systemd-resolved block a domain name











up vote
5
down vote

favorite
1












Using systemd-resolved how do I block, route, or resolve, a domain name to a black hole, or a nowhere address. Bonus points for subdomains as well.



I tried a single domain in /etc/hosts:



127.0.0.1 google.com

::1 google.com


I also tried /etc/systemd/network/100-blocked.network:



[Match]

Name=wlp113s0



[Network]

Description="Just block the domain, and sub domains"

DNS=127.0.0.255

DNS=::1



[Resolve]

Domains=google.com


sudo systemd-resolve --status:



Link 3 (wlp113s0)

      Current Scopes: DNS

       LLMNR setting: yes

MulticastDNS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

         DNS Servers: 127.0.0.255

                      ::1

                      2001:4888:3a:ff00:304:d::

                      2001:4888:39:ff00:308:d::


for example using dnsmasq i was able to do:



server=192.168.43.1

address=/google.com/0.0.0.0

# a very long list of "address=/domain/0"


related:




  • Resolving pseudo domain name to private IP

  • How to configure systemd-resolved and systemd-networkd to use local DNS server for resolving local domains and remote DNS server for remote domains?

  • How to troubleshoot DNS with systemd-resolved?






systemd dns dnsmasq systemd-networkd systemd-resolved







share|improve this question
























  • The /etc/hosts thing should still work. But I noticed that this works for some domains and not for others :/
    – Pierre-Alain TORET
    Nov 8 at 15:50










  • @Pierre-AlainTORET Can you give examples of domains that work and that don't? Would be interesting to look into the differences between those...
    – Filipe Brandenburger
    Nov 9 at 3:32






  • 1




    My bad, actually I get it working for all with ping, my test in Firefox wasn't good. Sorry. The thing is how do you use systemd-resolved ? What tool do you use to test ? And what is the result of all your tests ?
    – Pierre-Alain TORET
    Nov 9 at 9:42












  • @Pierre-AlainTORET default settings of firefox with caching disabled via dev tools. but sometimes curl, ping, dig
    – jmunsch
    Nov 9 at 15:58















up vote
5
down vote

favorite
1












Using systemd-resolved how do I block, route, or resolve, a domain name to a black hole, or a nowhere address. Bonus points for subdomains as well.



I tried a single domain in /etc/hosts:



127.0.0.1 google.com

::1 google.com


I also tried /etc/systemd/network/100-blocked.network:



[Match]

Name=wlp113s0



[Network]

Description="Just block the domain, and sub domains"

DNS=127.0.0.255

DNS=::1



[Resolve]

Domains=google.com


sudo systemd-resolve --status:



Link 3 (wlp113s0)

      Current Scopes: DNS

       LLMNR setting: yes

MulticastDNS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

         DNS Servers: 127.0.0.255

                      ::1

                      2001:4888:3a:ff00:304:d::

                      2001:4888:39:ff00:308:d::


for example using dnsmasq i was able to do:



server=192.168.43.1

address=/google.com/0.0.0.0

# a very long list of "address=/domain/0"


related:




  • Resolving pseudo domain name to private IP

  • How to configure systemd-resolved and systemd-networkd to use local DNS server for resolving local domains and remote DNS server for remote domains?

  • How to troubleshoot DNS with systemd-resolved?






systemd dns dnsmasq systemd-networkd systemd-resolved







share|improve this question
























  • The /etc/hosts thing should still work. But I noticed that this works for some domains and not for others :/
    – Pierre-Alain TORET
    Nov 8 at 15:50










  • @Pierre-AlainTORET Can you give examples of domains that work and that don't? Would be interesting to look into the differences between those...
    – Filipe Brandenburger
    Nov 9 at 3:32






  • 1




    My bad, actually I get it working for all with ping, my test in Firefox wasn't good. Sorry. The thing is how do you use systemd-resolved ? What tool do you use to test ? And what is the result of all your tests ?
    – Pierre-Alain TORET
    Nov 9 at 9:42












  • @Pierre-AlainTORET default settings of firefox with caching disabled via dev tools. but sometimes curl, ping, dig
    – jmunsch
    Nov 9 at 15:58













up vote
5
down vote

favorite
1









up vote
5
down vote

favorite
1






1





Using systemd-resolved how do I block, route, or resolve, a domain name to a black hole, or a nowhere address. Bonus points for subdomains as well.



