resolvectl Commands Reference

Modern Linux DNS resolver management with systemd-resolved

🔍 Basic DNS Lookups

Simple domain lookup

resolvectl query example.com

Performs DNS lookup showing A and AAAA records with resolver information.

Reverse DNS lookup

resolvectl query 8.8.8.8

Looks up hostname associated with an IP address using PTR records.

Legacy systemd-resolve syntax

systemd-resolve example.com

Older command, still works but deprecated. Use resolvectl instead.

📝 Querying Different Record Types

MX records (mail servers)

resolvectl query --type=MX example.com

TXT records

resolvectl query --type=TXT example.com

Query TXT records for SPF, DKIM, DMARC, and domain verification.

NS records (nameservers)

resolvectl query --type=NS example.com

SOA records (zone authority)

resolvectl query --type=SOA example.com

SRV records (service location)

resolvectl query --type=SRV _imaps._tcp.example.com

🔐 Certificate & TLS-Related Lookups

CAA records (Certificate Authority Authorization)

resolvectl query --type=CAA example.com

Shows which Certificate Authorities are authorized to issue certificates.

TLSA records (DANE)

resolvectl query --type=TLSA _443._tcp.example.com

DANE TLSA records bind TLS certificates to DNS names via DNSSEC.

ACME DNS-01 challenge verification

resolvectl query --type=TXT _acme-challenge.example.com

Verify DNS-01 challenge TXT record for Let's Encrypt certificate issuance.

MTA-STS and TLS-RPT records

resolvectl query --type=TXT _mta-sts.example.com
resolvectl query --type=TXT _smtp._tls.example.com

Check the MTA-STS TXT record (_mta-sts) and the SMTP TLS Reporting (TLS-RPT) TXT record (_smtp._tls) for email security.

🔒 DNSSEC Validation

Check DNSSEC validation status

resolvectl query example.com

Output includes DNSSEC validation status (authenticated/not authenticated).

Check global DNSSEC mode

resolvectl status | grep "DNSSEC"

Shows if DNSSEC validation is enabled globally (yes/no/allow-downgrade).

Enable DNSSEC for interface

resolvectl dnssec eth0 yes

Enable strict DNSSEC validation for specific network interface.

Disable DNSSEC for interface

resolvectl dnssec eth0 no

📊 Resolver Status and Configuration

View resolver status

resolvectl status

Shows DNS servers, search domains, DNSSEC status, and DNS-over-TLS configuration for all interfaces.

View interface-specific status

resolvectl status eth0

View resolver statistics

resolvectl statistics

Shows transaction counts, cache size and hit/miss counts, and DNSSEC verdict counts.

Reset statistics

resolvectl reset-statistics

đŸ—‘ī¸ Cache Management

Flush DNS cache

resolvectl flush-caches

Clears all cached DNS responses. Useful after DNS changes or troubleshooting.

Verify cache flush

resolvectl flush-caches
resolvectl statistics

Flush cache and check statistics to confirm cache is cleared.

🔐 DNS-over-TLS Configuration

Enable DNS-over-TLS for interface

resolvectl dnsovertls eth0 yes

Enforce DNS-over-TLS for all queries on this interface.

Opportunistic DNS-over-TLS

resolvectl dnsovertls eth0 opportunistic

Use DNS-over-TLS if available, fall back to plain DNS if not.

Disable DNS-over-TLS

resolvectl dnsovertls eth0 no

Check DNS-over-TLS status

resolvectl status eth0 | grep -i "DNSOverTLS"
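
Added example (not part of the original reference): a POSIX shell function that reads resolvectl status text and flags every scope whose DNS-over-TLS or DNSSEC mode is not a strict yes. It assumes the "Protocols:" line format printed by recent systemd releases; the names audit_resolved and sample_status and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Audit `resolvectl status` text for weak DNS-over-TLS / DNSSEC settings.
# Assumption: the "Protocols:" line format of recent systemd releases.

# Constructed sample output (not captured from a real host).
sample_status() {
cat <<'EOF'
Global
         Protocols: +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 1.1.1.1
       DNS Servers: 1.1.1.1

Link 3 (wlan0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.0.2.53
EOF
}

# audit_resolved: reads status text on stdin, prints "scope dot= dnssec= verdict".
audit_resolved() {
awk '
  /^Global/ { scope = "global"; next }
  /^Link [0-9]+ \(/ { scope = $3; gsub(/[()]/, "", scope); next }
  $1 == "Protocols:" {
    dot = "unknown"; sec = "unknown"
    for (i = 2; i <= NF; i++) {
      if ($i == "+DNSOverTLS") dot = "yes"
      else if ($i == "-DNSOverTLS") dot = "no"
      else if ($i ~ /^DNSOverTLS=/) dot = substr($i, 12)
      else if ($i ~ /^DNSSEC=/) { sec = substr($i, 8); sub(/\/.*/, "", sec) }
    }
    # Only strict modes resist downgrade: opportunistic DoT and
    # allow-downgrade DNSSEC both fall back silently.
    verdict = (dot == "yes" && sec == "yes") ? "OK" : "WEAK"
    print scope, "dot=" dot, "dnssec=" sec, verdict
  }'
}

sample_status | audit_resolved
```

On a live host, pipe the real output into the function: resolvectl status | audit_resolved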

🔧 Troubleshooting

Check systemd-resolved service status

systemctl status systemd-resolved

Verify the DNS resolution service is running properly.

Restart systemd-resolved

sudo systemctl restart systemd-resolved

Restart the resolver service after configuration changes.

Check resolv.conf symlink

ls -l /etc/resolv.conf

Should point to /run/systemd/resolve/stub-resolv.conf or /run/systemd/resolve/resolv.conf

View systemd-resolved logs

journalctl -u systemd-resolved -f

Follow resolver logs in real-time for debugging.

Monitor DNS queries

resolvectl monitor

Watch DNS queries and cache operations in real-time.

Test with a specific address family

# IPv4 only
resolvectl query -4 example.com

# IPv6 only
resolvectl query -6 example.com

â„šī¸ Important Notes

systemd-resolved Integration

resolvectl is the modern interface to systemd-resolved. It replaces the deprecated systemd-resolve command.

Configuration Files

System-wide configuration is in /etc/systemd/resolved.conf. Per-interface settings are managed via NetworkManager or systemd-networkd.

DNS Stub Listener

systemd-resolved provides a local DNS stub on 127.0.0.53:53. Applications should use this via /etc/resolv.conf symlink.

DNSSEC Support

DNSSEC validation is supported but may need explicit enablement. Check your distribution's defaults.

DNS-over-TLS

DNS-over-TLS provides encrypted DNS queries (RFC 7858). Requires upstream DNS server support (Cloudflare 1.1.1.1, Google 8.8.8.8, etc.).

Compatibility

resolvectl is available on systemd-based Linux distributions (Ubuntu 18.04+, Fedora, Arch, etc.). Not available on traditional SysV init systems.