
I am working on a project that involves an IoT device (the now deprecated Intel Galileo). I am looking at hardening these devices and I noticed that the systemd-resolved service is listening on all interfaces (0.0.0.0).

root@hostname:~# netstat -altnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      240/systemd-resolve

After reading the freedesktop.org description of the service here, it states that,

systemd-resolved is a system service that provides network name resolution to local applications.

I ran a test where I ran ping to google.com while systemd-resolved was running. I then disabled the service and sent a ping to yahoo.com. There was no packet loss for either request.

My question(s) are as follows:

  1. What is this service doing?

  2. If it is providing name resolution to local applications, why does it listen on the 0.0.0.0 interface?

  3. Is this a security concern?

  4. What are the potential impacts of disabling this service?

Thanks in advance for any information / help. Apologies if I have not complied with question format, first time post. Please edit as required.

  • There is currently a security issue with systemd-resolver and so I would keep up to date with patches for this service and in the meantime disable it if possible. Best option would be to create a test rig and test that everything works as expected. Systemd-resolver is designed for systemd inter-process communication but many of the legacy applications haven't been written for systemd and so won't reference systemd-resolver. – Raman Sailopal Jul 03 '17 at 20:55
  • Thanks for the reply @Raman. We are in the process of testing disabling. I was aware of an exploit issued on Ubuntu wrt systemd-resolved. Thanks again – jeeves Jul 06 '17 at 10:35

1 Answer


systemd-resolved is needed by systemd. Unless you're installing an alternative DNS resolver, you should keep it.

It's important to note that it is actually listening for UDP packets on 127.0.0.53:53 to do DNS resolution for you:

# netstat -npa | grep systemd-resolve
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      205/systemd-resolve
tcp6       0      0 :::5355                 :::*                    LISTEN      205/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           205/systemd-resolve
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           205/systemd-resolve
udp6       0      0 :::5355                 :::*                                205/systemd-resolve

The port 5355 sockets are to implement Link-Local Multicast Name Resolution (LLMNR) which is a feature only useful in LANs.

To disable it, edit /etc/systemd/resolved.conf and change the line

#LLMNR=yes

to

LLMNR=no

and then restart the service with service systemd-resolved restart and check again:

# netstat -npa | grep systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           404/systemd-resolve
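As an added example (not part of the answer above or of systemd itself), the following POSIX shell script turns the answer's manual procedure into a repeatable check: it parses netstat output to flag systemd-resolve sockets bound to a wildcard address on the LLMNR port 5355, verifies whether a resolved.conf copy already has an active LLMNR=no line, and rewrites the file to set it. The netstat lines are a constructed sample modelled on the answer's output, and the config path is passed in as a parameter so the script can be tried on a copy before touching /etc/systemd/resolved.conf.

```shell
#!/bin/sh
# Added example, not from the original post: audit systemd-resolved listeners
# for LLMNR exposure and harden a resolved.conf file so that LLMNR is off.

# Constructed sample of `netstat -npa` output (modelled on the answer above).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      205/systemd-resolve
tcp6       0      0 :::5355                 :::*                    LISTEN      205/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           205/systemd-resolve
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           205/systemd-resolve
udp6       0      0 :::5355                 :::*                                205/systemd-resolve'

# Print "proto local-address" for every systemd-resolve socket bound to a
# wildcard address (0.0.0.0 or ::) on the LLMNR port 5355. Reads netstat
# output on stdin; the loopback stub on 127.0.0.53:53 is deliberately ignored.
exposed_llmnr_sockets() {
    awk '$NF ~ /systemd-resolve/ && ($4 == "0.0.0.0:5355" || $4 == ":::5355") { print $1, $4 }'
}

# Count the exposed LLMNR sockets in the netstat text given as $1.
count_exposed() {
    printf '%s\n' "$1" | exposed_llmnr_sockets | wc -l | tr -d ' '
}

# Return 0 if the config file $1 has an active (uncommented) LLMNR=no line.
llmnr_disabled() {
    grep -Eq '^[[:space:]]*LLMNR[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Set LLMNR=no in config file $1: replace a commented-out or active LLMNR line
# if one exists (as in the answer's "#LLMNR=yes" -> "LLMNR=no"), otherwise
# append one. Writes a temp copy first so a failed sed leaves the file intact.
set_llmnr_no() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*LLMNR[[:space:]]*=' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*LLMNR[[:space:]]*=.*/LLMNR=no/' "$cfg" > "$cfg.tmp"
    else
        { cat "$cfg"; printf 'LLMNR=no\n'; } > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Stand-alone demo: audit the constructed sample, then harden a throwaway
# copy of a resolved.conf. On a real host you would pipe `netstat -npa` into
# exposed_llmnr_sockets and pass /etc/systemd/resolved.conf to set_llmnr_no,
# then restart systemd-resolved as the answer describes.
echo "Exposed LLMNR sockets in sample: $(count_exposed "$SAMPLE_NETSTAT")"
demo_cfg=$(mktemp)
printf '[Resolve]\n#DNS=\n#LLMNR=yes\n' > "$demo_cfg"
set_llmnr_no "$demo_cfg"
if llmnr_disabled "$demo_cfg"; then echo "LLMNR disabled in $demo_cfg"; fi
rm -f "$demo_cfg"
```

The awk filter keys on the local-address column and the process name rather than on port 5355 alone, so the loopback DNS stub on 127.0.0.53:53 (which the answer says must stay) is never reported, and only the wildcard-bound LLMNR sockets show up as findings.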