I tried a single domain in /etc/hosts:



127.0.0.1 google.com

::1 google.com


I also tried /etc/systemd/network/100-blocked.network:



[Match]

Name=wlp113s0



[Network]

Description="Just block the domain, and sub domains"

DNS=127.0.0.255

DNS=::1



[Resolve]

Domains=google.com


sudo systemd-resolve --status:



Link 3 (wlp113s0)

      Current Scopes: DNS

       LLMNR setting: yes

MulticastDNS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

         DNS Servers: 127.0.0.255

                      ::1

                      2001:4888:3a:ff00:304:d::

                      2001:4888:39:ff00:308:d::


for example using dnsmasq i was able to do:



server=192.168.43.1

address=/google.com/0.0.0.0

# a very long list of "address=/domain/0"


related:




  • Resolving pseudo domain name to private IP

  • How to configure systemd-resolved and systemd-networkd to use local DNS server for resolving local domains and remote DNS server for remote domains?

  • How to troubleshoot DNS with systemd-resolved?






systemd dns dnsmasq systemd-networkd systemd-resolved







share|improve this question















Using systemd-resolved how do I block, route, or resolve, a domain name to a black hole, or a nowhere address. Bonus points for subdomains as well.



I tried a single domain in /etc/hosts:



127.0.0.1 google.com

::1 google.com


I also tried /etc/systemd/network/100-blocked.network:



[Match]

Name=wlp113s0



[Network]

Description="Just block the domain, and sub domains"

DNS=127.0.0.255

DNS=::1



[Resolve]

Domains=google.com


sudo systemd-resolve --status:



Link 3 (wlp113s0)

      Current Scopes: DNS

       LLMNR setting: yes

MulticastDNS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

         DNS Servers: 127.0.0.255

                      ::1

                      2001:4888:3a:ff00:304:d::

                      2001:4888:39:ff00:308:d::


for example using dnsmasq i was able to do:



server=192.168.43.1

address=/google.com/0.0.0.0

# a very long list of "address=/domain/0"


related:




  • Resolving pseudo domain name to private IP

  • How to configure systemd-resolved and systemd-networkd to use local DNS server for resolving local domains and remote DNS server for remote domains?

  • How to troubleshoot DNS with systemd-resolved?






systemd dns dnsmasq systemd-networkd systemd-resolved




systemd dns dnsmasq systemd-networkd systemd-resolved






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 7 at 15:48

























asked Nov 3 at 15:22









jmunsch

1,5691922




1,5691922












  • The /etc/hosts thing should still work. But I noticed that this works for some domains and not for others :/
    – Pierre-Alain TORET
    Nov 8 at 15:50










  • @Pierre-AlainTORET Can you give examples of domains that work and that don't? Would be interesting to look into the differences between those...
    – Filipe Brandenburger
    Nov 9 at 3:32






  • 1




    My bad, actually I get it working for all with ping, my test in Firefox wasn't good. Sorry. The thing is how do you use systemd-resolved ? What tool do you use to test ? And what is the result of all your tests ?
    – Pierre-Alain TORET
    Nov 9 at 9:42












  • @Pierre-AlainTORET default settings of firefox with caching disabled via dev tools. but sometimes curl, ping, dig
    – jmunsch
    Nov 9 at 15:58


















  • The /etc/hosts thing should still work. But I noticed that this works for some domains and not for others :/
    – Pierre-Alain TORET
    Nov 8 at 15:50










  • @Pierre-AlainTORET Can you give examples of domains that work and that don't? Would be interesting to look into the differences between those...
    – Filipe Brandenburger
    Nov 9 at 3:32






  • 1




    My bad, actually I get it working for all with ping, my test in Firefox wasn't good. Sorry. The thing is how do you use systemd-resolved ? What tool do you use to test ? And what is the result of all your tests ?
    – Pierre-Alain TORET
    Nov 9 at 9:42












