution of my local zone, `int.example.com`, which is actually signed with DNSSEC. Just to give you some insights, I've checked my version of systemd (it's 255), and my resolved.conf settings are pointing to my internal DNS server. Interestingly, everything works fine when I ping devices outside of my local network, but as soon as I try to ping internal hosts like `host1` or `host2.int.example.com`, I get a "Name or service not known" error. However, querying directly with dig works just fine over TLS. What could be causing this?
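Added example (not part of the question or either answer): a small POSIX shell lint that reads a resolved.conf drop-in and flags the settings that matter most when `DNSOverTLS=yes` is combined with an internal, DNSSEC-signed zone. It relies on documented resolved behaviour: with `DNSOverTLS=yes` every configured server must answer over TLS or all lookups fail, the server certificate is validated against the name given as `address#server_name` (against the IP when no name is given), and `Domains=` search suffixes are only appended to single-label names such as `host1`. The drop-in it parses is a constructed sample, and `10.0.0.53` is a placeholder for an internal resolver.

```shell
#!/bin/sh
# Added example: lint a systemd-resolved drop-in for DNSOverTLS pitfalls.
# Constructed sample config (placeholder addresses, not from the thread).
CONF="${TMPDIR:-/tmp}/resolved-example.conf"
cat > "$CONF" <<'EOF'
[Resolve]
DNS=10.0.0.53
FallbackDNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes
EOF

# conf_get FILE KEY: value of KEY (last occurrence wins, as in resolved)
conf_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# servers_without_name FILE: DNS=/FallbackDNS= entries lacking "#server_name";
# with DNSOverTLS=yes these are validated by IP only and send no SNI
servers_without_name() {
  sed -n -e 's/^[[:space:]]*DNS=//p' -e 's/^[[:space:]]*FallbackDNS=//p' "$1" |
    tr ' ' '\n' | grep -v '#' | grep -v '^$'
}

# has_search_domains FILE: true when a Domains= search list is configured;
# without one single-label names are never qualified with the internal zone
has_search_domains() {
  [ -n "$(conf_get "$1" Domains)" ]
}

# lint_resolved FILE: print findings, return their count as exit status
lint_resolved() {
  n=0
  mode=$(conf_get "$1" DNSOverTLS)
  if [ "$mode" = yes ]; then
    echo "DNSOverTLS=yes is strict: each server below must answer on 853 or all lookups fail"
    for s in $(servers_without_name "$1"); do
      echo "DNS=$s has no '#server_name': certificate checked against the IP only, no SNI"
      n=$((n + 1))
    done
  fi
  if ! has_search_domains "$1"; then
    echo "No Domains= line: single-label names (host1) are not tried under the internal zone"
    n=$((n + 1))
  fi
  return "$n"
}

lint_resolved "$CONF" || echo "findings: $?"
```

Run it as-is to see the findings for the sample, or point `CONF` at a real drop-in such as `/etc/systemd/resolved.conf.d/dot.conf` to lint your own setup; it only reads the file and changes nothing.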
2 Answers
Not sure if this will solve your issue, but have you checked if your DNSSEC is correctly signed by a cert that's recognized by systemd-resolved? Sometimes, it requires you to manually import your root CA public key for everything to work smoothly. It might be worth a try!
It sounds like there might be a compatibility issue between DNSSEC and DNS over TLS in systemd-resolved. A lot of folks have had better luck using dnsmasq instead. You could give it a try; just install it from your package manager. Be careful with the default config since dnsmasq might not start if systemd-resolved is already running. You can use this config in `/etc/dnsmasq.conf`:
```
port=53
no-resolv
server=1.1.1.1
cache-size=1000
```
Then remember to disable and stop systemd-resolved before you restart dnsmasq. It might solve your DNS woes!
I added +dnssec to my queries, and it confirmed that the DNSSEC is valid. Still no luck with local resolution, though.