How to Permanently Configure Custom DNS (1.1.1.1/8.8.8.8) on Debian 12 with systemd-resolved



Debian 12 introduced significant changes to DNS management by making systemd-resolved the default resolver. This replaces the traditional /etc/resolv.conf editing approach used in previous versions. The warning message you see indicates that manual edits will be overwritten by systemd.

To configure Cloudflare's 1.1.1.1 or Google's 8.8.8.8 as your DNS resolver, use these steps:

# First check current DNS status
resolvectl status

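# Set DNS servers on the eth0 link (runtime only; replace eth0 and the addresses with your own)
sudo resolvectl dns eth0 1.1.1.1 1.0.0.1

# With IPv6 (optional): each call replaces the link's server list, so pass all addresses together
sudo resolvectl dns eth0 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001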

To persist these changes across reboots, modify the NetworkManager configuration:

# Edit NetworkManager config
sudo nano /etc/NetworkManager/conf.d/dns.conf

# Add these lines:
[main]
dns=systemd-resolved

Then create a systemd-resolved config file:

sudo nano /etc/systemd/resolved.conf

# Add/modify these lines:
[Resolve]
DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8 8.8.4.4
Domains=~.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
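
The DNSSEC=allow-downgrade and DNSOverTLS=opportunistic values above both permit a silent fallback to unvalidated, plaintext DNS. The following added example (not part of the original page; the function names and both sample files are constructed for illustration) audits a resolved.conf-style file for those two settings and compares the configuration above with a strict variant:

```shell
# Added example, not from the original page. Function names are hypothetical.
# resolve_key FILE KEY: print the last value assigned to KEY under [Resolve]
resolve_key() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[Resolve\]/); next }
        insec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                   # last assignment wins
        }
        END { print val }
    ' "$1"
}

# audit_resolved FILE: print one line per finding, return 1 if any were found
audit_resolved() {
    rc=0
    dot=$(resolve_key "$1" DNSOverTLS)
    sec=$(resolve_key "$1" DNSSEC)
    case "$dot" in
        yes|true|1|on) ;;
        opportunistic) echo "DNSOverTLS=opportunistic: plaintext fallback, server not authenticated"; rc=1 ;;
        *)  echo "DNSOverTLS=${dot:-<unset>}: TLS to the upstream is not enforced"; rc=1 ;;
    esac
    case "$sec" in
        yes|true|1|on) ;;
        allow-downgrade) echo "DNSSEC=allow-downgrade: validation is dropped if the server appears not to support it"; rc=1 ;;
        *)  echo "DNSSEC=${sec:-<unset>}: validation is not enforced"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the [Resolve] settings from the steps above
page_conf() {
    printf '%s\n' '[Resolve]' 'DNS=1.1.1.1 1.0.0.1' 'FallbackDNS=8.8.8.8 8.8.4.4' \
        'Domains=~.' 'DNSSEC=allow-downgrade' 'DNSOverTLS=opportunistic'
}

# Constructed sample: strict variant; the name after # is used to validate the certificate
strict_conf() {
    printf '%s\n' '[Resolve]' 'DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com' \
        'DNSSEC=yes' 'DNSOverTLS=yes'
}

tmp=$(mktemp)
page_conf > "$tmp";   audit_resolved "$tmp" || echo "page configuration: findings listed above"
strict_conf > "$tmp"; audit_resolved "$tmp" && echo "strict configuration: no findings"
rm -f "$tmp"
```

To audit a real host, call audit_resolved /etc/systemd/resolved.conf; drop-in files under /etc/systemd/resolved.conf.d/ are not merged by this example.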

If you prefer the old method (not recommended), you can disable systemd-resolved:

sudo systemctl disable --now systemd-resolved
sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf

# Add your DNS servers
nameserver 1.1.1.1
nameserver 8.8.8.8

# Make the file immutable
sudo chattr +i /etc/resolv.conf

After making changes, verify with these commands:

# Check active DNS servers
resolvectl status

# Test DNS resolution
dig example.com
nslookup example.com

# Check DNS traffic (plaintext DNS uses port 53, DNS-over-TLS uses port 853)
sudo tcpdump -i eth0 -n 'port 53 or port 853'

If you encounter problems:

  • Restart services: sudo systemctl restart systemd-resolved NetworkManager
  • Check logs: journalctl -u systemd-resolved
  • Clear cache: sudo resolvectl flush-caches

Debian 12 marks a significant transition from traditional /etc/resolv.conf management to systemd-resolved as the default DNS resolver. The warning message you encountered isn't just a suggestion - it reflects fundamental architectural changes.

Previously, you could directly modify /etc/resolv.conf because:

1. The file was static
2. NetworkManager/resolvconf wrote directly to it
3. Services read it directly

Now, systemd-resolved acts as a DNS stub resolver that:

- Manages multiple DNS sources
- Provides DNSSEC validation
- Caches DNS queries
- Handles per-interface DNS configurations

Here are three proper ways to configure DNS in Debian 12:

Method 1: Using resolvectl (Recommended)

For Cloudflare's 1.1.1.1:

sudo resolvectl dns eth0 1.1.1.1 1.0.0.1
sudo resolvectl domain eth0 ~.
sudo resolvectl default-route eth0 true

Method 2: NetworkManager Configuration

Edit /etc/NetworkManager/conf.d/dns.conf:

[main]
dns=default
systemd-resolved=false

Then create /etc/resolv.conf manually:

nameserver 1.1.1.1
nameserver 1.0.0.1
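# trust-ad makes glibc pass the resolver's AD (DNSSEC-validated) bit to applications; it is not verified locally
options edns0 trust-ad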

Method 3: Systemd-Resolved Global Configuration

Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=1.1.1.1 1.0.0.1
Domains=~.
DNSOverTLS=opportunistic
Cache=yes

Then restart the service:

sudo systemctl restart systemd-resolved

Check your current configuration:

resolvectl status
dig example.com +short
systemd-resolve --status

If you encounter issues, check the journal:

journalctl -u systemd-resolved -f

If you must use traditional /etc/resolv.conf, disable systemd-resolved:

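sudo systemctl disable --now systemd-resolved
# Files under /run/systemd/resolve are no longer maintained once the service is off, so use a regular file instead of a symlink
sudo rm -f /etc/resolv.conf
sudo touch /etc/resolv.conf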

Then edit the file normally. However, this isn't recommended as you'll lose DNSSEC and other modern features.