  • @Pierre-AlainTORET default settings of firefox with caching disabled via dev tools. but sometimes curl, ping, dig
    – jmunsch
    Nov 9 at 15:58
















The /etc/hosts thing should still work. But I noticed that this works for some domains and not for others :/
– Pierre-Alain TORET
Nov 8 at 15:50




The /etc/hosts thing should still work. But I noticed that this works for some domains and not for others :/
– Pierre-Alain TORET
Nov 8 at 15:50












@Pierre-AlainTORET Can you give examples of domains that work and that don't? Would be interesting to look into the differences between those...
– Filipe Brandenburger
Nov 9 at 3:32




@Pierre-AlainTORET Can you give examples of domains that work and that don't? Would be interesting to look into the differences between those...
– Filipe Brandenburger
Nov 9 at 3:32




1




1




My bad, actually I get it working for all with ping, my test in Firefox wasn't good. Sorry. The thing is how do you use systemd-resolved ? What tool do you use to test ? And what is the result of all your tests ?
– Pierre-Alain TORET
Nov 9 at 9:42






My bad, actually I get it working for all with ping, my test in Firefox wasn't good. Sorry. The thing is how do you use systemd-resolved ? What tool do you use to test ? And what is the result of all your tests ?
– Pierre-Alain TORET
Nov 9 at 9:42














@Pierre-AlainTORET default settings of firefox with caching disabled via dev tools. but sometimes curl, ping, dig
– jmunsch
Nov 9 at 15:58




@Pierre-AlainTORET default settings of firefox with caching disabled via dev tools. but sometimes curl, ping, dig
– jmunsch
Nov 9 at 15:58










2 Answers
2






active

oldest

votes

















up vote
1
down vote













Adding an entry to /etc/hosts is supposed to work and in my tests it worked as expected. My tests are on Fedora Rawhide, with version systemd-239-9.git9f3aed1.fc30.x86_64, so that's a pretty recent snapshot of systemd, maybe older versions will not work the same as expected...




Before adding the entry to /etc/hosts:



1) resolvectl query:



$ resolvectl query google.com

google.com: 172.217.6.78



-- Information acquired via protocol DNS in 1.4ms.

-- Data is authenticated: no


2) ping:



$ ping -c1 google.com

PING google.com (172.217.6.78) 56(84) bytes of data.

64 bytes from sfo07s17-in-f78.1e100.net (172.217.6.78): icmp_seq=1 ttl=54 time=12.4 ms



--- google.com ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 12.435/12.435/12.435/0.000 ms


3) curl:



$ curl http://google.com

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">

<TITLE>301 Moved</TITLE></HEAD><BODY>

<H1>301 Moved</H1>

The document has moved

<A HREF="http://www.google.com/">here</A>.

</BODY></HTML>



After adding the entry, in which case /etc/hosts looks like this:



$ cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6



127.0.0.1 google.com

::1 google.com


Tests showed the blocking is working:



1) resolvectl query:



$ resolvectl query google.com

google.com: 127.0.0.1

            ::1



-- Information acquired via protocol DNS in 1.8ms.

-- Data is authenticated: yes


2) ping:



$ ping -c1 google.com

PING google.com(localhost (::1)) 56 data bytes

64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.613 ms



--- google.com ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms


3) curl:



$ curl http://google.com

curl: (7) Failed to connect to google.com port 80: Connection refused


So the block seems to be working.




I expected this would work, since this was brought up recently in an issue filed against systemd. Issue #9718 talked about adding millions of entries to /etc/hosts, which has one usecase and that's blacklisting domains, such as here.



Please note that there are quite a few moving parts here, so it's important to consider those while troubleshooting this.



My /etc/systemd/resolved.conf has no overridden configuration, all entries are commented out, network setup is using systemd-networkd with DHCP and no overrides either.



