[kwlug-disc] Systemd resolv issue ...
Chris Irwin
chris at chrisirwin.ca
Wed Feb 11 16:21:48 EST 2026
On Wed, Feb 11, 2026 at 03:20:21PM -0500, Khalid Baheyeldin wrote:
>My understanding is that DNS, only for that interface will be the 10.10.0.1
You've got a chicken vs egg situation by assuming DNS requests will be
routed based on IP address, as it's the DNS result that determines the
IP, not the request.
systemd-resolved's choice of which DNS server to use is based on domain
names, rather than IP addresses.
Here's an example with my laptop, connected to my home wifi (wlp1s0),
which has a search domain (chrisirwin.ca) and an external VPN (tun0).
The VPN, once connected, is my default route. So all DNS requests will
go to its DNS servers.
However, my local wifi is connected to the domain chrisirwin.ca, so
if I do a lookup for example.chrisirwin.ca, that request will go to my
internal DNS, instead of leaking through the VPN.
$ resolvectl
Global
Protocols: LLMNR=resolve +mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
resolv.conf mode: stub
Fallback DNS Servers: 149.112.121.20 149.112.122.20 2620:10a:80bb::20 2620:10a:80bc::20
Link 2 (wlp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: -DefaultRoute LLMNR=resolve +mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
Current DNS Server: 10.10.10.1
DNS Servers: 10.10.10.1
DNS Domain: chrisirwin.ca
Default Route: no
Link 7 (tun0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute LLMNR=resolve +mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
Current DNS Server: 10.0.0.243
DNS Servers: 10.0.0.243
Default Route: yes
This works similarly for split-route VPNs (ex: for work), so
work-related DNS requests won't leak to the Internet.
Looking at your earlier resolvectl output, both interfaces have
+DefaultRoute, which strikes me as odd...
--
Chris Irwin
email: chris at chrisirwin.ca
web: https://chrisirwin.ca
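A small model of the domain-based routing described in the message above, added here as an example and not code from the post or from systemd itself. It assumes a simplified rule set (longest matching DNS Domain wins, otherwise every DefaultRoute=yes link, otherwise the global fallback servers) and ignores LLMNR/mDNS scopes and route-only (~) domains; the link data is constructed from the resolvectl output quoted in the message.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    """One link as shown by resolvectl (constructed from the post's output)."""
    name: str
    dns_servers: list
    domains: list = field(default_factory=list)  # the link's "DNS Domain" entries
    default_route: bool = False                  # +DefaultRoute vs -DefaultRoute

# Global "Fallback DNS Servers" from the post's resolvectl output (IPv4 only).
FALLBACK = ["149.112.121.20", "149.112.122.20"]

# Constructed from the post: wifi owns chrisirwin.ca, the VPN is the default route.
POST_LINKS = [
    Link("wlp1s0", ["10.10.10.1"], ["chrisirwin.ca"], default_route=False),
    Link("tun0", ["10.0.0.243"], [], default_route=True),
]

def _suffix_labels(domain: str, query: str) -> int:
    """Label count of `domain` if it equals or is a suffix of `query`, else -1."""
    q, d = query.rstrip(".").lower(), domain.rstrip(".").lower()
    if q == d or q.endswith("." + d):
        return len(d.split("."))
    return -1

def route_query(query: str, links: list) -> dict:
    """Pick the link(s) a lookup goes to: longest matching DNS domain wins,
    otherwise every DefaultRoute=yes link, otherwise the global fallback."""
    best, best_len = [], -1
    for link in links:
        for dom in link.domains:
            n = _suffix_labels(dom, query)
            if n > best_len:
                best, best_len = [link], n
            elif n == best_len and n >= 0 and link not in best:
                best.append(link)
    if not best:
        best = [l for l in links if l.default_route]
    if not best:
        return {"links": ["global"], "servers": list(FALLBACK)}
    return {"links": [l.name for l in best],
            "servers": [s for l in best for s in l.dns_servers]}

def leak_warnings(links: list) -> list:
    """Flag what the post calls odd: several +DefaultRoute links, so any query
    that matches no DNS domain is sent to all of their servers."""
    names = [l.name for l in links if l.default_route]
    return [f"{len(names)} DefaultRoute links {names}: unmatched queries go to all"] if len(names) > 1 else []
```

Calling route_query("example.chrisirwin.ca", POST_LINKS) returns the wifi link only, while route_query("example.com", POST_LINKS) returns tun0; marking both links DefaultRoute=True makes leak_warnings() report the configuration and sends unmatched names to both servers.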