This is the systemd DNS service that Poettering & co. recommended to use...
https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dns_query/
Some other considerations about resolved from Andrew Ayer's blog:
DNS is a complicated, security-sensitive protocol. In August 2014, Lennart Poettering declared that "systemd-resolved is now a pretty complete caching DNS and LLMNR stub resolver." In reality, systemd-resolved failed to implement any of the documented best practices to protect against DNS cache poisoning. It was vulnerable to Dan Kaminsky's cache poisoning attack which was fixed in every other DNS server during a massive coordinated response in 2008 (and which had been fixed in djbdns in 1999). Although systemd doesn't force you to use systemd-resolved, it exposes a non-standard interface over DBUS which they encourage applications to use instead of the standard DNS protocol over port 53. If applications follow this recommendation, it will become impossible to replace systemd-resolved with a more secure DNS resolver, unless that DNS resolver opts to emulate systemd's non-standard DBUS API.