Output of resolvectl status includes:



Global

       LLMNR setting: yes

MulticastDNS setting: yes

  DNSOverTLS setting: no

      DNSSEC setting: allow-downgrade

    DNSSEC supported: no

Fallback DNS Servers: 8.8.8.8

                      8.8.4.4

                      2001:4860:4860::8888

                      2001:4860:4860::8844



Link 2 (ens33)

      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6

       LLMNR setting: yes

MulticastDNS setting: no

  DNSOverTLS setting: no

      DNSSEC setting: allow-downgrade

    DNSSEC supported: no


Configuration of /etc/resolv.conf is using the stub resolver:



$ ls -l /etc/resolv.conf

lrwxrwxrwx. 1 root root 39 Nov  7 22:08 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

$ grep '^[^#]' /etc/resolv.conf

nameserver 127.0.0.53


And nsswitch.conf is configured to use nss-resolve(8) according to the recommendation from its man page:



$ grep ^hosts: /etc/nsswitch.conf

hosts:      files resolve [!UNAVAIL=return] dns myhostname


If you still can't make it work, you might want to check these settings in your system and confirm they are all configured correctly. Or, at least, post your current configuration here (together with Linux distro and systemd version) to help diagnose why it might not be working for you.






share|improve this answer




























    up vote
    0
    down vote













    I guess for this purpose you could modify your /etc/nsswitch.conf. Param. host in this file shows you sources which systemd-resolved uses for getting host by name. So you could modify it like this: hosts: files [!NOTFOUND=return] dns.




    files - Local files, such as /etc/hosts and /etc/passwd



    dns - Internet Domain Name System




    In this case, systemd-resolved at first will be use /etc/hosts for getting host by name. Part !NOTFOUND=return means if name hasn't been found in /etc/hosts systemd-resolved will try to resolve it with dns.






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "106"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














       

      draft saved


      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f479600%2fsystemd-resolved-block-a-domain-name%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      1
      down vote













      Adding an entry to /etc/hosts is supposed to work and in my tests it worked as expected. My tests are on Fedora Rawhide, with version systemd-239-9.git9f3aed1.fc30.x86_64, so that's a pretty recent snapshot of systemd, maybe older versions will not work the same as expected...




      Before adding the entry to /etc/hosts:



      1) resolvectl query:



      $ resolvectl query google.com
      
google.com: 172.217.6.78
      

      
-- Information acquired via protocol DNS in 1.4ms.
      
-- Data is authenticated: no


      2) ping:



      $ ping -c1 google.com
      
PING google.com (172.217.6.78) 56(84) bytes of data.
      
64 bytes from sfo07s17-in-f78.1e100.net (172.217.6.78): icmp_seq=1 ttl=54 time=12.4 ms
      

      
--- google.com ping statistics ---
      
1 packets transmitted, 1 received, 0% packet loss, time 0ms
      
rtt min/avg/max/mdev = 12.435/12.435/12.435/0.000 ms


      3) curl:



      $ curl http://google.com
      
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
      
<TITLE>301 Moved</TITLE></HEAD><BODY>
      
<H1>301 Moved</H1>
      
The document has moved
      
<A HREF="http://www.google.com/">here</A>.
      
</BODY></HTML>



      After adding the entry, in which case /etc/hosts looks like this:



      $ cat /etc/hosts
      
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
      
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
      

      
127.0.0.1 google.com
      
::1 google.com


      Tests showed the blocking is working:



      1) resolvectl query:



      $ resolvectl query google.com
      
google.com: 127.0.0.1
      
            ::1
      

      
-- Information acquired via protocol DNS in 1.8ms.
      
-- Data is authenticated: yes


      2) ping:



      $ ping -c1 google.com
      
PING google.com(localhost (::1)) 56 data bytes
      
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.613 ms
      

      
--- google.com ping statistics ---
      
1 packets transmitted, 1 received, 0% packet loss, time 0ms
      
rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms


      3) curl:



      $ curl http://google.com
      
curl: (7) Failed to connect to google.com port 80: Connection refused


      So the block seems to be working.




      I expected this would work, since this was brought up recently in an issue filed against systemd. Issue #9718 talked about adding millions of entries to /etc/hosts, which has one usecase and that's blacklisting domains, such as here.



