lift harden
Server hardening utilities for DNS resilience, security, and reliability.
lift harden
Apply security and reliability hardening to the server.
Subcommands
lift harden dns
Configure DNS resilience with fallback nameservers and automatic recovery. Sets up three layers of protection:
| Layer | What it does |
|---|---|
| Fallback DNS | Adds 1.1.1.1 and 8.8.8.8 as fallback nameservers to systemd-resolved |
| DNS Watchdog | Systemd timer checks DNS every 2 minutes, auto-restarts systemd-resolved on failure |
| DNS Caching | Enables response caching to reduce repeated lookups |
This command is idempotent — safe to run multiple times on the same server.
Options
| Flag | Description | Default |
|---|---|---|
| --server <ip> | Target server IP address | From .lift.json |
| --user <name> | SSH user | root |
| --key <path> | SSH private key path | From .lift.json |
| --output jsonl | Output as JSONL for scripting | |
Example
```
$ lift harden dns --server 1.2.3.4
✓ [check] systemd-resolved is active
✓ [fallback] Fallback DNS configured
✓ [watchdog] DNS watchdog installed (checks every 2m)
✓ [restart] systemd-resolved restarted
✓ [verify] DNS resolution working
✓ DNS hardening complete

$ lift harden dns --json
{"type":"result","data":{"fallbackDns":"1.1.1.1,8.8.8.8","cache":"enabled","watchdog":"every 2m","status":"ok"}}
```
What gets installed
| File | Purpose |
|---|---|
| /etc/systemd/resolved.conf | Modified: FallbackDNS and Cache settings |
| /usr/local/bin/dns-watchdog.sh | Health check script |
| /etc/systemd/system/dns-watchdog.service | Systemd oneshot service |
| /etc/systemd/system/dns-watchdog.timer | Runs watchdog every 2 minutes |
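As an added example (not the lift project's own code), this is what the three layers and the installed files above amount to in POSIX shell: the fallback/cache settings for systemd-resolved, the timer unit, and one check-and-recover pass of the watchdog. The drop-in path, the probe hostname, the 5 s probe timeout and the PROBE_CMD/RESTART_CMD override hooks are assumptions made here so the logic can be exercised without root or network.

```shell
#!/bin/sh
# Added example, not lift's code. Paths, probe host and override hooks are assumptions.
set -u

PROBE_HOST="${PROBE_HOST:-example.com}"   # name resolved on every check (assumed)
RESOLVED_DROPIN="${RESOLVED_DROPIN:-/etc/systemd/resolved.conf.d/90-lift-harden.conf}"
LOG_TAG="dns-watchdog"

# Override points: PROBE_CMD exits 0 when resolution works, RESTART_CMD restarts
# the resolver. Defaults are the real commands; tests inject stand-ins.
PROBE_CMD="${PROBE_CMD:-getent hosts $PROBE_HOST}"
RESTART_CMD="${RESTART_CMD:-systemctl restart systemd-resolved}"

# A drop-in owned entirely by this script is what makes repeated runs idempotent:
# it is rewritten wholesale instead of patching /etc/systemd/resolved.conf in place.
render_resolved_dropin() {
    printf '%s\n' '[Resolve]' 'FallbackDNS=1.1.1.1 8.8.8.8' 'Cache=yes'
}

# Timer that fires the oneshot dns-watchdog.service every 2 minutes.
render_watchdog_timer() {
    printf '%s\n' '[Unit]' 'Description=Periodic DNS health check' '' \
        '[Timer]' 'OnBootSec=2min' 'OnUnitActiveSec=2min' 'Unit=dns-watchdog.service' '' \
        '[Install]' 'WantedBy=timers.target'
}

# 0 if the probe resolves, 1 otherwise; a stalled resolver hangs, so bound it.
dns_healthy() {
    timeout 5 sh -c "$PROBE_CMD" >/dev/null 2>&1
}

# One watchdog pass. Restarts the resolver only when the probe fails, then
# re-probes. Prints ok / recovered / failed; returns 0 for the first two.
watchdog_once() {
    if dns_healthy; then echo ok; return 0; fi
    logger -t "$LOG_TAG" "DNS probe failed, restarting systemd-resolved" 2>/dev/null || :
    sh -c "$RESTART_CMD"
    sleep "${RETRY_DELAY:-2}"
    if dns_healthy; then echo recovered; return 0; fi
    echo failed; return 1
}

install_resolved_dropin() {
    mkdir -p "$(dirname "$RESOLVED_DROPIN")"
    render_resolved_dropin > "$RESOLVED_DROPIN"
}

# Run a single pass when invoked as the timer's service: dns-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then watchdog_once; fi
```

The oneshot service unit simply runs `/usr/local/bin/dns-watchdog.sh --run`; enable the timer with `systemctl enable --now dns-watchdog.timer`.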
Why this matters
Docker builds pull base images from Docker Hub, which requires DNS resolution. If systemd-resolved stalls (common on long-running servers due to memory pressure), all DNS queries fail and deployments break silently. This hardening ensures DNS recovery happens automatically.
Related
- lift doctor - Run server diagnostics
- lift status - Show container status