Domain name resolution: Difference between revisions

Revision as of 18:34, 1 January 2019

In general, a domain name represents an IP address and is associated to it in the Domain Name System (DNS). This article explains how to configure domain name resolution and resolve domain names.

Name Service Switch

The Name Service Switch (NSS) facility is part of the GNU C Library (glibc) and backs the getaddrinfo(3) API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in nsswitch.conf(5). The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:

file: reads the /etc/hosts file, see hosts(5)
dns: the glibc resolver which reads /etc/resolv.conf, see resolv.conf(5)

Systemd provides three NSS services for hostname resolution:

nss-resolve(8) - a caching DNS stub resolver, described in systemd-resolved
nss-myhostname(8) - provides hostname resolution without having to edit /etc/hosts, described in Network configuration#Local hostname resolution
nss-mymachines(8) - provides hostname resolution for the names of local systemd-machined(8) containers

Resolve a domain name using NSS

NSS databases can be queried with getent(1). A domain name can be resolved through NSS using:

$ getent hosts domain_name

Note: While most programs resolve domain names using NSS, some may read /etc/resolv.conf and/or /etc/hosts directly. See Network configuration#Local hostname resolution.

Glibc resolver

The glibc resolver reads /etc/resolv.conf for every resolution to determine the nameservers and options to use.

resolv.conf(5) lists nameservers together with some configuration options. Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (#) are ignored.

Note: The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See #Resolvers for more information.

Overwriting of /etc/resolv.conf

Network managers tend to overwrite /etc/resolv.conf, for specifics see the corresponding section:

To prevent programs from overwriting /etc/resolv.conf you can also write-protect it by setting the immutable file attribute:

# chattr +i /etc/resolv.conf

Tip: If you want multiple processes to write to /etc/resolv.conf, you can use resolvconf.

Limit lookup time

If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf.

options timeout:1

Hostname lookup delayed with IPv6

If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[1] You can fix that by setting the following option in /etc/resolv.conf:

options single-request

Local domain names

If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to /etc/resolv.conf with the local domain such as:

domain example.com

That way you can refer to local hosts such as mainmachine1.example.com as simply mainmachine1 when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.

Resolvers

This article or section needs expansion.

Reason: Fill in the unknowns. Mention dingo, maybe below table because it only works with one provider and therefore doesn't really fit into the table. (Discuss in Talk:Domain name resolution)

The Glibc resolver provides only the most basic necessities, it does not cache queries nor provides any security features. If you require more functionality, use another resolver.

Tip:

The drill or dig lookup utilities report the query time.
A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.
If it takes too long to switch to the next DNS server you can try decreasing the timeout.

In the table below, the columns have the following meaning:

Cache: caches the DNS queries to improve lookup times of subsequent identical requests.
Recursor: can recursively query the domain name starting from the DNS root zone.
resolvconf compatibility: can acquire name servers and search domains, to use for forwarding requests, from software that sets them using resolvconf.
Validates DNSSEC: validates DNS query responses using DNSSEC.
DNS over TLS: supports forwarding using the DNS over TLS protocol.
DNS over HTTPS: supports forwarding using the DNS over HTTPS protocol.

Resolver	Cache	Recursor	resolvconf compatibility	Validates DNSSEC	DNS over TLS	DNS over HTTPS
glibc	No	No	openresolv	No	No	No
BIND	Yes	Yes	openresolv subscriber	Yes	?	?
dnscrypt-proxy¹	Yes	No	No	No	No	Yes
dnsmasq	Yes	No	openresolv subscriber	Yes	No	No
Knot Resolver	Yes	Yes	No	Yes	Yes	No
pdnsd	Yes	Yes	openresolv subscriber	No	No	No
powerdns-recursor	Yes	Yes	No	Yes	?	?
Rescached	Yes	No	openresolv subscriber²	No	No	Limited³
Stubby	No	No	No	Yes	Yes	No
systemd-resolved	Yes	No	systemd-resolvconf	Yes	Insecure⁴	No
Unbound	Yes	Yes	openresolv subscriber	Yes	Yes	No

Implements a DNSCrypt protocol client.
Can use the subscribers of dnsmasq, pdns and unbound.[2]
Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[3]
From resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.[4] Also, the only supported mode is "opportunistic", which makes DNS-over-TLS vulnerable to "downgrade" attacks.[5]

Privacy and security

This article or section needs expansion.

Reason: Merge relevant information from Alternative DNS services. (Discuss in Talk:Alternative DNS services#Future of the page)

The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication. Meaning, if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses manipulated. Furthermore DNS servers can conduct DNS hijacking.

You need to trust the DNS server, you use, to treat your queries confidentially. Before using a third party service, check its privacy policy for information on how user data is handled. User data has value and can be sold to third parties. If you do not trust the DNS service of your ISP, there are various alternative DNS services available, some of which also have dedicated clients. Alternatively you can run your own recursive name server.

To secure your communication with a remote DNS server you can use an encrypted protocol, like DNS over TLS, DNS over HTTPS or DNSCrypt, provided that both the server and your resolver support the protocol.

To verify that responses are actually from authoritative name servers, you can validate DNSSEC, see #Resolvers for what resolvers support it.

Be aware client software, such as major web browsers, may also (start to) implement one of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[6]

Lookup utilities

To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.

ldns provides drill(1), which is a tool designed to retrieve information out of the DNS.

For example, to query a specific nameserver with drill for the TXT records of a domain:

$ drill @nameserver TXT domain

If you do not specify a DNS server drill uses the nameservers defined in /etc/resolv.conf.

bind-tools provides dig(1), host(1), nslookup(1) and a bunch of dnssec- tools.

@@ Line 142: / Line 142: @@
 # From {{man|5|resolved.conf}}: ''Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.''[https://github.com/systemd/systemd/issues/9397] Also, the only supported mode is "opportunistic", which ''makes DNS-over-TLS vulnerable to "downgrade" attacks''.[https://github.com/systemd/systemd/issues/10755]
-== Privacy ==
+== Privacy and security ==
-{{Expansion|Section needs a rewrite, "Privacy" is not a good title when the set up recommends connecting to third-party DNS servers. Also merge relevant information from [[Alternative DNS services]].|Talk:Alternative DNS services#Future of the page}}
+{{Expansion|Merge relevant information from [[Alternative DNS services]].|Talk:Alternative DNS services#Future of the page}}
-DNS is not encrypted, so you may want to use a [[#Resolvers|resolver]] that supports an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]].
+The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication. Meaning, if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses [[Wikipedia:Man-in-the-middle attack|manipulated]]. Furthermore DNS servers can conduct [[Wikipedia:DNS hijacking|DNS hijacking]].
+You need to trust the DNS server, you use, to treat your queries confidentially. Before using a third party service, check its privacy policy for information on how user data is handled. User data has value and can be sold to third parties. If you do not trust the DNS service of your ISP, there are various [[alternative DNS services]] available, some of which also have dedicated clients. Alternatively you can run your own [[#Resolvers|recursive name server]].
+To secure your communication with a remote DNS server you can use an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]], provided that both the server and your [[#Resolvers|resolver]] support the protocol.
+To verify that responses are actually from authoritative name servers, you can validate [[DNSSEC]], see [[#Resolvers]] for what resolvers support it.
 Be aware client software, such as major web browsers, may also (start to) implement one of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh]
-Most DNS servers keep a log of IP addresses and sites visited on a more or less temporary basis. The data collected can be used to perform various statistical studies. Personally-identifying information have value and can also be rented or sold to third parties. [[Alternative DNS services]] provides a list of popular services, check their privacy policy for information about how user data is handled.
 == Lookup utilities ==