      Please note that there are quite a few moving parts here, so it's important to consider those while troubleshooting this.



      My /etc/systemd/resolved.conf has no overridden configuration, all entries are commented out, network setup is using systemd-networkd with DHCP and no overrides either.



      Output of resolvectl status includes:



      Global
      
       LLMNR setting: yes
      
MulticastDNS setting: yes
      
  DNSOverTLS setting: no
      
      DNSSEC setting: allow-downgrade
      
    DNSSEC supported: no
      
Fallback DNS Servers: 8.8.8.8
      
                      8.8.4.4
      
                      2001:4860:4860::8888
      
                      2001:4860:4860::8844
      

      
Link 2 (ens33)
      
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
      
       LLMNR setting: yes
      
MulticastDNS setting: no
      
  DNSOverTLS setting: no
      
      DNSSEC setting: allow-downgrade
      
    DNSSEC supported: no


      Configuration of /etc/resolv.conf is using the stub resolver:



      $ ls -l /etc/resolv.conf
      
lrwxrwxrwx. 1 root root 39 Nov  7 22:08 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
      
$ grep '^[^#]' /etc/resolv.conf
      
nameserver 127.0.0.53


      And nsswitch.conf is configured to use nss-resolve(8) according to the recommendation from its man page:



      $ grep ^hosts: /etc/nsswitch.conf
      
hosts:      files resolve [!UNAVAIL=return] dns myhostname


      If you still can't make it work, you might want to check these settings in your system and confirm they are all configured correctly. Or, at least, post your current configuration here (together with Linux distro and systemd version) to help diagnose why it might not be working for you.






      share|improve this answer

























        up vote
        1
        down vote













        Adding an entry to /etc/hosts is supposed to work and in my tests it worked as expected. My tests are on Fedora Rawhide, with version systemd-239-9.git9f3aed1.fc30.x86_64, so that's a pretty recent snapshot of systemd, maybe older versions will not work the same as expected...




        Before adding the entry to /etc/hosts:



        1) resolvectl query:



        $ resolvectl query google.com
        
google.com: 172.217.6.78
        

        
-- Information acquired via protocol DNS in 1.4ms.
        
-- Data is authenticated: no


        2) ping:



        $ ping -c1 google.com
        
PING google.com (172.217.6.78) 56(84) bytes of data.
        
64 bytes from sfo07s17-in-f78.1e100.net (172.217.6.78): icmp_seq=1 ttl=54 time=12.4 ms
        

        
--- google.com ping statistics ---
        
1 packets transmitted, 1 received, 0% packet loss, time 0ms
        
rtt min/avg/max/mdev = 12.435/12.435/12.435/0.000 ms


        3) curl:



        $ curl http://google.com
        
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
        
<TITLE>301 Moved</TITLE></HEAD><BODY>
        
<H1>301 Moved</H1>
        
The document has moved
        
<A HREF="http://www.google.com/">here</A>.
        
</BODY></HTML>



        After adding the entry, in which case /etc/hosts looks like this:



        $ cat /etc/hosts
        
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
        
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
        

        
127.0.0.1 google.com
        
::1 google.com


        Tests showed the blocking is working:



        1) resolvectl query:



        $ resolvectl query google.com
        
google.com: 127.0.0.1
        
            ::1
        

        
-- Information acquired via protocol DNS in 1.8ms.
        
-- Data is authenticated: yes


        2) ping:



        $ ping -c1 google.com
        
PING google.com(localhost (::1)) 56 data bytes
        
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.613 ms
        

        
--- google.com ping statistics ---
        
1 packets transmitted, 1 received, 0% packet loss, time 0ms
        
rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms


        3) curl:



        $ curl http://google.com
        
curl: (7) Failed to connect to google.com port 80: Connection refused


        So the block seems to be working.




        I expected this would work, since this was brought up recently in an issue filed against systemd. Issue #9718 talked about adding millions of entries to /etc/hosts, which has one usecase and that's blacklisting domains, such as here.



        Please note that there are quite a few moving parts here, so it's important to consider those while troubleshooting this.



