Domain name resolution: Difference between revisions
m (→Third-party DNS servers: fix section levels) |
(fix #Resolvers section links) |
||
Line 42: | Line 42: | ||
Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign ({{ic|#}}) are ignored. | Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign ({{ic|#}}) are ignored. | ||
{{Note|The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See [[# | {{Note|The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See [[#DNS servers]] for more information.}} | ||
=== Overwriting of /etc/resolv.conf === | === Overwriting of /etc/resolv.conf === | ||
Line 96: | Line 96: | ||
The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses [[Wikipedia:Man-in-the-middle attack|manipulated]]. Furthermore, DNS servers can conduct [[Wikipedia:DNS hijacking|DNS hijacking]]. | The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses [[Wikipedia:Man-in-the-middle attack|manipulated]]. Furthermore, DNS servers can conduct [[Wikipedia:DNS hijacking|DNS hijacking]]. | ||
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and [[#Third-party DNS servers|third-parties]]. Alternatively you can run your own [[# | You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and [[#Third-party DNS servers|third-parties]]. Alternatively you can run your own [[#DNS servers|recursive name server]], which however takes more effort. If you use a [[DHCP]] client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]], provided that both the upstream server and your [[#DNS servers|resolver]] support the protocol. To verify that responses are actually from [[Wikipedia:Authoritative name server|authoritative name servers]], you can validate [[DNSSEC]], provided that both the upstream server(s) and your [[#DNS servers|resolver]] support it. | ||
Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh] | Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh] |
Revision as of 17:10, 9 January 2019
In general, a domain name represents an IP address and is associated to it in the Domain Name System (DNS). This article explains how to configure domain name resolution and resolve domain names.
Name Service Switch
The Name Service Switch (NSS) facility is part of the GNU C Library (glibc) and backs the getaddrinfo(3) API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in nsswitch.conf(5). The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:
- file: reads the
/etc/hosts
file, see hosts(5) - dns: the glibc resolver which reads
/etc/resolv.conf
, see resolv.conf(5)
Systemd provides three NSS services for hostname resolution:
- nss-resolve(8) - a caching DNS stub resolver, described in systemd-resolved
- nss-myhostname(8) - provides hostname resolution without having to edit
/etc/hosts
, described in Network configuration#Local hostname resolution - nss-mymachines(8) - provides hostname resolution for the names of local systemd-machined(8) containers
Resolve a domain name using NSS
NSS databases can be queried with getent(1). A domain name can be resolved through NSS using:
$ getent hosts domain_name
/etc/resolv.conf
and/or /etc/hosts
directly. See Network configuration#Local hostname resolution.Glibc resolver
The glibc resolver reads /etc/resolv.conf
for every resolution to determine the nameservers and options to use.
resolv.conf(5) lists nameservers together with some configuration options.
Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (#
) are ignored.
Overwriting of /etc/resolv.conf
Network managers tend to overwrite /etc/resolv.conf
, for specifics see the corresponding section:
To prevent programs from overwriting /etc/resolv.conf
you can also write-protect it by setting the immutable file attribute:
# chattr +i /etc/resolv.conf
/etc/resolv.conf
, you can use resolvconf.Limit lookup time
If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf
.
options timeout:1
Hostname lookup delayed with IPv6
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[1] You can fix that by setting the following option in /etc/resolv.conf
:
options single-request
Local domain names
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to /etc/resolv.conf
with the local domain such as:
domain example.com
That way you can refer to local hosts such as mainmachine1.example.com
as simply mainmachine1
when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.
Lookup utilities
To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.
For example, to query a specific nameserver with drill for the TXT records of a domain:
$ drill @nameserver TXT domain
If you do not specify a DNS server drill uses the nameservers defined in /etc/resolv.conf
.
- bind-tools provides dig(1), host(1), nslookup(1) and a bunch of
dnssec-
tools.
Privacy and security
The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses manipulated. Furthermore, DNS servers can conduct DNS hijacking.
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and third-parties. Alternatively you can run your own recursive name server, which however takes more effort. If you use a DHCP client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like DNS over TLS, DNS over HTTPS or DNSCrypt, provided that both the upstream server and your resolver support the protocol. To verify that responses are actually from authoritative name servers, you can validate DNSSEC, provided that both the upstream server(s) and your resolver support it.
Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[2]
Third-party DNS servers
There are various third-party DNS services available, some of which also have dedicated software:
- dingo — A DNS client for Google DNS over HTTPS
- opennic-up — Automates the renewal of the DNS servers with the most responsive OpenNIC servers
Resolver performance
The Glibc resolver does not cache queries. If you want local caching use systemd-resolved or set up a local caching DNS server and use 127.0.0.1
as your name server.
- The drill or dig lookup utilities report the query time.
- A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.
- If it takes too long to switch to the next DNS server you can try decreasing the timeout.
DNS servers
DNS servers can be authoritative and recursive. If they are neither, they are called stub resolvers and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to Wikipedia.
Name | Package | Authoritative / Recursive |
Cache | resolvconf | Validates DNSSEC |
DNS over TLS |
DNS over HTTPS |
---|---|---|---|---|---|---|---|
dnscrypt-proxy1 | dnscrypt-proxy | No | Yes | No | No | No | Yes |
Rescached | rescached-gitAUR | No | Yes | Yes | No | No | Limited2 |
Stubby | stubby | No | No | No | Yes | Yes | No |
systemd-resolved | systemd | No | Yes | Yes | Yes | Insecure3 | No |
dnsmasq | dnsmasq | Partial4 | Yes | Yes | Yes | No | No |
BIND | bind | Yes | Yes | Yes | Yes | ? | ? |
Knot Resolver | knot-resolverAUR | Yes | Yes | No | Yes | Yes | No |
MaraDNS | maradnsAUR | Yes | Yes | No | No | No | No |
pdnsd | pdnsd | Yes | Permanent | Yes | No | No | No |
PowerDNS Recursor | powerdns-recursor | Yes | Yes | No | Yes | ? | ? |
Unbound | unbound | Yes | Yes | Yes | Yes | Yes | No |
- Implements a DNSCrypt protocol client.
- Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[3]
- From resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.[4] Also, the only supported mode is "opportunistic", which makes DNS-over-TLS vulnerable to "downgrade" attacks.[5]
- From Wikipedia: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.
Authoritative-only servers
Name | Package | DNSSEC | Geographic balancing |
---|---|---|---|
gdnsd | gdnsd | No | Yes |
Knot DNS | knot | Yes | No |
NSD | nsd | No | No |
PowerDNS | powerdns | Yes | Yes |
See also
- Linux Network Administrators Guide
- Debian Handbook
- RFC:7706 - Decreasing Access Time to Root Servers by Running One on Loopback