Since Debian 13 "Trixie", resolv.conf is generated by systemd-resolved, the systemd resolver daemon.
To get an overview of the currently configured resolvers we run the resolvectl command:
root@machine:~# resolvectl
Global
         Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
       DNS Servers: 127.0.0.1 ::1

Link 2 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1 ::1
     Default Route: yes
The Global section holds the configuration that applies when no per-link configuration is provided.
The eth0 section holds the configuration used for that particular interface.
Now we configure our resolver for eth0:
# Fill with public resolvers (Tier 2 server) or 127.0.0.1 and ::1 if your machine is a resolver itself
resolvectl dns eth0 <OpenNIC Resolver IP address> [<OpenNIC Resolver IP address> ...]
resolvectl dnssec eth0 yes
resolvectl dnsovertls eth0 yes
resolvectl domain eth0 ""
For DNSSEC to work we have to give systemd-resolved a little help: the OpenNIC root zone is not signed with the IANA keys, so the resolver's built-in root trust anchor cannot validate it and we have to supply our own.
mkdir -p /etc/dnssec-trust-anchors.d/
Get the DS record for the DNSKEY of the "." root zone:
dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/dnssec-trust-anchors.d/opennic.positive
Note that this trusts whatever DNSKEY the queried server returned over plain DNS; compare the resulting DS record with the trust anchor OpenNIC publishes before relying on it.
Now restart the resolver:
systemctl restart systemd-resolved.service
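Before restarting, it is worth checking that the generated .positive file really contains a well-formed SHA-256 DS record for the root, and after restarting that a query comes back both authenticated and encrypted. The following POSIX shell functions are an added example, not part of the original page or of systemd; the DS record and transcript they run on are constructed placeholders, not OpenNIC's real key.

```shell
#!/bin/sh
# Added example: sanity-check a dnssec-dsfromkey trust anchor file and a
# resolvectl query transcript. Sample data below is constructed, not real.

# Return 0 if every record line in FILE is ". IN DS <keytag> <alg> 2 <64 hex chars>"
# (digest type 2 = SHA-256, which is what "dnssec-dsfromkey -2" emits).
check_trust_anchor() {
    file=$1
    found=0
    while IFS= read -r line; do
        # Skip blank lines and zone-file comments (dig prefixes its chatter with ';').
        case $line in ''|';'*) continue ;; esac
        set -f; set -- $line; set +f          # split fields without glob expansion
        [ "$1" = "." ] && [ "$2" = "IN" ] && [ "$3" = "DS" ] || return 1
        case $4 in *[!0-9]*|'') return 1 ;; esac   # key tag must be numeric
        case $5 in *[!0-9]*|'') return 1 ;; esac   # algorithm number must be numeric
        [ "$6" = "2" ] || return 1                  # digest type must be SHA-256
        digest=$7
        case $digest in *[!0-9A-Fa-f]*) return 1 ;; esac
        [ "${#digest}" -eq 64 ] || return 1         # SHA-256 digest is 64 hex chars
        found=$((found + 1))
    done < "$file"
    [ "$found" -ge 1 ]                              # an empty anchor file is a failure
}

# Return 0 if a `resolvectl query` transcript (passed as one string) reports both
# DNSSEC-authenticated data and a local or encrypted (DoT) transport.
query_is_authenticated_and_encrypted() {
    printf '%s\n' "$1" | grep -q 'Data is authenticated: yes' &&
    printf '%s\n' "$1" | grep -q 'acquired via local or encrypted transport: yes'
}

# Constructed sample anchor file (placeholder key tag and digest, not OpenNIC's).
SAMPLE_ANCHOR=${TMPDIR:-/tmp}/opennic.positive.example
cat > "$SAMPLE_ANCHOR" <<'EOF'
; constructed example, not a real OpenNIC trust anchor
. IN DS 12345 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF

# Constructed transcript shaped like the page's final resolvectl output.
SAMPLE_QUERY='cloudflare.com: 104.16.132.229 -- link: eth0
-- Information acquired via protocol DNS in 3.3ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network'

check_trust_anchor "$SAMPLE_ANCHOR" && echo "anchor file looks sane"
query_is_authenticated_and_encrypted "$SAMPLE_QUERY" && echo "query was validated and encrypted"
```

On a real system, run check_trust_anchor against /etc/dnssec-trust-anchors.d/opennic.positive and feed the second function the output of resolvectl query.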
After this, we can resolve a query with DNSSEC and DoT:
root@korridor:~# resolvectl query cloudflare.com
cloudflare.com: 104.16.132.229                 -- link: eth0
                104.16.133.229                 -- link: eth0
                2606:4700::6810:84e5           -- link: eth0
                2606:4700::6810:85e5           -- link: eth0

-- Information acquired via protocol DNS in 3.3ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network