        My /etc/systemd/resolved.conf has no overridden configuration, all entries are commented out, network setup is using systemd-networkd with DHCP and no overrides either.



        Output of resolvectl status includes:



        Global
        
       LLMNR setting: yes
        
MulticastDNS setting: yes
        
  DNSOverTLS setting: no
        
      DNSSEC setting: allow-downgrade
        
    DNSSEC supported: no
        
Fallback DNS Servers: 8.8.8.8
        
                      8.8.4.4
        
                      2001:4860:4860::8888
        
                      2001:4860:4860::8844
        

        
Link 2 (ens33)
        
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
        
       LLMNR setting: yes
        
MulticastDNS setting: no
        
  DNSOverTLS setting: no
        
      DNSSEC setting: allow-downgrade
        
    DNSSEC supported: no


        Configuration of /etc/resolv.conf is using the stub resolver:



        $ ls -l /etc/resolv.conf
        
lrwxrwxrwx. 1 root root 39 Nov  7 22:08 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
        
$ grep '^[^#]' /etc/resolv.conf
        
nameserver 127.0.0.53


        And nsswitch.conf is configured to use nss-resolve(8) according to the recommendation from its man page:



        $ grep ^hosts: /etc/nsswitch.conf
        
hosts:      files resolve [!UNAVAIL=return] dns myhostname


        If you still can't make it work, you might want to check these settings in your system and confirm they are all configured correctly. Or, at least, post your current configuration here (together with Linux distro and systemd version) to help diagnose why it might not be working for you.






        share|improve this answer























          up vote
          1
          down vote










          up vote
          1
          down vote









          Adding an entry to /etc/hosts is supposed to work and in my tests it worked as expected. My tests are on Fedora Rawhide, with version systemd-239-9.git9f3aed1.fc30.x86_64, so that's a pretty recent snapshot of systemd, maybe older versions will not work the same as expected...




          Before adding the entry to /etc/hosts:



          1) resolvectl query:



          $ resolvectl query google.com
          
google.com: 172.217.6.78
          

          
-- Information acquired via protocol DNS in 1.4ms.
          
-- Data is authenticated: no


          2) ping:



          $ ping -c1 google.com
          
PING google.com (172.217.6.78) 56(84) bytes of data.
          
64 bytes from sfo07s17-in-f78.1e100.net (172.217.6.78): icmp_seq=1 ttl=54 time=12.4 ms
          

          
--- google.com ping statistics ---
          
1 packets transmitted, 1 received, 0% packet loss, time 0ms
          
rtt min/avg/max/mdev = 12.435/12.435/12.435/0.000 ms


          3) curl:



          $ curl http://google.com
          
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
          
<TITLE>301 Moved</TITLE></HEAD><BODY>
          
<H1>301 Moved</H1>
          
The document has moved
          
<A HREF="http://www.google.com/">here</A>.
          
</BODY></HTML>



          After adding the entry, in which case /etc/hosts looks like this:



          $ cat /etc/hosts
          
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
          
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
          

          
127.0.0.1 google.com
          
::1 google.com


          Tests showed the blocking is working:



          1) resolvectl query:



          $ resolvectl query google.com
          
google.com: 127.0.0.1
          
            ::1
          

          
-- Information acquired via protocol DNS in 1.8ms.
          
-- Data is authenticated: yes


          2) ping:



          $ ping -c1 google.com
          
PING google.com(localhost (::1)) 56 data bytes
          
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.613 ms
          

          
--- google.com ping statistics ---
          
1 packets transmitted, 1 received, 0% packet loss, time 0ms
          
rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms


          3) curl:



          $ curl http://google.com
          
curl: (7) Failed to connect to google.com port 80: Connection refused


          So the block seems to be working.




          I expected this would work, since this was brought up recently in an issue filed against systemd. Issue #9718 talked about adding millions of entries to /etc/hosts, which has one usecase and that's blacklisting domains, such as here.



          Please note that there are quite a few moving parts here, so it's important to consider those while troubleshooting this.



          My /etc/systemd/resolved.conf has no overridden configuration, all entries are commented out, network setup is using systemd-networkd with DHCP and no overrides either.



