feat(resolved): disable LLMNR resolution by default #1267

Merged: RoyalOughtness merged 1 commit into secureblue:live from alexvojproc:live, Aug 18, 2025
@alexvojproc
Collaborator

Link-local multicast name resolution (LLMNR) is a deprecated mDNS-like Microsoft protocol used in Windows that is being phased out. systemd-resolved resolves LLMNR names by default, but the service allows spoofed responses and is trivial to poison.

There's an upstream PR to disable it by default that hasn't seen much action, so it might make sense to do it here. It probably isn't worth a ujust toggle given how rarely it's used.

Old behaviour:

```
$ resolvectl status
[...] Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
```

New behaviour:

```
$ resolvectl status
[...] Link 2 (enp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
```

@RoyalOughtness RoyalOughtness merged commit 1a639dd into secureblue:live Aug 18, 2025
10 checks passed
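
An added example, not part of the pull request or the project's code: a shell check that reads `resolvectl status` output and lists every scope where LLMNR is still enabled, so the new default can be verified on a host. The function name and the sample text are constructed here, modelled on the output quoted in the description; the `Global` section in the sample is an assumption.

```shell
#!/bin/sh
# Added example: audit `resolvectl status` output for scopes with LLMNR enabled.

# Reads `resolvectl status` text on stdin and prints "<scope>: <token>" for
# each scope ("Global" or an interface name) whose Protocols line has LLMNR on.
# Hypothetical helper name; not part of systemd or secureblue.
llmnr_enabled_scopes() {
    awk '
        /^Global/ { scope = "Global" }
        # A "Link N (ifname)" header starts a new per-interface section.
        match($0, /Link [0-9]+ \([^)]+\)/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^Link [0-9]+ \(/, "", s)
            sub(/\)$/, "", s)
            scope = s
        }
        /Protocols:/ {
            for (i = 1; i <= NF; i++) {
                # "-LLMNR" is off; "+LLMNR" or "LLMNR=<mode>" is on.
                if ($i == "+LLMNR" || ($i ~ /^LLMNR=/ && $i != "LLMNR=no"))
                    print scope ": " $i
            }
        }
    '
}

# Constructed sample: old behaviour (LLMNR=resolve on every scope).
SAMPLE_OLD='Global
         Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported'

# Constructed sample: new behaviour (LLMNR disabled).
SAMPLE_NEW='Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Link 2 (enp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported'

echo "old:"; printf '%s\n' "$SAMPLE_OLD" | llmnr_enabled_scopes
echo "new:"; printf '%s\n' "$SAMPLE_NEW" | llmnr_enabled_scopes
# On a live host: resolvectl status | llmnr_enabled_scopes
```

Empty output means no scope resolves LLMNR names; any printed line names a scope that still does.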