diff --git a/man/resolvectl.xml b/man/resolvectl.xml
index 7f981ac327..69c3c0f7ea 100644
--- a/man/resolvectl.xml
+++ b/man/resolvectl.xml
@@ -257,6 +257,7 @@
+ Get/set per-interface DNS configuration. These commands may be used to configure various DNS
@@ -268,10 +269,10 @@
through external means. The command expects IPv4 or IPv6 address specifications of DNS
servers to use. The command expects valid DNS domains, possibly prefixed with
~, and configures a per-interface search or route-only domain. The ,
- and commands may be used to configure the per-interface LLMNR,
- MulticastDNS and DNSSEC settings. Finally, command may be used to configure additional
- per-interface DNSSEC NTA domains. For details about these settings, their possible values and their effect,
- see the corresponding options in
+ , and commands may be used to configure
+ the per-interface LLMNR, MulticastDNS, DNSSEC and PrivateDNS settings. Finally, command
+ may be used to configure additional per-interface DNSSEC NTA domains. For details about these settings, their
+ possible values and their effect, see the corresponding options in
systemd.network5.
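Review bot: the new list item is named "PrivateDNS" here, but the resolved.conf hunk in this same patch describes the setting purely as DNS-over-TLS behaviour ("attempted to send encrypted with DNS-over-TLS"); consider naming the option and command after the mechanism it actually controls (e.g. DNS-over-TLS) so that resolvectl, resolved.conf(5) and systemd.network(5) all use the same, unambiguous term, and so that a later, differently authenticated transport does not have to share the "private" name.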
@@ -282,8 +283,8 @@
Revert the per-interface DNS configuration. If the DNS configuration is reverted all
per-interface DNS setting are reset to their defaults, undoing all effects of ,
, , , ,
- . Note that when a network interface disappears all configuration is lost automatically,
- an explicit reverting is not necessary in that case.
+ , . Note that when a network interface disappears all
+ configuration is lost automatically, an explicit reverting is not necessary in that case.
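Review bot: the enumeration now ends with ", ." (line "+ , . Note that when a network interface disappears"), i.e. the final command is joined with a bare comma and no "and"; write the last item as "and <command>" so the sentence reads as a proper list. While this paragraph is being touched, the context line "all per-interface DNS setting are reset" should read "settings are reset".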
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index e87aa59bae..67cc409440 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -206,6 +206,38 @@
+
+ PrivateDNS=
+
+ Takes false or
+ opportunistic. When set to opportunistic
+ DNS request are attempted to send encrypted with DNS-over-TLS.
+ If the DNS server does not support TLS, DNS-over-TLS is disabled.
+ Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
+ attacks, where an attacker might be able to trigger a downgrade
+ to non-encrypted mode by synthesizing a response that suggests
+ DNS-over-TLS was not supported. If set to false, DNS lookups
+ are send over UDP.
+
+ Note that DNS-over-TLS requires additional data to be
+ send for setting up an encrypted connection, and thus results
+ in a small DNS look-up time penalty.
+
+ Note as the resolver is not capable of authenticating
+ the server, it is vulnerable for "man-in-the-middle" attacks.
+
+ In addition to this global PrivateDNS setting
+ systemd-networkd.service8
+ also maintains per-link PrivateDNS settings. For system DNS
+ servers (see above), only the global PrivateDNS setting is in
+ effect. For per-link DNS servers the per-link
+ setting is in effect, unless it is unset in which case the
+ global setting is used instead.
+
+ Defaults to off.
+
+
+
Cache=Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
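Review bot: "Defaults to off." contradicts the accepted values given two paragraphs earlier ("Takes false or opportunistic"); make it "Defaults to false." so the documented default is a value the option actually accepts. The security paragraphs should also be tightened: say plainly that opportunistic mode protects only against passive observation, since the resolver does not authenticate the server (so an active attacker can both read the traffic and force the fallback described in the "downgrade" note), and state what happens on fallback ("DNS-over-TLS is disabled" should say whether that is per query, per server, or permanently). Grammar in the changed lines: "DNS request are attempted to send encrypted" should be "DNS requests are sent encrypted where possible"; "DNS lookups are send over UDP" and "additional data to be send" should use "sent"; "vulnerable for" should be "vulnerable to".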
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index d7bcf5a067..b43874b59c 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -384,6 +384,21 @@
systemd-resolved.service8.
+
+ PrivateDNS=
+
+ Takes false or
+ opportunistic. When set to opportunistic, enables
+ DNS-over-TLS
+ support on the link. This option defines a
+ per-interface setting for
+ resolved.conf5's
+ global PrivateDNS= option. Defaults to
+ false. This setting is read by
+ systemd-resolved.service8.
+
+ DNSSEC=
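Review bot: "Defaults to false." is inconsistent with the resolved.conf hunk in this same patch, which says the per-link setting applies "unless it is unset in which case the global setting is used instead"; if the per-link default really is false, the global PrivateDNS= setting can never take effect for per-link DNS servers. Either document the default as unset (falling back to the global setting) or change the resolved.conf text to match. Also, "enables DNS-over-TLS support on the link" understates what "opportunistic" means; repeat or cross-reference the downgrade and no-server-authentication caveats from resolved.conf(5) so a reader configuring the link-level option knows the fallback to unencrypted DNS is silent.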