{{Header}} {{title|title= DNS }} {{#seo: |description=DNS }}
* [[Networking]]
* [[DNS]]
* [[DNS Security]]
{{intro|
DNS
}}

= Default DNS Configuration =
[https://github.com/Kicksecure/kicksecure-network-conf kicksecure-network-conf]

= Linux Default DNS Mechanism =
On Linux, DNS libraries read the /etc/resolv.conf file. A DNS-resolving client such as Unbound is optional and not strictly required for basic DNS resolution.

== /etc/resolv.conf ==
* '''Purpose''': The /etc/resolv.conf file is a standard configuration file in Linux systems used by DNS resolver libraries (like glibc) to determine how to perform DNS resolution.
* '''Contents''': It typically contains information such as:
** nameserver directives specifying the IP addresses of DNS servers.
** search domains and options for resolving queries.

== DNS Resolver Libraries ==
* These libraries are part of most Linux systems and use /etc/resolv.conf to send DNS queries to the specified nameservers.
* The libraries themselves handle basic DNS resolution without needing an external DNS resolver client.

== DNS Resolver Clients ==
E.g., unbound, systemd-resolved.

* '''Optional''': External DNS resolving software like unbound or systemd-resolved is not strictly required for basic DNS resolution.
* '''Purpose''': These tools provide additional functionality, such as caching, advanced DNSSEC validation, or recursive DNS resolution.
* '''Integration''': When such a resolver is used, /etc/resolv.conf might point to 127.0.0.1 (localhost), as the local resolver handles DNS queries before forwarding them.

== Summary ==
* Basic DNS resolution on Linux relies on resolver libraries using /etc/resolv.conf.
* External DNS resolving clients like unbound are optional and primarily used to enhance DNS functionality. They are not required for basic operations if a valid nameserver is defined in /etc/resolv.conf.

= Disable DNS =
== Disable System DNS ==
System DNS only. Not all DNS. See next chapter for all DNS.
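
A check for the /etc/resolv.conf states described above (no nameserver directive, a local resolver on a loopback address, a directly configured nameserver), plus the immutable attribute that the write protection step below sets. This is an added example, not Kicksecure code; the function names resolv_mode and is_immutable are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not Kicksecure code). Function names are hypothetical.

# Classify a resolv.conf-format file by its nameserver directives.
# Prints: no-nameserver | local-resolver | direct
resolv_mode() {
    file="${1:-/etc/resolv.conf}"
    # A missing or unreadable file carries no nameserver directives.
    [ -r "$file" ] || { echo "no-nameserver"; return 0; }
    awk '
        /^[#;]/ { next }                      # comment lines
        /^nameserver[ \t]+/ {                 # keyword must start the line
            total++
            if ($2 ~ /^127\./ || $2 == "::1") loopback++
        }
        END {
            if (total == 0)              print "no-nameserver"
            else if (loopback == total)  print "local-resolver"
            else                         print "direct"
        }
    ' "$file"
}

# Succeeds if the immutable attribute set by "chattr +i" is present.
is_immutable() {
    flags=$(lsattr -d -- "$1" 2>/dev/null | awk '{ print $1 }')
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files, one per state (192.0.2.53 is a documentation address).
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/cleared"                                  # cleared file
    printf 'nameserver 127.0.0.1\n' > "$dir/local"      # local resolver
    printf '# isp\nnameserver 192.0.2.53\nnameserver 127.0.0.1\n' > "$dir/mixed"
    for f in cleared local mixed; do
        printf '%s: %s\n' "$f" "$(resolv_mode "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```

With no nameserver directive, glibc falls back to the name server on the local machine, so no-nameserver means lookups fail only while nothing answers on localhost port 53.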

'''1.''' Prerequisite knowledge:

* [[write_protection|write protection]]

'''2.''' Back up the DNS configuration file /etc/resolv.conf.

Optional. Might make re-enabling DNS later easier; without this step, re-enabling DNS might be difficult or impossible for many users.

{{CodeSelect|code=
sudo cp /etc/resolv.conf ~/resolv.conf
}}

'''3.''' Clear DNS configuration file.

{{CodeSelect|code=
sudo overwrite /etc/resolv.conf ""
}}

'''4.''' Enable write protection.

Optional. Useful to prevent future operating system updates from overwriting the file, such as when a distribution or derivative (such as Debian, Qubes Debian or Kicksecure) starts shipping a DNS configuration file. Note: if that ever happens, the upgrade of the package will fail and the user will be notified through the usual package manager (apt-get) output. This might happen if/when Kicksecure implements [[DNS Security]]. Forum discussion: [https://forums.whonix.org/t/use-dnscrypt-by-default-in-kicksecure-not-whonix/8117 use DNSCrypt by default in Kicksecure]

{{CodeSelect|code=
sudo chattr +i /etc/resolv.conf
}}

'''5.''' Done.

System DNS has been disabled.

== Disable All DNS ==
{{quotation
|quote=Many applications do actually not use system DNS but their own internal DNS implementation.
|context = [[DNS_Security#Potential_Obstacles|DNS Security, chapter Potential Obstacles]]
}}

= Enabling systemd-resolved =
Only for users that have a specific reason to want to use systemd-resolved.

[[Untested]]! {{Testers-only}} {{AdvancedUsersOnly}}

Optional!

{{CodeSelect|code=
sudo touch /etc/dns-enable
}}

{{CodeSelect|code=
sudo apt install systemd-resolved
}}

{{CodeSelect|code=
sudo systemctl enable systemd-resolved
}}

{{CodeSelect|code=
sudo systemctl start systemd-resolved
}}

{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]