Domain name resolution
Name Service Switch
The Name Service Switch (NSS) facility is part of the GNU C Library ( ) and backs the API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in . The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:
- file: reads the
- dns: the glibc resolver which reads
Systemd provides three NSS services for hostname resolution:
- systemd-resolved - a caching DNS stub resolver, described in
/etc/hosts, described in Network configuration#Local hostname resolution
- provides hostname resolution without having to edit
- - provides hostname resolution for the names of local containers
Resolve a domain name using NSS
NSS databases can be queried with. A domain name can be resolved through NSS using:
$ getent hosts domain_name
/etc/hostsdirectly. See Network configuration#Local hostname resolution.
The glibc resolver reads
/etc/resolv.conf for every resolution to determine the nameservers and options to use.
lists nameservers together with some configuration options.
Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (
#) are ignored.
Overwriting of /etc/resolv.conf
Network managers tend to overwrite
/etc/resolv.conf, for specifics see the corresponding section:
To prevent programs from overwriting
/etc/resolv.conf you can also write-protect it by setting the immutable file attribute:
# chattr +i /etc/resolv.conf
/etc/resolv.conf, you can use resolvconf.
Limit lookup time
If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in
Hostname lookup delayed with IPv6
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request. You can fix that by setting the following option in
Local domain names
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to
/etc/resolv.conf with the local domain such as:
That way you can refer to local hosts such as
mainmachine1.example.com as simply
mainmachine1 when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.
The Glibc resolver provides only the most basic necessities, it does not cache queries nor provides any security features. If you require more functionality, use another resolver.
In the table below, the columns have the following meaning:
- Cache: caches the DNS queries to improve lookup times of subsequent identical requests.
- Recursor: can recursively query the domain name starting from the DNS root zone.
- resolvconf compatibility: can acquire name servers and search domains, to use for forwarding requests, from software that sets them using resolvconf.
- Validates DNSSEC: validates DNS query responses using DNSSEC.
- DNS over TLS: supports the DNS over TLS protocol.
- DNS over HTTPS: supports the experimental DNS over HTTPS protocol.
|Resolver||Cache||Recursor||resolvconf compatibility||Validates DNSSEC||DNS over TLS||DNS over HTTPS|
- Implements a DNSCrypt protocol client.
- From  Also, the only supported mode is "opportunistic", which makes DNS-over-TLS vulnerable to "downgrade" attacks. : Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.
- provides , which is a tool designed to retrieve information out of the DNS.
For example, to query a specific nameserver with drill for the TXT records of a domain:
$ drill @nameserver TXT domain
If you do not specify a DNS server drill uses the nameservers defined in
dnssec-tools. provides , , and a bunch of