Domain name resolution: Difference between revisions
m (→Resolvers: expand expansion template) |
(→Resolvers: add footnote explaining why systemd-resolved's DNS over TLS is insecure) |
||
| Line 81: | Line 81: | ||
== Resolvers == | == Resolvers == | ||
{{Expansion|Fill in the unknowns. | {{Expansion|Fill in the unknowns.}} | ||
The Glibc resolver provides only the most basic necessities, it does not cache queries or provide any security or privacy features. If you desire more functionality use another resolver. | The Glibc resolver provides only the most basic necessities, it does not cache queries or provide any security or privacy features. If you desire more functionality use another resolver. | ||
| Line 125: | Line 125: | ||
|- | |- | ||
!style="white-space: nowrap;"| [[systemd-resolved]] | !style="white-space: nowrap;"| [[systemd-resolved]] | ||
| {{Yes}} || {{No}} || {{G|[[systemd-resolvconf]]}} || {{Yes}} || {{Y| | | {{Yes}} || {{No}} || {{G|[[systemd-resolvconf]]}} || {{Yes}} || {{Y|Insecure}}<sup>1</sup> || {{R|No [https://github.com/systemd/systemd/issues/8639]}} || | ||
|- | |- | ||
! [[Unbound]] | ! [[Unbound]] | ||
| {{Yes}} || {{Yes}} || {{G|[[openresolv]] subscriber}} || {{Yes}} || {{Yes}} || ? || | | {{Yes}} || {{Yes}} || {{G|[[openresolv]] subscriber}} || {{Yes}} || {{Yes}} || ? || | ||
|} | |} | ||
# From {{man|5|resolved.conf}}: ''Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.''[https://github.com/systemd/systemd/issues/9397] | |||
== Privacy == | == Privacy == | ||
Revision as of 15:17, 12 August 2018
In general, a domain name represents an IP address and is associated to it in the Domain Name System (DNS). This article explains how to configure domain name resolution and resolve domain names.
Name Service Switch
- "NSS" redirects here. For Mozilla cryptographic libraries, see Network Security Services.
The Name Service Switch (NSS) facility is part of the GNU C Library (glibc) and backs the getaddrinfo(3) API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in nsswitch.conf(5). The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:
file: reads the/etc/hostsfile, see hosts(5)dns: the glibc resolver which reads/etc/resolv.conf, see resolv.conf(5)
Systemd provides three NSS services for hostname resolution:
- nss-resolve(8) - a caching DNS stub resolver, described in systemd-resolved
- nss-myhostname(8) - provides hostname resolution without having to edit
/etc/hosts, described in Network configuration#Local hostname resolution - nss-mymachines(8) - provides hostname resolution for the names of local systemd-machined(8) containers
Check if you can resolve domain names
NSS databases can be queried with getent(1). You can resolve a domain name through NSS using:
$ getent hosts domain_name
/etc/resolv.conf and/or /etc/hosts directly. See Network configuration#Local hostname resolution.Glibc resolver
The glibc resolver reads /etc/resolv.conf for every resolution to determine the nameservers and options to use.
resolv.conf(5) lists nameservers together with some configuration options. Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign are ignored.
Overwriting of resolv.conf
Network managers tend to overwrite /etc/resolv.conf, for specifics see the corresponding section:
To prevent programs from overwriting /etc/resolv.conf you can also write-protect it by setting the immutable file attribute.
/etc/resolv.conf, you can use openresolv.Limit lookup time
If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf.
options timeout:1
Hostname lookup delayed with IPv6
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request (source).
You can fix that by setting the following option in /etc/resolv.conf:
options single-request
Local domain names
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to /etc/resolv.conf with the local domain such as:
domain example.com
That way you can refer to local hosts such as mainmachine1.example.com as simply mainmachine1 when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.
Resolvers
The Glibc resolver provides only the most basic necessities, it does not cache queries or provide any security or privacy features. If you desire more functionality use another resolver.
- The drill or dig lookup utilities report the query time.
- A router usually sets its own caching resolver as the network's DNS server thus proving DNS cache for the whole network.
- If it takes too long to switch to the next DNS server you can try decreasing the timeout.
The columns have the following meaning:
- Cache: caches the DNS queries to improve lookup times of subsequent identical requests.
- Recursor: can recursively query the domain name starting from the DNS root zone.
- resolvconf compatibility: can acquire name servers and search domains, to use for forwarding requests, from software that sets them using resolvconf.
- Validates DNSSEC: validates DNS query responses using DNSSEC.
- DNS over TLS: supports the DNS over TLS protocol for encrypted communicating with the DNS server.
- DNS over HTTPS: supports the DNS over HTTPS protocol for encrypted communicating with the DNS server.
| Resolver | Cache | Recursor | resolvconf compatibility | Validates DNSSEC | DNS over TLS | DNS over HTTPS | Notes |
|---|---|---|---|---|---|---|---|
| glibc | No | No | No | No | No | No | |
| BIND | Yes | Yes | openresolv subscriber | Yes | ? | ? | |
| dnscrypt-proxy | Yes | No | No | No | No | Yes | Implements the DNSCrypt protocol. |
| dnsmasq | Yes | No | openresolv subscriber | Yes | No | No | |
| Knot Resolver | Yes | Yes | No | Yes | Yes | No [1] | |
| pdnsd | Yes | Yes | openresolv subscriber | No | No | No | |
| Stubby | No | No | No | Yes | Yes | ? | |
| systemd-resolved | Yes | No | systemd-resolvconf | Yes | Insecure1 | No [2] | |
| Unbound | Yes | Yes | openresolv subscriber | Yes | Yes | ? |
- From resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.[3]
Privacy
Most DNS servers keep a log of IP addresses and sites visited on a more or less temporary basis. The data collected can be used to perform various statistical studies. Personally-identifying information have value and can also be rented or sold to third parties. Alternative DNS services provides a list of popular services, check their privacy policy for information about how user data is handled.
Lookup utilities
To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.
For example, to query a specific nameserver with drill for the TXT records of a domain:
$ drill @nameserver TXT domain
If you do not specify a DNS server drill uses the nameservers defined in /etc/resolv.conf.
- bind-tools provides dig(1), host(1), nslookup(1) and a bunch of
dnssec-tools.