Did you know you can use resolvectl (part of systemd-resolved) to make DNS queries? This is no hate on dig, since it offers many more features than resolvectl, but sometimes it can be handy to have an alternative.

Basics

Running resolvectl without arguments (or its equivalent, resolvectl status) prints the global and per-interface settings of systemd-resolved, mostly protocols and DNS servers.

berkas1@desktop:~  $ resolvectl 
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 8.8.8.8
       DNS Servers: 8.8.8.8

Link 2 (enp5s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (enp0s25)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
       DNS Servers: 8.8.8.8 1.1.1.1

You can also show the status of a single interface by specifying its name: resolvectl status enp0s25.

resolvectl statistics can be useful when debugging DNS problems. It shows whether DNSSEC is supported, the number of transactions and cache statistics: current cache size, hits and misses.

berkas1@desktop:~  $ resolvectl statistics 
DNSSEC supported by current servers: no

Transactions                
Current Transactions: 0
  Total Transactions: 980120
                            
Cache                       
  Current Cache Size: 172
          Cache Hits: 207393
        Cache Misses: 309010
                            
DNSSEC Verdicts             
              Secure: 0
            Insecure: 0
               Bogus: 0
       Indeterminate: 0

Note: you can reset the statistics with the command

resolvectl reset-statistics

Monitoring of DNS queries will become available in systemd version 252 via resolvectl monitor, which will probably support JSON output.

DNS Querying

The subcommand for DNS resolving is query. Running the simple command resolvectl query example.com resolves the A and AAAA records and prints them together with the network interface through which the resolver talked to the DNS server, the query processing time, whether the data is authenticated or encrypted, and the source of the data. Beware of the source: it can be cache or network. The network interface is shown even when the local cache was used:

berkas1@desktop:~  $ resolvectl query example.com
example.com: 2606:2800:220:1:248:1893:25c8:1946 -- link: enp0s25
             93.184.216.34                     -- link: enp0s25

-- Information acquired via protocol DNS in 2.1ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: cache

To bypass the cache you have to disable it using the --cache=no parameter (or, equivalently, --cache no):

berkas1@desktop:~  $ resolvectl query --cache no example.com
example.com: 93.184.216.34                     -- link: enp0s25
             2606:2800:220:1:248:1893:25c8:1946 -- link: enp0s25

-- Information acquired via protocol DNS in 17.2ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

You can also disable the legend (the commentary lines) using the --legend=no parameter. Multiple domains can be queried with a single command by simply listing all of them:

berkas1@desktop:~  $ resolvectl query --cache no --legend no example.com devopsadvocate.com
example.com: 93.184.216.34                     -- link: enp0s25
             2606:2800:220:1:248:1893:25c8:1946 -- link: enp0s25
devopsadvocate.com: 2a06:98c1:3120::9          -- link: enp0s25
                    2a06:98c1:3121::9          -- link: enp0s25
                    188.114.97.9               -- link: enp0s25
                    188.114.96.9               -- link: enp0s25

To specify the type of DNS record, use the --type parameter, e.g. --type a. It accepts only one type per command (as of systemd 249). You can still query multiple hostnames at the same time:

berkas1@desktop:~  $ resolvectl query --cache no  --legend no --type mx gmail.com example.com
gmail.com IN MX 40 alt4.gmail-smtp-in.l.google.com          -- link: enp0s25
gmail.com IN MX 5 gmail-smtp-in.l.google.com                -- link: enp0s25
gmail.com IN MX 20 alt2.gmail-smtp-in.l.google.com          -- link: enp0s25
gmail.com IN MX 30 alt3.gmail-smtp-in.l.google.com          -- link: enp0s25
gmail.com IN MX 10 alt1.gmail-smtp-in.l.google.com          -- link: enp0s25
example.com IN MX 0                                         -- link: enp0s25

To get a PTR record, just query the IP address directly:

berkas1@desktop:~  $ resolvectl query 8.8.8.8
8.8.8.8: dns.google                            -- link: enp0s25
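The query output above is meant for humans. As an added example (not from the original post), the following POSIX shell functions parse that output into tab-separated rows, report whether an answer came from the cache, and compare a cached answer with a fresh --cache no lookup; the function names and the embedded sample output are constructed here, the sample following the format shown in the post.

```shell
# Added example (not from the post): turn "resolvectl query" output into tab-separated
# "name<TAB>value<TAB>link" rows. Handles the address form (indented continuation lines
# omit the name) and the typed form ("gmail.com IN MX 10 host -- link: enp0s25").
parse_resolvectl_query() {
    awk '
        /^-- / || NF == 0 { next }            # skip legend and blank lines
        {
            line = $0
            if (line ~ /^[ \t]/) {                # continuation line: reuse last name
                sub(/^[ \t]+/, "", line); line = last_name ": " line
            }
            n = split(line, parts, / +-- link: */)
            link = (n > 1) ? parts[2] : "-"
            rec = parts[1]; sub(/[ \t]+$/, "", rec)
            name = rec; val = rec
            if (rec ~ /^[^ ]+: /) {               # "name: value" (A, AAAA, PTR answers)
                sub(/: .*/, "", name); sub(/^[^ ]+: /, "", val)
            } else {                              # "name IN TYPE rdata" (--type answers)
                sub(/ .*/, "", name); sub(/^[^ ]+ /, "", val)
            }
            last_name = name
            printf "%s\t%s\t%s\n", name, val, link
        }'
}

# Print the "Data from:" source (cache or network) when the legend is present.
resolvectl_data_source() {
    awk -F': ' '/^-- Data from: / { print $2 }'
}

# Compare the cached answer for a name with a fresh one (--cache no). Returns 0 when the
# address sets agree, 1 when they differ, 2 when resolvectl is not installed.
cache_matches_network() {
    command -v resolvectl >/dev/null 2>&1 || return 2
    cached=$(resolvectl query --legend no "$1" | parse_resolvectl_query | cut -f2 | sort)
    fresh=$(resolvectl query --legend no --cache no "$1" | parse_resolvectl_query | cut -f2 | sort)
    [ "$cached" = "$fresh" ]
}

# Constructed sample output in the format the post shows, so the parser runs offline.
SAMPLE_ADDR='example.com: 93.184.216.34                     -- link: enp0s25
             2606:2800:220:1:248:1893:25c8:1946 -- link: enp0s25

-- Information acquired via protocol DNS in 2.1ms.
-- Data from: cache'
SAMPLE_MX='gmail.com IN MX 10 alt1.gmail-smtp-in.l.google.com          -- link: enp0s25
example.com IN MX 0                                         -- link: enp0s25'

printf '%s\n' "$SAMPLE_ADDR" "$SAMPLE_MX" | parse_resolvectl_query
printf 'source: %s\n' "$(printf '%s\n' "$SAMPLE_ADDR" | resolvectl_data_source)"
```

For names served round-robin, cache_matches_network can legitimately report a difference, so treat a mismatch as a prompt to look closer rather than as proof of a stale cache.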

As always, you can check the functionality available in resolvectl on your system in the manpages:

man resolvectl