DNS Resolution for Wireguard with `systemd-resolved`

TL;DR

[Interface]
# ...
PostUp = resolvectl dns %i 10.34.3.1; resolvectl domain %i "~hello"
PreDown = resolvectl revert %i

Introduction

I’ve written previously about setting up a DNS server to go along with my Wireguard VPN. Now, accessing these services behind my VPN becomes convenient, and all it takes is one command for me to get up and running. However, this requires using a Linux distribution with systemd-resolved as the local DNS resolver.

`systemd-resolved`

systemd-resolved is a systemd service that provides DNS resolution to local applications. It is part of systemd and is installed by default. Most¹ current Linux distributions with systemd do not have it enabled by default. This is unfortunate because I think resolved is a great piece of software and handles a lot of the issues found in the Linux name resolution space. If you’re not already using it, I recommend it!

`wg-quick`

Wireguard uses a configuration file² to understand how to connect peers together. There is a separate tool by the same author called wg-quick that allows us to set up a Wireguard interface easier. This tool gives us the ability to execute bash scripts through its PreUp, PostUp, PreDown, and PostDown directives.

Putting it together

We can use systemd-resolved to dynamically change interface settings through the resolvectl command. When we bring the wg0 interface up through wq-quick, the PostUp directive is also run. Let’s go over it:

resolvectl dns %i 10.34.3.1
resolvectl domain %i "~hello"

Tell systemd-resolved to use the DNS address specified for the %i interface (as expanded by wg-quick to the name of the Wireguard configuration file)
Set the domain for this interface to your ~<custom_domain>. The ~ is a special operator that tells systemd-resolved to direct all queries ending in that domain to use that DNS server. In this way we establish split DNS.

Now, we can run this one command and everything should come up appropriately:

sudo wg-quick up wg0

Since we’re already using systemd, I prefer to put all of this in a service file and control it via systemd directly. And there you have it.

I say most, because Fedora 33 and up use it as default. ↩︎
man wg ↩︎