-rw-r--r-- | man/resolved.conf.xml | 58 | ||||
-rw-r--r-- | src/resolve/resolved-conf.c | 20 |
2 files changed, 46 insertions, 32 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 09a192c933..3aa9c3acb1 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -72,40 +72,40 @@ <varlistentry> <term><varname>DNS=</varname></term> - <listitem><para>A space-separated list of IPv4 and IPv6 - addresses to be used as system DNS servers. DNS requests are - sent to one of the listed DNS servers in parallel to any - per-interface DNS servers acquired from - <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. - For compatibility reasons, if this setting is not specified, - the DNS servers listed in - <filename>/etc/resolv.conf</filename> are used instead, if - that file exists and any servers are configured in it. This - setting defaults to the empty list.</para></listitem> + <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers. DNS requests + are sent to one of the listed DNS servers in parallel to suitable per-link DNS servers acquired from + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> or + set at runtime by external applications. For compatibility reasons, if this setting is not specified, the DNS + servers listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any servers + are configured in it. This setting defaults to the empty list.</para></listitem> </varlistentry> <varlistentry> <term><varname>FallbackDNS=</varname></term> - <listitem><para>A space-separated list of IPv4 and IPv6 - addresses to be used as the fallback DNS servers. Any - per-interface DNS servers obtained from + <listitem><para>A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any + per-link DNS servers obtained from <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> - take precedence over this setting, as do any servers set via - <varname>DNS=</varname> above or - <filename>/etc/resolv.conf</filename>. 
This setting is hence - only used if no other DNS server information is known. If this - option is not given, a compiled-in list of DNS servers is used - instead.</para></listitem> + take precedence over this setting, as do any servers set via <varname>DNS=</varname> above or + <filename>/etc/resolv.conf</filename>. This setting is hence only used if no other DNS server information is + known. If this option is not given, a compiled-in list of DNS servers is used instead.</para></listitem> </varlistentry> <varlistentry> <term><varname>Domains=</varname></term> - <listitem><para>A space-separated list of search domains. For - compatibility reasons, if this setting is not specified, the - search domains listed in <filename>/etc/resolv.conf</filename> - are used instead, if that file exists and any domains are - configured in it. This setting defaults to the empty - list.</para></listitem> + <listitem><para>A space-separated list of domains. These domains are used as search suffixes when resolving + single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified + domain names (FQDNs). Search domains are strictly processed in the order they are specified, until the name + with the suffix appended is found. For compatibility reasons, if this setting is not specified, the search + domains listed in <filename>/etc/resolv.conf</filename> are used instead, if that file exists and any domains + are configured in it. This setting defaults to the empty list.</para> + + <para>Specified domain names may optionally be prefixed with <literal>~</literal>. In this case they do not + define a search path, but preferably direct DNS queries for the indicated domains to the DNS servers configured + with the system <varname>DNS=</varname> setting (see above), in case additional, suitable per-link DNS servers + are known. If no per-link DNS servers are known using the <literal>~</literal> syntax has no effect. 
Use the + construct <literal>~.</literal> (which is composed of <literal>~</literal> to indicate a routing domain and + <literal>.</literal> to indicate the DNS root domain that is the implied suffix of all DNS domains) to use the + system DNS server defined with <varname>DNS=</varname> preferably for all domains.</para></listitem> </varlistentry> <varlistentry> @@ -119,8 +119,8 @@ <literal>resolve</literal>, only resolution support is enabled, but responding is disabled. Note that <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> - also maintains per-interface LLMNR settings. LLMNR will be - enabled on an interface only if the per-interface and the + also maintains per-link LLMNR settings. LLMNR will be + enabled on a link only if the per-link and the global setting is on.</para></listitem> </varlistentry> @@ -181,9 +181,9 @@ <para>In addition to this global DNSSEC setting <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> - also maintains per-interface DNSSEC settings. For system DNS + also maintains per-link DNSSEC settings. For system DNS servers (see above), only the global DNSSEC setting is in - effect. For per-interface DNS servers the per-interface + effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.</para> diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index 88df7534c4..6d8c35164e 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c 
@@ -80,20 +80,34 @@ int manager_parse_dns_server_string_and_warn(Manager *m, DnsServerType type, con
 int manager_add_search_domain_by_string(Manager *m, const char *domain) {
 DnsSearchDomain *d;
+ bool route_only;
 int r;
 assert(m);
 assert(domain);
+ route_only = *domain == '~';
+ if (route_only)
+ domain++;
+
+ if (dns_name_is_root(domain) || streq(domain, "*")) {
+ route_only = true;
+ domain = ".";
+ }
+
 r = dns_search_domain_find(m->search_domains, domain, &d);
 if (r < 0)
 return r;
- if (r > 0) {
+ if (r > 0)
 dns_search_domain_move_back_and_unmark(d);
- return 0;
+ else {
+ r = dns_search_domain_new(m, &d, DNS_SEARCH_DOMAIN_SYSTEM, NULL, domain);
+ if (r < 0)
+ return r;
 }
- return dns_search_domain_new(m, NULL, DNS_SEARCH_DOMAIN_SYSTEM, NULL, domain);
+ d->route_only = route_only;
+ return 0;
 }
 int manager_parse_search_domains_and_warn(Manager *m, const char *string) { |
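Review bot: The `dns_name_is_root(domain) || streq(domain, "*")` branch silently turns a plain `.` or `*` entry into the catch-all routing domain, and the `*` alias is not mentioned in the resolved.conf.xml text changed by this same commit, which documents only `~.`. A catch-all routing domain decides which DNS servers are preferred for every query, so the coercion deserves a comment at the branch, for example `/* "." and "*" can never be search suffixes; treat both as the catch-all routing domain "~." */`. If `dns_name_is_root()` also accepts the empty string (its definition is outside this hunk), a bare `~` would take the same path and would be better rejected with `-EINVAL`. The unconditional `d->route_only = route_only;` also overwrites the flag on an entry that `dns_search_domain_find()` already returned, so a comment stating that the last occurrence wins would help anyone auditing a configuration that lists the same domain both with and without `~`.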