mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-10-27 01:55:32 +03:00
man: document DNS-over-TLS options
parent
d050561ac3
commit
30e59c84d7
@ -257,6 +257,7 @@
<term><option>llmnr [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
<term><option>mdns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
<term><option>dnssec [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
<term><option>privatedns [<replaceable>LINK</replaceable> [<replaceable>MODE</replaceable>]]</option></term>
<term><option>nta [<replaceable>LINK</replaceable> [<replaceable>DOMAIN</replaceable>…]]</option></term>
<listitem><para>Get/set per-interface DNS configuration. These commands may be used to configure various DNS
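Review bot: the new `privatedns [LINK [MODE]]` term gives the reader no hint which MODE values are accepted, and the description paragraph below only points at systemd.network(5) for "their possible values and their effect". Either spell the modes out here next to the llmnr/mdns/dnssec ones, or make sure the systemd.network(5) PrivateDNS= entry added in this same commit lists them explicitly (it currently says "Takes false or opportunistic"), so that the command is documented end to end rather than by an indirection that may not mention the per-link command name at all.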
@ -268,10 +269,10 @@
through external means. The <option>dns</option> command expects IPv4 or IPv6 address specifications of DNS
servers to use. The <option>domain</option> command expects valid DNS domains, possibly prefixed with
<literal>~</literal>, and configures a per-interface search or route-only domain. The <option>llmnr</option>,
<option>mdns</option> and <option>dnssec</option> commands may be used to configure the per-interface LLMNR,
MulticastDNS and DNSSEC settings. Finally, <option>nta</option> command may be used to configure additional
per-interface DNSSEC NTA domains. For details about these settings, their possible values and their effect,
see the corresponding options in
<option>mdns</option>, <option>dnssec</option> and <option>privatedns</option> commands may be used to configure
the per-interface LLMNR, MulticastDNS, DNSSEC and PrivateDNS settings. Finally, <option>nta</option> command
may be used to configure additional per-interface DNSSEC NTA domains. For details about these settings, their
possible values and their effect, see the corresponding options in
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
</listitem>
</varlistentry>
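Review bot: the rewritten sentence carries over the pre-existing article slip "Finally, <option>nta</option> command may be used to configure additional per-interface DNSSEC NTA domains"; since the line is being touched anyway, make it "Finally, the <option>nta</option> command may be used ...". Otherwise the enumeration ("LLMNR, MulticastDNS, DNSSEC and PrivateDNS settings") matches the four commands listed just before it, which is what a reader cross-checking the synopsis will look for.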
@ -282,8 +283,8 @@
<listitem><para>Revert the per-interface DNS configuration. If the DNS configuration is reverted all
per-interface DNS setting are reset to their defaults, undoing all effects of <option>dns</option>,
<option>domain</option>, <option>llmnr</option>, <option>mdns</option>, <option>dnssec</option>,
<option>nta=</option>. Note that when a network interface disappears all configuration is lost automatically,
an explicit reverting is not necessary in that case.</para></listitem>
<option>privatedns</option>, <option>nta=</option>. Note that when a network interface disappears all
configuration is lost automatically, an explicit reverting is not necessary in that case.</para></listitem>
</varlistentry>
</variablelist>
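Review bot: the option list in the revert paragraph mixes two spellings: `<option>privatedns</option>, <option>nta=</option>` puts a trailing `=` on nta alone, while dns, domain, llmnr, mdns, dnssec and the newly added privatedns are written as bare command names. Since the line is being rewritten, drop the `=` (`<option>nta</option>`) so the list matches the synopsis terms above. While here, the context line "all per-interface DNS setting are reset to their defaults" wants "settings".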
@ -206,6 +206,38 @@
</listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateDNS=</varname></term>
<listitem>
<para>Takes false or
<literal>opportunistic</literal>. When set to <literal>opportunistic</literal>
DNS request are attempted to send encrypted with DNS-over-TLS.
If the DNS server does not support TLS, DNS-over-TLS is disabled.
Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
attacks, where an attacker might be able to trigger a downgrade
to non-encrypted mode by synthesizing a response that suggests
DNS-over-TLS was not supported. If set to false, DNS lookups
are send over UDP.</para>
<para>Note that DNS-over-TLS requires additional data to be
send for setting up an encrypted connection, and thus results
in a small DNS look-up time penalty.</para>
<para>Note as the resolver is not capable of authenticating
the server, it is vulnerable for "man-in-the-middle" attacks.</para>
<para>In addition to this global PrivateDNS setting
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
also maintains per-link PrivateDNS settings. For system DNS
servers (see above), only the global PrivateDNS setting is in
effect. For per-link DNS servers the per-link
setting is in effect, unless it is unset in which case the
global setting is used instead.</para>
<para>Defaults to off.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>Cache=</varname></term>
<listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
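Review bot: the value vocabulary in the new PrivateDNS= entry is inconsistent with itself: the first paragraph says "Takes false or <literal>opportunistic</literal>" while the last says "Defaults to off". Pick one spelling (the neighbouring Cache= entry uses "yes"/boolean wording, so readers will also try "yes" or "true"; if those are not accepted for this option, say so explicitly rather than leaving only "false"). The English also needs a pass on the lines being added: "DNS request are attempted to send encrypted" should read "DNS requests are attempted to be sent encrypted", "DNS lookups are send over UDP" and "additional data to be send" want "sent", and "vulnerable for man-in-the-middle attacks" wants "vulnerable to". Finally, the two security notes already present (downgrade by a synthesized "not supported" response, and no server authentication) add up to a threat model worth stating in one plain sentence: in opportunistic mode the encryption defends only against passive observers on the path, not against an active attacker, so an administrator does not read "DNS-over-TLS" here as an authenticated transport.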
@ -384,6 +384,21 @@
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>PrivateDNS=</varname></term>
<listitem>
<para>Takes false or
<literal>opportunistic</literal>. When set to <literal>opportunistic</literal>, enables
<ulink
url="https://tools.ietf.org/html/rfc7858">DNS-over-TLS</ulink>
support on the link. This option defines a
per-interface setting for
<citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>'s
global <varname>PrivateDNS=</varname> option. Defaults to
false. This setting is read by
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>DNSSEC=</varname></term>
<listitem>
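Review bot: "Defaults to false" in this per-link PrivateDNS= entry contradicts the resolved.conf(5) text added in the same commit, which says the per-link setting is in effect "unless it is unset in which case the global setting is used instead". If the per-link default really were false, the global PrivateDNS= would never apply to per-link DNS servers; the wording that matches the described precedence is "Defaults to unset, in which case the global setting from resolved.conf(5) applies" (or whatever the resolver actually does, but the two pages must agree). The entry also says nothing about what opportunistic mode does and does not protect against, while the resolved.conf(5) entry carries both the downgrade and the no-server-authentication notes; at least point the reader at those caveats here so the per-link documentation does not read as a stronger guarantee than the global one.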