I think the answer might be "carefully".
systemd has borged local name resolution. On recent (≥16.10) versions of Ubuntu, you will have a caching resolver listening on 127.0.0.53. And you will not have DNSSEC by default.
The configuration can be found in /etc/systemd/resolved.conf. Defaults are compiled in, and are for Google name servers. Specific resolvers can be configured, but I have not rigorously tested to see what happens if/when resolvers are statically configured and resolver info arrives via DHCP(v4/v6) as well as IPv6 RA.
gapinski@ubuntu-1704-server:~$ cat /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#DNSSEC=no
#Cache=yes
#DNSStubListener=udp
gapinski@ubuntu-1704-server:~$
The command systemd-resolve --status can be used to find out what the system has decided to use.
systemd-resolved is supposed to use whatever it sees from DHCP(v4|v6) (or IPv6 RA, or static network configuration), but YMMV. There can be different DNS information on different interfaces, and I have no idea what gets used in such situations.
The man page has some information, but one might consider it and its relatives demotivational.
I created two VMs to check both Ubuntu 17.04 Server and Desktop. I got slightly different results. The Server instance did not have IPv6 enabled, and systemd-resolved wasn't listening on IPv6 on the Desktop instance. I also see completely different (and puzzling) results (namely, the Google DNS servers in use) on other systems in mixed IPv4/IPv6 DHCPv4/DHCPv6/SLAAC networks. Even more puzzlement was gained when I installed BIND (collided with systemd-resolved interface use, and the default /etc/default/bind9 has RESOLVCONF=no, which causes bind9-resolvconf.service (yet another systemd-related "service") to not change /etc/resolv.conf). I suspect manual editing of /etc/resolv.conf is best avoided.
gapinski@ubuntu-1704-server:~$ systemd-resolve --status
Global
DNS Servers: 192.168.137.2
DNS Domain: localdomain
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (ens33)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
gapinski@ubuntu-1704-server:~$
gapinski@ubuntu-1704-desktop:~$ systemd-resolve --status
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (ens33)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.137.2
DNS Domain: localdomain
gapinski@ubuntu-1704-desktop:~$
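To compare outputs like the two above without reading them line by line, here is an added example (not part of the original post) that parses `systemd-resolve --status` text and reports which section supplies the resolvers and where DNSSEC is off or LLMNR is on. It assumes the field names shown on this page; the function names `parse_status` and `summarize` are made up for the example.

```python
import re

# Sample input shortened from the two outputs on this page (NTA lists trimmed;
# indentation is already lost there, so the parser does not rely on it).
SERVER = """Global
DNS Servers: 192.168.137.2
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
Link 2 (ens33)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
DNSSEC setting: no
"""
DESKTOP = """Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
Link 2 (ens33)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
DNSSEC setting: no
DNS Servers: 192.168.137.2
"""

SECTION = re.compile(r"^(Global|Link \d+ \(.+\))$")
# "Key: value" needs whitespace after the colon, so bare IPv6 addresses never match.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(\S.*)$")

def parse_status(text):
    """Return {section: {key: [values]}}; a bare line continues the previous key."""
    sections, cur, key = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if SECTION.match(line):
            cur, key = sections.setdefault(line, {}), None
        elif cur is not None and (m := FIELD.match(line)):
            key = m.group(1)
            cur.setdefault(key, []).append(m.group(2))
        elif cur is not None and key:
            cur[key].append(line)
    return sections

def summarize(text):
    """Report where resolvers are defined and where DNSSEC is off / LLMNR is on."""
    s = parse_status(text)
    return {
        "resolvers": {n: f["DNS Servers"] for n, f in s.items() if "DNS Servers" in f},
        "dnssec_off": [n for n, f in s.items() if f.get("DNSSEC setting") == ["no"]],
        "llmnr_on": [n for n, f in s.items() if f.get("LLMNR setting") == ["yes"]],
    }
```

Calling `summarize(SERVER)` and `summarize(DESKTOP)` shows the same resolver attached to the Global section on the server and to Link 2 (ens33) on the desktop, with DNSSEC off and LLMNR on for the link in both cases.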