Change dns server for incus-os

07359 · February 15, 2026, 7:05pm

Hello,

When incus-os boots and checks for secure boot key updates, the request to images.linuxcontainers.org gets a timeout.
My dns server (pihole) that gets advertised by the routers dhcp is running inside an incus-os instance and that obviously only boots up after incus-os has started.

So I want to set a different dns server for incus-os than the dhcp assigned one:

Is $ incus network edit incusbr0 and then adding dns.nameservers: 9.9.9.9 under config not the correct way? Does that only advertise that dns server to instances that use the incusbr0 network? If so, how can I change the dns server that incus-os uses?

07359 · February 15, 2026, 7:41pm

I’m sorry, I may have overlooked it at first, but I think I just found the solution in the documentation:

incus admin os system network edit and the adding:

dns:
nameservers:
- 9.9.9.9

That seemed to have worked. The error when booting incus-os is gone.

So I guess $ incus network edit incusbr0 and adding dns.nameserversis the dns server that the instances that use incusbr0gets assigned?

And adding the above lines via incus admin os system network edit changes the dns server for incus-os?

stgraber · February 16, 2026, 6:00am

Yeah, that controls what the DHCP server advertises to the instances.

stgraber · February 16, 2026, 6:00am

Correct, that one overrides the IncusOS system network configuration so that’s the one you want in this scenario.

07359 · February 16, 2026, 7:54am

Thank you very much!

neitsab · April 9, 2026, 12:24am

I am trying to configure NextDNS-supplied nameservers, using:

config:
  dns:
    domain: ""
    nameservers:
    - 46.89.24.0#server-profileid.dns.nextdns.io
    - 2a08:b9d1::#server-profileid.dns.nextdns.io
    - 46.89.25.0#server-profileid.dns.nextdns.io

as recommended in their setup docs for systemd-resolved (which works flawlessly on my laptop), but the IncusOS server requests never show up in the logs.

Is it possible the #server-profileid.dns.nextdns.io part is silently ignored/not passed to resolved, and I get name resolution from the generic IPs? How can I verify which nameservers are used by IncusOS?

Thanks

neitsab · April 17, 2026, 1:25pm

Update for those who’ll arrive here: I opened Add support for DNS over TLS · Issue #1039 · lxc/incus-os · GitHub, and the crux of the issue is the current inability to enable DNSoverTLS in systemd-resolved on IncusOS, leading to the SNI part not being sent.

The feature request has been accepted and awaits contributions