Difference between revisions of "Domain name resolution"

From ArchWiki
Jump to navigation Jump to search
m (→‎Overwriting of /etc/resolv.conf: avoid repetition of "you")
(→‎Privacy and security: document use-application-dns.net)
 
(7 intermediate revisions by 2 users not shown)
Line 56: Line 56:
 
  # chattr +i /etc/resolv.conf
 
  # chattr +i /etc/resolv.conf
  
{{Tip|If you want multiple processes to write to {{ic|/etc/resolv.conf}}, you can use [[openresolv]].}}
+
{{Tip|If you want multiple processes to write to {{ic|/etc/resolv.conf}}, you can use [[resolvconf]].}}
  
 
=== Limit lookup time ===
 
=== Limit lookup time ===
Line 72: Line 72:
 
=== Local domain names ===
 
=== Local domain names ===
  
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to {{ic|/etc/resolv.conf}} with the local domain such as:
+
To be able to use the hostname of local machine names without the fully qualified domain name, add a line to {{ic|/etc/resolv.conf}} with the local domain such as:
 
+
  domain example.org
  domain example.com
+
That way you can refer to local hosts such as {{ic|mainmachine1.example.org}} as simply {{ic|mainmachine1}} when using the ''ssh'' command, but the [[#Lookup utilities|drill]] command still requires the fully qualified domain names in order to perform lookups.
 
 
That way you can refer to local hosts such as {{ic|mainmachine1.example.com}} as simply {{ic|mainmachine1}} when using the ''ssh'' command, but the [[#Lookup utilities|drill]] command still requires the fully qualified domain names in order to perform lookups.
 
  
 
== Lookup utilities ==
 
== Lookup utilities ==
Line 88: Line 86:
 
  $ drill @''nameserver'' TXT ''domain''
 
  $ drill @''nameserver'' TXT ''domain''
  
If a DNS server is not specified, ''drill'' uses the nameservers defined in {{ic|/etc/resolv.conf}}.
+
Unless a DNS server is specified, ''drill'' will use the nameservers defined in {{ic|/etc/resolv.conf}}.
  
 
* {{Pkg|bind-tools}} provides {{man|1|dig}}, {{man|1|host}}, {{man|1|nslookup}} and a bunch of {{ic|dnssec-}} tools.
 
* {{Pkg|bind-tools}} provides {{man|1|dig}}, {{man|1|host}}, {{man|1|nslookup}} and a bunch of {{ic|dnssec-}} tools.
Line 96: Line 94:
 
== Resolver performance ==
 
== Resolver performance ==
  
The Glibc resolver does not cache queries. To implement local caching, use [[systemd-resolved]] or set up a local caching [[#DNS servers]] and use {{ic|127.0.0.1}} as the name server.
+
The Glibc resolver does not cache queries. To implement local caching, use [[systemd-resolved]] or set up a local caching [[#DNS servers|DNS server]] and use it as the name server by setting {{ic|127.0.0.1}} and {{ic|::1}} as the name servers in {{ic|/etc/resolv.conf}} or in {{ic|/etc/resolvconf.conf}} if using [[openresolv]].
  
 
{{Tip|
 
{{Tip|
Line 109: Line 107:
 
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and [[#Third-party DNS services|third-parties]]. Alternatively you can run your own [[#DNS servers|recursive name server]], which however takes more effort. If you use a [[DHCP]] client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]], provided that both the upstream server and your [[#DNS servers|resolver]] support the protocol. To verify that responses are actually from [[Wikipedia:Authoritative name server|authoritative name servers]], you can validate [[DNSSEC]], provided that both the upstream server(s) and your [[#DNS servers|resolver]] support it.
 
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and [[#Third-party DNS services|third-parties]]. Alternatively you can run your own [[#DNS servers|recursive name server]], which however takes more effort. If you use a [[DHCP]] client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]], provided that both the upstream server and your [[#DNS servers|resolver]] support the protocol. To verify that responses are actually from [[Wikipedia:Authoritative name server|authoritative name servers]], you can validate [[DNSSEC]], provided that both the upstream server(s) and your [[#DNS servers|resolver]] support it.
  
Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh]
+
Be aware that client software, such as major web browsers, may also (start to) implement some of the encrypted DNS protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh] [https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https Mozilla has proposed] disabling application-level DNS if the system resolver cannot resolve the domain "[http://use-application-dns.net/ use-application-dns.net]". Currently this check is only implemented in [[Firefox]].
  
 
== Third-party DNS services ==
 
== Third-party DNS services ==
Line 166: Line 164:
  
 
# Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[https://github.com/shuLhan/rescached-go#integration-with-dns-over-https]
 
# Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[https://github.com/shuLhan/rescached-go#integration-with-dns-over-https]
# From {{man|5|resolved.conf}}: ''Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.''[https://github.com/systemd/systemd/issues/9397] Also, the only supported mode is "opportunistic", which ''makes DNS-over-TLS vulnerable to "downgrade" attacks''.[https://github.com/systemd/systemd/issues/10755]
+
# From {{man|5|resolved.conf}}: ''Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.''[https://github.com/systemd/systemd/issues/9397]
 
# From [[Wikipedia:Comparison of DNS server software#cite_note-masqauth-25|Wikipedia]]: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.
 
# From [[Wikipedia:Comparison of DNS server software#cite_note-masqauth-25|Wikipedia]]: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.
  
Line 207: Line 205:
 
* [[RFC:7706]] - Decreasing Access Time to Root Servers by Running One on Loopback
 
* [[RFC:7706]] - Decreasing Access Time to Root Servers by Running One on Loopback
 
* [http://linux-ip.net/pages/diagrams.html#domain-name-system-overview Domain name system overview] - Diagram about DNS
 
* [http://linux-ip.net/pages/diagrams.html#domain-name-system-overview Domain name system overview] - Diagram about DNS
 +
* [[Alternative DNS services]]

Latest revision as of 10:58, 15 September 2019

In general, a domain name represents an IP address and is associated to it in the Domain Name System (DNS). This article explains how to configure domain name resolution and resolve domain names.

Name Service Switch

The Name Service Switch (NSS) facility is part of the GNU C Library (glibc) and backs the getaddrinfo(3) API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in nsswitch.conf(5). The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:

Systemd provides three NSS services for hostname resolution:

Resolve a domain name using NSS

NSS databases can be queried with getent(1). A domain name can be resolved through NSS using:

$ getent hosts domain_name
Note: While most programs resolve domain names using NSS, some may read /etc/resolv.conf and/or /etc/hosts directly. See Network configuration#Local hostname resolution.

Glibc resolver

The glibc resolver reads /etc/resolv.conf for every resolution to determine the nameservers and options to use.

resolv.conf(5) lists nameservers together with some configuration options. Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (#) are ignored.

Note: The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. Glibc resolver also can not validate DNSSEC. A DNSSEC capable validator resolver is required for that one. See #DNS servers for more information.

Overwriting of /etc/resolv.conf

Network managers tend to overwrite /etc/resolv.conf, for specifics see the corresponding section:

To prevent programs from overwriting /etc/resolv.conf, it is also possible to write-protect it by setting the immutable file attribute:

# chattr +i /etc/resolv.conf
Tip: If you want multiple processes to write to /etc/resolv.conf, you can use resolvconf.

Limit lookup time

If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf.

options timeout:1

Hostname lookup delayed with IPv6

If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[1] You can fix that by setting the following option in /etc/resolv.conf:

options single-request

Local domain names

To be able to use the hostname of local machine names without the fully qualified domain name, add a line to /etc/resolv.conf with the local domain such as:

domain example.org

That way you can refer to local hosts such as mainmachine1.example.org as simply mainmachine1 when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.

Lookup utilities

To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.

  • ldns provides drill(1), which is a tool designed to retrieve information out of the DNS.

For example, to query a specific nameserver with drill for the TXT records of a domain:

$ drill @nameserver TXT domain

Unless a DNS server is specified, drill will use the nameservers defined in /etc/resolv.conf.

Tip: Some DNS servers ship with their own DNS lookup utilities. E.g. knot has khost(1) and kdig(1), Unboundunbound-host(1).

Resolver performance

The Glibc resolver does not cache queries. To implement local caching, use systemd-resolved or set up a local caching DNS server and use it as the name server by setting 127.0.0.1 and ::1 as the name servers in /etc/resolv.conf or in /etc/resolvconf.conf if using openresolv.