          Output of resolvectl status includes:



          Global
          
       LLMNR setting: yes
          
MulticastDNS setting: yes
          
  DNSOverTLS setting: no
          
      DNSSEC setting: allow-downgrade
          
    DNSSEC supported: no
          
Fallback DNS Servers: 8.8.8.8
          
                      8.8.4.4
          
                      2001:4860:4860::8888
          
                      2001:4860:4860::8844
          

          
Link 2 (ens33)
          
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
          
       LLMNR setting: yes
          
MulticastDNS setting: no
          
  DNSOverTLS setting: no
          
      DNSSEC setting: allow-downgrade
          
    DNSSEC supported: no


          Configuration of /etc/resolv.conf is using the stub resolver:



          $ ls -l /etc/resolv.conf
          
lrwxrwxrwx. 1 root root 39 Nov  7 22:08 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
          
$ grep '^[^#]' /etc/resolv.conf
          
nameserver 127.0.0.53


          And nsswitch.conf is configured to use nss-resolve(8) according to the recommendation from its man page:



          $ grep ^hosts: /etc/nsswitch.conf
          
hosts:      files resolve [!UNAVAIL=return] dns myhostname


          If you still can't make it work, you might want to check these settings in your system and confirm they are all configured correctly. Or, at least, post your current configuration here (together with Linux distro and systemd version) to help diagnose why it might not be working for you.






          share|improve this answer












          Adding an entry to /etc/hosts is supposed to work and in my tests it worked as expected. My tests are on Fedora Rawhide, with version systemd-239-9.git9f3aed1.fc30.x86_64, so that's a pretty recent snapshot of systemd, maybe older versions will not work the same as expected...




          Before adding the entry to /etc/hosts:



          1) resolvectl query:



          $ resolvectl query google.com
          
google.com: 172.217.6.78
          

          
-- Information acquired via protocol DNS in 1.4ms.
          
-- Data is authenticated: no


          2) ping:



          $ ping -c1 google.com
          
PING google.com (172.217.6.78) 56(84) bytes of data.
          
64 bytes from sfo07s17-in-f78.1e100.net (172.217.6.78): icmp_seq=1 ttl=54 time=12.4 ms
          

          
--- google.com ping statistics ---
          
1 packets transmitted, 1 received, 0% packet loss, time 0ms
          
rtt min/avg/max/mdev = 12.435/12.435/12.435/0.000 ms


          3) curl:



          $ curl http://google.com
          
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
          
<TITLE>301 Moved</TITLE></HEAD><BODY>
          
<H1>301 Moved</H1>
          
The document has moved
          
<A HREF="http://www.google.com/">here</A>.
          
</BODY></HTML>



          After adding the entry, in which case /etc/hosts looks like this:



          $ cat /etc/hosts
          
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
          
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
          

          
127.0.0.1 google.com
          
::1 google.com


          Tests showed the blocking is working:



          1) resolvectl query:



          $ resolvectl query google.com
          
google.com: 127.0.0.1
          
            ::1
          

          
-- Information acquired via protocol DNS in 1.8ms.
          
-- Data is authenticated: yes


          2) ping:



          $ ping -c1 google.com
          
PING google.com(localhost (::1)) 56 data bytes
          
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.613 ms
          

          
--- google.com ping statistics ---
          
1 packets transmitted, 1 received, 0% packet loss, time 0ms
          
rtt min/avg/max/mdev = 0.613/0.613/0.613/0.000 ms


          3) curl:



          $ curl http://google.com
          
curl: (7) Failed to connect to google.com port 80: Connection refused


          So the block seems to be working.




          I expected this would work, since this was brought up recently in an issue filed against systemd. Issue #9718 talked about adding millions of entries to /etc/hosts, which has one usecase and that's blacklisting domains, such as here.



          Please note that there are quite a few moving parts here, so it's important to consider those while troubleshooting this.



          My /etc/systemd/resolved.conf has no overridden configuration, all entries are commented out, network setup is using systemd-networkd with DHCP and no overrides either.



