Ubuntu-18.04 DNS configuration
Install Ubuntu 18.04 and configure DNS for the system the usual way:
cat /etc/network/interfaces
<several lines omitted>
iface enp0s25 inet static
dns-nameservers 223.5.5.5 223.6.6.6
Hmm? Domain names cannot be resolved. Check the system's DNS resolver file:
cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
<several lines omitted>
nameserver 127.0.0.53
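The file content has not changed at all. So the routine has changed again. The comments in the file already tell us why, though: on this release, DNS is controlled by the systemd-resolved service by default.
Proceed as follows: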
$ sudo vim /etc/systemd/resolved.conf
<several lines omitted>
[Resolve]
DNS=223.5.5.5 223.6.6.6
<several lines omitted>
Restart the service:
$ sudo systemctl restart systemd-resolved
View the DNS configuration:
$ sudo systemd-resolve --status
Global
DNS Servers: 223.5.5.5
223.6.6.6
<several lines omitted>
Link 2 (enp0s25)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Enabling DNSSEC
Use the following command to check the system's DNS status (whether DNSSEC is enabled):
systemd-resolve --status | grep DNSSEC
DNSSEC NTA: XX
DNSSEC setting: no
DNSSEC supported: no
As shown, DNSSEC is not enabled by default.
Enable it as follows:
grep DNSSEC /etc/systemd/resolved.conf
#DNSSEC=
Open the file, change the line shown above to DNSSEC=yes, and restart the systemd-resolved service:
systemctl restart systemd-resolved
systemd-resolve --status | grep DNSSEC
DNSSEC NTA: XX
DNSSEC setting: yes
DNSSEC supported: yes
dig www.dnssec-failed.org | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50750
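A check for the two verification steps above (the DNSSEC= line in resolved.conf and the dig query), as an added example that is not part of the original post. The function names and sample inputs are constructed; the control query against a name that resolves normally is an assumption added here, because SERVFAIL on its own also appears when the upstream resolver is unreachable.

```shell
#!/bin/sh
# Added example: function names and sample inputs are constructed for illustration.

# Print the effective DNSSEC= value from resolved.conf-style text on stdin.
# Only uncommented keys inside [Resolve] count; the last one wins.
# Prints "unset" when the key is absent or still commented out (#DNSSEC=).
dnssec_setting() {
    awk '
        /^[ \t]*[#;]/ { next }    # comment line such as "#DNSSEC="
        /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*DNSSEC[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Extract the response code from the ";; ->>HEADER<<-" line of dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Verdict from two response codes:
#   $1 = query for the deliberately mis-signed name the page uses (www.dnssec-failed.org)
#   $2 = query for a control name that is expected to resolve (assumption)
dnssec_verdict() {
    case "$1/$2" in
        SERVFAIL/NOERROR)  echo "validating" ;;       # bad signature rejected
        NOERROR/NOERROR)   echo "not-validating" ;;   # bad signature accepted
        SERVFAIL/SERVFAIL) echo "resolver-broken" ;;  # nothing resolves at all
        *)                 echo "inconclusive" ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF='[Resolve]
DNS=223.5.5.5 223.6.6.6
#DNSSEC=
DNSSEC=yes'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50750'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234'

# On a live host: dnssec_setting < /etc/systemd/resolved.conf
#                 dig www.dnssec-failed.org | dig_status
printf 'DNSSEC setting: %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | dnssec_setting)"
printf 'verdict: %s\n' "$(dnssec_verdict \
    "$(printf '%s\n' "$SAMPLE_BAD" | dig_status)" \
    "$(printf '%s\n' "$SAMPLE_OK" | dig_status)")"
```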