
[help] systemd-resolved how to keep DNS server order?

I have a pi hole in my network and I set it as my primary DNS server with my router (a Mikrotik) as secondary. DHCP sets the DNS servers as pihole, mikrotik in this exact order and I want to keep it that way. I know systemd-resolved uses some algorithm to set the fastest dns as current server, but I don’t want/need that. Is there some way to configure it to just let it be?

I’m running Fedora 40.

nelsnelson ,

Via ChatGPT 4 (accuracy unverified):

Yes, you can configure systemd-resolved to use the DNS servers in the order provided without dynamically switching based on speed. Here’s how you can do it:

  1. Edit the resolved configuration file:

    Open the resolved.conf file in a text editor:

    sudo nano /etc/systemd/resolved.conf

  2. Modify or add the following line:

    DNS=IP_of_pihole IP_of_mikrotik
    DNSStubListener=no
    FallbackDNS=


    Replace IP_of_pihole and IP_of_mikrotik with your actual DNS IP addresses. This tells systemd-resolved to only use the DNS servers in the order you’ve specified.

  3. Prevent automatic DNS changes by network manager:

    If you’re using NetworkManager, create a drop-in configuration to prevent it from overriding DNS settings:

    sudo mkdir -p /etc/NetworkManager/conf.d/
    sudo nano /etc/NetworkManager/conf.d/dns.conf


    Add the following content:

    [main]
    dns=none

  4. Restart services:

    After making these changes, restart systemd-resolved and NetworkManager:

    sudo systemctl restart systemd-resolved
    sudo systemctl restart NetworkManager


This should ensure that your system uses the DNS servers in the order provided without any automatic switching.

skullgiver ,

You don’t. There’s a feature request for adding the ability to always try the primary DNS server first but it’s still open.

When you configure multiple DNS servers in systemd-resolved, the resolver will assume all servers are equally valid and produce the same records. This is unlike Windows, which will always try the primary and then randomly try the secondary/tertiary/etc., or dnsmasq which should try the servers in order.

systemd-resolved will rotate through DNS servers, sticking with the one that works when the current server dies. It’s not necessarily about speed, but rather about availability. If all DNS servers fail, it’ll fall back to whatever fallback DNS server was compiled in by your distro (I believe Google’s 8.8.8.8 is compiled in by default but you’ll have to check the Fedora sources to see if they’re configuring systemd for that).

You can install a DNS resolver that does take the “try every server in the list” approach after removing/disabling systemd-resolved. Make sure to update your resolvconf files to point to said server.

However, I do wonder if your Pi-hole-then-Mikrotik approach actually works on all devices. If your computer validates DNSSEC records, the fake results returned by Pihole will be discarded as broken, and your computer will probably try to resolve the domain on your router, undoing the blocking Pihole is trying to do. You’ll need to disable DNSSEC verification for this approach to work if you’re also including a non-blocking DNS server in the chain.
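A way to see the rotation skullgiver describes on a running host, as an added example that is not part of the thread: it parses resolvectl status output and reports, per scope, whether systemd-resolved is still using the first-listed server (the Pi-hole) or has moved to the secondary (the Mikrotik), which silently bypasses blocking. The status line format, the interface name and the 192.168.1.x addresses are assumptions made for the constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `resolvectl status` text and
# flags any scope whose "Current DNS Server" is not the first address in its
# "DNS Servers" list, i.e. resolved rotated away from the Pi-hole.
# Assumed format: scope headers "Global" or "Link N (ifname)" at column 0,
# then indented "DNS Servers:" and "Current DNS Server:" lines.
# A "Fallback DNS Servers:" line is deliberately ignored.

# check_dns_order: status text on stdin, one verdict line per scope on stdout.
# Exit 0 when every scope uses its first-listed server, 1 otherwise.
check_dns_order() {
    awk '
        /^(Global|Link [0-9]+)/ { scope = $0 }
        /^[[:space:]]*Current DNS Server:/ { current[scope] = $NF }
        /^[[:space:]]*DNS Servers:/ {
            line = $0
            sub(/^[[:space:]]*DNS Servers:[[:space:]]*/, "", line)
            split(line, addrs, " ")     # whitespace split, so IPv6 is safe
            first[scope] = addrs[1]
        }
        END {
            bad = 0
            for (s in first) {
                if (!(s in current)) continue   # scope not queried yet
                verdict = "OK"
                if (current[s] != first[s]) { verdict = "ROTATED"; bad = 1 }
                printf "%s: current=%s first=%s %s\n", s, current[s], first[s], verdict
            }
            exit bad
        }'
}

# Constructed sample: resolved picked the Mikrotik (192.168.1.1) although the
# Pi-hole (192.168.1.2) is listed first, the situation the OP wants to avoid.
SAMPLE_ROTATED='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.2 192.168.1.1'

# Constructed sample: healthy state, the Pi-hole is the current server.
SAMPLE_OK='Link 2 (eth0)
    Current Scopes: DNS
Current DNS Server: 192.168.1.2
       DNS Servers: 192.168.1.2 192.168.1.1'

# On a live host:  resolvectl status | check_dns_order
```

A non-zero exit from the pipeline is a convenient trigger for a cron or systemd timer alert when the Pi-hole has been dropped as the active server.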

lurch ,

I think you should just set the pi, then have the pi configured to internally use the other for things it doesn’t block.

atzanteol ,

You can’t. Well, you shouldn’t rely on queries going out in any particular order. All of your DNS servers should behave the same way as clients may fail from the first one to a secondary.

Why do you care which one is being used? What are you trying to do?

clmbmb OP ,

I want to have ads blocked with pihole and at the same time to have local DNS served by the router. I know pihole does local DNS, but RouterOS (mikrotik) is much better suited for that.

skullgiver ,

If you set the Mikrotik as Pihole’s upstream server, you should get both Mikrotik’s local domains and ad blocking.

You may need to disable DNSSEC validation to get it to work if you use a real domain for local records, though.

clmbmb OP ,

Thank you. I’ll have it set like this.