          Output of resolvectl status includes:



          Global
          
       LLMNR setting: yes
          
MulticastDNS setting: yes
          
  DNSOverTLS setting: no
          
      DNSSEC setting: allow-downgrade
          
    DNSSEC supported: no
          
Fallback DNS Servers: 8.8.8.8
          
                      8.8.4.4
          
                      2001:4860:4860::8888
          
                      2001:4860:4860::8844
          

          
Link 2 (ens33)
          
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
          
       LLMNR setting: yes
          
MulticastDNS setting: no
          
  DNSOverTLS setting: no
          
      DNSSEC setting: allow-downgrade
          
    DNSSEC supported: no


          Configuration of /etc/resolv.conf is using the stub resolver:



          $ ls -l /etc/resolv.conf
          
lrwxrwxrwx. 1 root root 39 Nov  7 22:08 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
          
$ grep '^[^#]' /etc/resolv.conf
          
nameserver 127.0.0.53


          And nsswitch.conf is configured to use nss-resolve(8) according to the recommendation from its man page:



          $ grep ^hosts: /etc/nsswitch.conf
          
hosts:      files resolve [!UNAVAIL=return] dns myhostname


          If you still can't make it work, you might want to check these settings in your system and confirm they are all configured correctly. Or, at least, post your current configuration here (together with Linux distro and systemd version) to help diagnose why it might not be working for you.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 14 at 10:19









          Filipe Brandenburger

          5,9041624




          5,9041624
























              up vote
              0
              down vote













              I guess for this purpose you could modify your /etc/nsswitch.conf. Param. host in this file shows you sources which systemd-resolved uses for getting host by name. So you could modify it like this: hosts: files [!NOTFOUND=return] dns.




              files - Local files, such as /etc/hosts and /etc/passwd



              dns - Internet Domain Name System




              In this case, systemd-resolved at first will be use /etc/hosts for getting host by name. Part !NOTFOUND=return means if name hasn't been found in /etc/hosts systemd-resolved will try to resolve it with dns.






              share|improve this answer

























                up vote
                0
                down vote













                I guess for this purpose you could modify your /etc/nsswitch.conf. Param. host in this file shows you sources which systemd-resolved uses for getting host by name. So you could modify it like this: hosts: files [!NOTFOUND=return] dns.




                files - Local files, such as /etc/hosts and /etc/passwd



                dns - Internet Domain Name System




                In this case, systemd-resolved at first will be use /etc/hosts for getting host by name. Part !NOTFOUND=return means if name hasn't been found in /etc/hosts systemd-resolved will try to resolve it with dns.






                share|improve this answer























                  up vote
                  0
                  down vote










                  up vote
                  0
                  down vote









                  I guess for this purpose you could modify your /etc/nsswitch.conf. Param. host in this file shows you sources which systemd-resolved uses for getting host by name. So you could modify it like this: hosts: files [!NOTFOUND=return] dns.




                  files - Local files, such as /etc/hosts and /etc/passwd



                  dns - Internet Domain Name System




                  In this case, systemd-resolved at first will be use /etc/hosts for getting host by name. Part !NOTFOUND=return means if name hasn't been found in /etc/hosts systemd-resolved will try to resolve it with dns.






                  share|improve this answer












                  I guess for this purpose you could modify your /etc/nsswitch.conf. Param. host in this file shows you sources which systemd-resolved uses for getting host by name. So you could modify it like this: hosts: files [!NOTFOUND=return] dns.




                  files - Local files, such as /etc/hosts and /etc/passwd



                  dns - Internet Domain Name System




                  In this case, systemd-resolved at first will be use /etc/hosts for getting host by name. Part !NOTFOUND=return means if name hasn't been found in /etc/hosts systemd-resolved will try to resolve it with dns.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 10 at 0:45









                  metallic

                  1263




                  1263






























                       

                      draft saved


                      draft discarded



















































                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f479600%2fsystemd-resolved-block-a-domain-name%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      Morgemoulin

                      Image
                      Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré...
                      Read more

                      Scott Moir

                      Image
                      Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S...
                      Read more

                      Souastre

                      Image
                      Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe...
                      Read more