DNS best practices using ziti-edge-tunnel

I believe this is a problem not caused by Ziti, but I assume you have quite some experience with setting this up correctly.
We're struggling quite a bit with the correct DNS settings for Ziti on many machines, what exact DNS circumstances does Ziti need in order to work correctly?
Simply enabling systemd-resolved on many machines results in ziti-edge-tunnel injecting the DNS correctly, however not as the global DNS but only for the ziti0 interface which often results in Ziti lookups to be tried on public DNS before:
resolvectl status

Global
       LLMNR setting: yes
MulticastDNS setting: yes
  DNSOverTLS setting: no
      DNSSEC setting: allow-downgrade
    DNSSEC supported: no
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 67 (ziti0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 100.64.0.2
         DNS Servers: 100.64.0.2

Do you instead recommend using systemd-resolved in the foreign mode and manually adding the ziti DNS server before any other? Any help is highly appreciated.
Interestingly enough, the Ziti DNS server is added correctly on some machines with exactly the same systemd-resolved settings and the same content in /etc/resolv.conf.

Hi,

systemd-resolved is the preferred DNS manager for ziti-edge-tunnel on Linux. As you have noticed, the DNS server is only added to the zitiN interface. This is intentional, and relies on the fact that systemd-resolved sends DNS queries to all configured DNS servers by default and returns the first result (or last failure) to the client. From the systemd-resolved doc:

If lookups are routed to multiple interfaces, the first successful response is returned (thus effectively merging the lookup zones on all matching interfaces). If the lookup failed on all interfaces, the last failing response is returned.

Routing of lookups is determined by the per-interface routing domains (search and route-only) and global search domains. ...

So we could add a list of "routing" domains to the DNS configuration for ziti0, and this would cause systemd-resolved to send only DNS queries for specific domains to ziti-edge-tunnel's DNS server, and no other. This would match the behavior that we set up with the desktop tunnelers (Ziti Desktop Edge for Windows, macOS, and iOS), and is something that's been bothering me for a while. The fact that you've noticed this and it's causing trouble has motivated me to write up an issue for it.

In the meantime you could try an experiment and add the domains from your service configurations manually with resolvectl domain to see if this achieves the behavior you're hoping for:

resolvectl domain ziti0 hostname1.domain1 hostname2.domain2

You can represent wildcard domains as routing domains by replacing *. with ~. So for example if you had a service that intercepted the "*.ziti" wildcard, this command would send all ".ziti" queries to ziti-edge-tunnel:

resolvectl domain ziti0 "~ziti"

Also note that resolvectl domain resets the routing domains to the provided list every time - it does not add the domains.

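Because resolvectl domain replaces the interface's domain list on every call, the workaround above only works if all intercepted names are gathered into one invocation. The following shell example is added here and is not code from the thread or from the ziti-edge-tunnel project; the service intercept addresses, the ziti0 interface name in the sample call and the APPLY=1 switch are constructed for illustration.

```shell
#!/bin/sh
# Build the routing-domain list for a ziti tunnel interface from the addresses
# a set of Ziti services intercept. Wildcard intercepts such as "*.ziti" become
# systemd-resolved route-only domains ("~ziti"), literal hostnames are kept as
# they are, and IPv4 address/CIDR intercepts are skipped because they need no
# DNS routing (IPv6 intercepts are not handled here). Duplicates are dropped so
# the whole list fits one "resolvectl domain" call, which RESETS the
# interface's domain list each time instead of appending to it.
ziti_routing_domains() {
    seen=" "
    out=""
    for addr in "$@"; do
        case "$addr" in
            *[!0-9./]*) ;;      # has a letter or other char: treat as a DNS name
            *) continue ;;      # only digits, dots, slash: IPv4 address or CIDR
        esac
        case "$addr" in
            \*.*) dom="~${addr#\*.}" ;;   # "*.suffix" -> route-only "~suffix"
            *) dom="$addr" ;;
        esac
        case "$seen" in
            *" $dom "*) continue ;;       # already collected
        esac
        seen="$seen$dom "
        out="${out:+$out }$dom"
    done
    printf '%s\n' "$out"
}

# Print the resolvectl command for the interface, or run it when APPLY=1 is set
# (assumed switch, so the script stays a dry run by default).
apply_ziti_domains() {
    iface="$1"; shift
    domains=$(ziti_routing_domains "$@")
    if [ "${APPLY:-0}" = "1" ]; then
        # shellcheck disable=SC2086  # word splitting of $domains is intended
        resolvectl domain "$iface" $domains
    else
        printf 'resolvectl domain %s %s\n' "$iface" "$domains"
    fi
}

# Constructed sample: intercept addresses of three hypothetical services.
apply_ziti_domains ziti0 hostname1.domain1 '*.ziti' 10.0.0.5 hostname2.domain2 '*.ziti'
```

Feed the function the real intercept addresses from your service configurations and re-run it whenever they change, since every call rewrites the full list.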