DNS Configuration

By default, DNS resolution on Container Linux is handled through /etc/resolv.conf, which is a symlink to /run/systemd/resolve/resolv.conf. This file is managed by systemd-resolved. Normally, systemd-resolved gets DNS IP addresses from systemd-networkd, either via DHCP or static configuration. DNS IP addresses can also be set via systemd-resolved's resolved.conf. See Network configuration with networkd for more information on systemd-networkd.

Using a local DNS cache

systemd-resolved includes a caching DNS resolver. To use it for DNS resolution and caching, you must enable it via nsswitch.conf by adding resolve to the hosts section.

Here is an example Container Linux Config snippet to do that:

This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

    - path: /etc/nsswitch.conf
      filesystem: root
      mode: 0644
        inline: |
          # /etc/nsswitch.conf:

          passwd:      files usrfiles
          shadow:      files usrfiles
          group:       files usrfiles

          hosts:       files usrfiles resolve dns
          networks:    files usrfiles dns

          services:    files usrfiles
          protocols:   files usrfiles
          rpc:         files usrfiles

          ethers:      files
          netmasks:    files
          netgroup:    files
          bootparams:  files
          automount:   files
          aliases:     files
This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
  "ignition": {
    "version": "2.0.0",
    "config": {}
  "storage": {
    "files": [
        "filesystem": "root",
        "path": "/etc/nsswitch.conf",
        "contents": {
          "source": "data:,%23%20%2Fetc%2Fnsswitch.conf%3A%0A%0Apasswd%3A%20%20%20%20%20%20files%20usrfiles%0Ashadow%3A%20%20%20%20%20%20files%20usrfiles%0Agroup%3A%20%20%20%20%20%20%20files%20usrfiles%0A%0Ahosts%3A%20%20%20%20%20%20%20files%20usrfiles%20resolve%20dns%0Anetworks%3A%20%20%20%20files%20usrfiles%20dns%0A%0Aservices%3A%20%20%20%20files%20usrfiles%0Aprotocols%3A%20%20%20files%20usrfiles%0Arpc%3A%20%20%20%20%20%20%20%20%20files%20usrfiles%0A%0Aethers%3A%20%20%20%20%20%20files%0Anetmasks%3A%20%20%20%20files%0Anetgroup%3A%20%20%20%20files%0Abootparams%3A%20%20files%0Aautomount%3A%20%20%20files%0Aaliases%3A%20%20%20%20%20files",
          "verification": {}
        "mode": 420,
        "user": {},
        "group": {}
  "systemd": {},
  "networkd": {},
  "passwd": {}

Only nss-aware applications can take advantage of the systemd-resolved cache. Notably, this means that statically linked Go programs and programs running within Docker/rkt will use /etc/resolv.conf only, and will not use the systemd-resolve cache.