Enable the systemd-resolved stub resolver and make it available on the
hassio host network interface (172.30.32.1). This allows using
systemd-resolved directly from all containers.
Note that this makes /etc/resolv.conf point to the stub resolver running
at 127.0.0.53 by default. This stub resolver isn't reachable from within
containers. However, Docker does recognize this situation [1] and falls back
to the alternate path at /run/systemd/resolve/resolv.conf, which is what
/etc/resolv.conf is today. So this should not affect the initial
/etc/resolv.conf in containers in practice.
This will however bind to port 53 and affect add-ons that potentially attempt
to use that port. Add-ons should not bind to 127.0.0.53 or the hassio
host network (172.30.32.1).
[1] https://github.com/moby/moby/blob/v28.0.4/libnetwork/internal/resolvconf/resolvconf_path.go#L51C32-L51C45
It seems that on certain setups the default DNS over TLS mode
"opportunistic" causes delays of ~10s when trying to resolve names. This
is probably caused by providers and/or firewall setups not properly rejecting
connections on port 853.
It seems that other distributions (such as Arch Linux) also still
disable DNS over TLS currently. Side step issues with DNS over TLS by
disabling it for now.
* Add resolved.conf to disable stub resolver and DNSSEC
There are Add-Ons which try to bind port 53 on all interfaces including
127.0.0.53. Disable the stub resolver to make them continue working. We
don't need the resolver currently anyway.
Also disable DNSSEC to make sure the boards can access an NTP time server
even when their time is incorrect (since DNSSEC validation may fail).
This is a known chicken-and-egg problem with systemd-resolved/systemd-timesyncd
and might be addressed in a future version, after which we can re-enable
DNSSEC:
https://github.com/systemd/systemd/issues/5873
* Make sure resolve gets added only once to nsswitch.conf
Only add resolve to nsswitch.conf if not already present.
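The resolved.conf settings these messages describe (stub listener on the hassio host network, stub listener disabled, DNSSEC and DNS over TLS off) and the "add resolve to nsswitch.conf only once" step, as an added shell example. This is not code from the HAOS repository: the functions and their names are illustrative, file paths are taken as parameters so they can be exercised against a scratch directory, and the `[!UNAVAIL=return]` action is the form documented in the nss-resolve(8) man page.

```sh
#!/bin/sh
# Added example, not code from the HAOS repository. It shows the
# resolved.conf drop-in contents described above and the idempotent
# nsswitch.conf edit. Paths are parameters; on a real host they would be
# /etc/systemd/resolved.conf (or a resolved.conf.d drop-in) and
# /etc/nsswitch.conf.
set -eu

# write_resolved_conf FILE KEY=VALUE...
# Writes a [Resolve] section with the given settings, e.g.
#   stub resolver also listening on the hassio host network:
#     write_resolved_conf F DNSStubListenerExtra=172.30.32.1 DNSSEC=no DNSOverTLS=no
#   stub resolver disabled (add-ons may then bind :53 on all interfaces):
#     write_resolved_conf F DNSStubListener=no DNSSEC=no DNSOverTLS=no
write_resolved_conf() {
    file=$1
    shift
    {
        echo '[Resolve]'
        for kv in "$@"; do
            echo "$kv"
        done
    } > "$file"
}

# resolved_setting FILE KEY -> value of KEY in FILE; the last assignment
# wins, which is how systemd treats repeated keys. Empty if unset.
resolved_setting() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# add_resolve_to_nsswitch FILE
# Inserts "resolve [!UNAVAIL=return]" before "dns" on the hosts: line,
# but only when the line does not already contain resolve, so running
# the build step twice cannot duplicate the entry.
add_resolve_to_nsswitch() {
    if grep -Eq '^hosts:.*[[:space:]]resolve([[:space:]]|$)' "$1"; then
        return 0
    fi
    sed -i -E 's/^(hosts:.*[[:space:]])dns([[:space:]]|$)/\1resolve [!UNAVAIL=return] dns\2/' "$1"
}

# nsswitch_resolve_count FILE -> number of "resolve" tokens on the hosts: line
nsswitch_resolve_count() {
    grep -E '^hosts:' "$1" | tr -s '[:space:]' '\n' | grep -c '^resolve$' || true
}
```

Running `add_resolve_to_nsswitch` twice on the same file leaves a single `resolve` entry, which is the property the last message asks for; `resolved_setting` is only a convenience for checking what a generated drop-in actually says.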