Tip:
  • The drill or dig lookup utilities report the query time.
  • A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.
  • If it takes too long to switch to the next DNS server you can try decreasing the timeout.

Privacy and security

The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses manipulated. Furthermore, DNS servers can conduct DNS hijacking.

You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and third-parties. Alternatively you can run your own recursive name server, which however takes more effort. If you use a DHCP client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like DNS over TLS, DNS over HTTPS or DNSCrypt, provided that both the upstream server and your resolver support the protocol. To verify that responses are actually from authoritative name servers, you can validate DNSSEC, provided that both the upstream server(s) and your resolver support it.

Be aware that client software, such as major web browsers, may also (start to) implement some of the encrypted DNS protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[2] Mozilla has proposed disabling application-level DNS if the system resolver cannot resolve the domain "use-application-dns.net". Currently this check is only implemented in Firefox.

Third-party DNS services

Note: Before using a third-party DNS service, check its privacy policy for information on how user data is handled. User data has value and can be sold to other parties.

There are various third-party DNS services available, some of which also have dedicated software:

  • dingo — A DNS client for Google DNS over HTTPS
https://github.com/pforemski/dingo || dingo-gitAUR
  • opennic-up — Automates the renewal of the DNS servers with the most responsive OpenNIC servers
https://github.com/kewlfft/opennic-up || opennic-upAUR

DNS servers

DNS servers can be authoritative and recursive. If they are neither, they are called stub resolvers and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to Wikipedia:Comparison of DNS server software.

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Fill in the unknowns. Add deadwoodAUR. (Discuss in Talk:Domain name resolution#)
Name Package Capabilities resolvconf Supported protocols
Authoritative Recursive Cache Validates
DNSSEC
DNS DNSCrypt DNS
over TLS
DNS
over HTTPS
dnscrypt-proxy dnscrypt-proxy No No Yes No No Server Resolver No Resolver
Rescached rescached-gitAUR No No Yes No Yes Yes No No Limited1
Stubby stubby No No No Yes No Server No Resolver No
systemd-resolved systemd No No Yes Yes Yes Resolver and limited server No Insecure resolver2 No
dnsmasq dnsmasq Partial3 No Yes Yes Yes Yes No No No
BIND bind Yes Yes Yes Yes Yes Yes No stunnel#DNS over TLS No
Knot Resolver knot-resolverAUR Yes Yes Yes Yes No Yes No Yes Server
MaraDNS maradnsAUR Yes Yes Yes No No Yes No No No
pdnsd pdnsd Yes Yes Permanent No Yes Yes No No No
PowerDNS Recursor powerdns-recursor Yes Yes Yes Yes No Yes No No No
Unbound unbound Yes Yes Yes Yes Yes Yes Server Yes No
  1. Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[3]
  2. From resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.[4]
  3. From Wikipedia: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.

Authoritative-only servers

Name Package DNSSEC Geographic
balancing
gdnsd gdnsd No Yes
Knot DNS knot Yes Yes
NSD nsd No No
PowerDNS powerdns Yes Yes

Conditional forwarding

Tango-edit-cut.pngThis section is being considered for removal.Tango-edit-cut.png

Reason: Pointless section, there is no software list or instructions. (Discuss in Talk:Domain name resolution#Template remove of Conditional forwarding)

It is possible to use specific DNS resolvers when querying specific domain names. This is particularly useful when connecting to a VPN, so that queries to the VPN network are resolved by the VPN's DNS, while queries to the internet will still be resolved by your standard DNS resolver. It can also be used on local networks.

Merge-arrows-2.pngThis article or section is a candidate for merging with #Glibc resolver.Merge-arrows-2.png

Notes: Keep glibc resolver's limitations in one place. (Discuss in Talk:Domain name resolution#Mentionning glibc limitation)

To implement it, you need to use a local resolver because glibc does not support it.

In a dynamic environment (laptops and to some extents desktops), you need to configure your resolver based on the network(s) you are connected to. The best way to do that is to use openresolv because it supports multiple subscribers. Some network managers support it, either through openresolv, or by configuring the resolver directly.

Note: Although you could use other conditions for forwarding (for example, source IP address), "conditional forwarding" appears to be the name used for the "domain queried" condition.

See also