Difference between revisions of "Domain name resolution"

From ArchWiki
Jump to navigation Jump to search
m (OpenNIC: wording change - minor)
m (fix section link)
 
(262 intermediate revisions by 18 users not shown)
Line 1: Line 1:
{{Lowercase title}}
 
 
[[Category:Domain Name System]]
 
[[Category:Domain Name System]]
 +
[[Category:Network configuration]]
 
[[de:Resolv.conf]]
 
[[de:Resolv.conf]]
[[es:Resolv.conf]]
+
[[es:Domain name resolution]]
 
[[fr:Resolv.conf]]
 
[[fr:Resolv.conf]]
 
[[it:Resolv.conf]]
 
[[it:Resolv.conf]]
 
[[ja:Resolv.conf]]
 
[[ja:Resolv.conf]]
 +
[[pt:Domain name resolution]]
 
[[zh-hans:Resolv.conf]]
 
[[zh-hans:Resolv.conf]]
 
{{Related articles start}}
 
{{Related articles start}}
{{Related|Improving performance#Network}}
+
{{Related|Network configuration}}
 
{{Related articles end}}
 
{{Related articles end}}
 +
In general, a [[Wikipedia:Domain name|domain name]] represents an IP address and is associated to it in the [[Wikipedia:Domain Name System|Domain Name System]] (DNS).
 +
This article explains how to configure domain name resolution and resolve domain names.
  
The configuration file for DNS resolvers is {{ic|/etc/resolv.conf}}. From {{man|5|resolv.conf}}:
+
== Name Service Switch ==
:The resolver is a set of routines in the C library that provide access to the Internet Domain Name System (DNS). The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process. The file is designed to be human readable and contains a list of keywords with values that provide various types of resolver information.
 
  
:If this file does not exist, only the name server on the local machine will be queried; the domain name is determined from the hostname and the domain search path is constructed from the domain name.
+
The [[Wikipedia:Name Service Switch|Name Service Switch]] (NSS) facility is part of the GNU C Library ({{Pkg|glibc}}) and backs the {{man|3|getaddrinfo}} API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in {{man|5|nsswitch.conf}}. The database responsible for domain name resolution is the ''hosts'' database, for which glibc offers the following services:
  
== DNS in Linux ==
+
* ''file'': reads the {{ic|/etc/hosts}} file, see {{man|5|hosts}}
 +
* ''dns'': the [[#Glibc resolver|glibc resolver]] which reads {{ic|/etc/resolv.conf}}, see {{man|5|resolv.conf}}
  
Your ISP (usually) provides working [[wikipedia:Domain_Name_System|DNS]] servers, and a router may also add an extra DNS server in case it has its own cache server. Switching between DNS servers does not represent a problem for Windows users, because if a DNS server is slow or does not work it will immediately switch to a better one.  However, Linux usually takes longer to timeout, which could be the reason why you are getting a delay.
+
[[Systemd]] provides three NSS services for hostname resolution:
  
=== Testing ===
+
* {{man|8|nss-resolve}} - a caching DNS stub resolver, described in [[systemd-resolved]]
 +
* {{man|8|nss-myhostname}} - provides hostname resolution without having to edit {{ic|/etc/hosts}}, described in [[Network configuration#Local hostname resolution]]
 +
* {{man|8|nss-mymachines}} - provides hostname resolution for the names of local {{man|8|systemd-machined}} containers
  
Use ''drill'' (provided by package {{Pkg|ldns}}) before any changes, repeat after making the adjustments and compare the query time(s). The following command uses the nameservers set in {{ic|/etc/resolv.conf}}:
+
=== Resolve a domain name using NSS ===
$ drill www5.yahoo.com
 
  
You can also specify a specific nameserver's ip address, bypassing the settings in your {{ic|/etc/resolv.conf}}:
+
NSS databases can be queried with {{man|1|getent}}. A domain name can be resolved through NSS using:
  
  $ drill @''ip.of.name.server'' www5.yahoo.com
+
  $ getent hosts ''domain_name''
  
For example to test Google's name servers:
+
{{Note|While most programs resolve domain names using NSS, some may read {{ic|/etc/resolv.conf}} and/or {{ic|/etc/hosts}} directly. See [[Network configuration#Local hostname resolution]].}}
  
$ drill @8.8.8.8 www5.yahoo.com
+
== Glibc resolver ==
  
To test a local name server (such as [[unbound]]) do:
+
The glibc resolver reads {{ic|/etc/resolv.conf}} for every resolution to determine the nameservers and options to use.
  
$ drill @127.0.0.1 www5.yahoo.com
+
{{man|5|resolv.conf}} lists nameservers together with some configuration options.
 +
Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign ({{ic|#}}) are ignored.
  
== Alternative DNS servers ==
+
{{Note|The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See [[#DNS servers]] for more information.}}
  
To use alternative DNS servers, edit {{ic|/etc/resolv.conf}} and add them at the top of the list so they are used first, optionally removing or commenting out other servers. Currently, you may include a maximum of three nameservers.
+
=== Overwriting of /etc/resolv.conf ===
  
{{Note|Changes made to {{ic|/etc/resolv.conf}} take effect immediately.}}
+
[[Network manager]]s tend to overwrite {{ic|/etc/resolv.conf}}, for specifics see the corresponding section:
  
{{Tip|If you require more flexibility, e.g. more than three nameservers, you can use a local DNS resolver like [[dnsmasq]] or [[unbound]]. In this case the nameserver IP address will likely be {{ic|127.0.0.1}}.}}
+
* [[dhcpcd#resolv.conf]]
 +
* [[netctl#resolv.conf]]
 +
* [[NetworkManager#resolv.conf]]
  
=== OpenNIC ===
+
To prevent programs from overwriting {{ic|/etc/resolv.conf}} you can also write-protect it by setting the immutable [[file attribute]]:
  
[http://www.opennicproject.org/ OpenNIC] provides free uncensored nameservers located in multiple countries.
+
# chattr +i /etc/resolv.conf
  
The full list of public servers is available [https://servers.opennic.org/ here] and a shortlist of nearest nameservers for optimal performance is generated on their [https://www.opennic.org/ home page].  
+
{{Tip|If you want multiple processes to write to {{ic|/etc/resolv.conf}}, you can use [[resolvconf]].}}
  
Alternatively, the anycast servers below can be used; while reliable their latency [https://wiki.opennic.org/opennic/dont_anycast fluctuates a lot].
+
=== Limit lookup time ===
  
# OpenNIC IPv4 nameservers (Worldwide Anycast)
+
If you are confronted with a very long hostname lookup (may it be in [[pacman]] or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in {{ic|/etc/resolv.conf}}.
nameserver 185.121.177.177
 
nameserver 185.121.177.53
 
  
  # OpenNIC IPv6 nameservers (Worldwide Anycast)
+
  options timeout:1
nameserver 2a05:dfc7:5::53
 
nameserver 2a05:dfc7:5::5353
 
  
{{Note|Use of OpenNIC DNS servers will allow host name resolution in the traditional Top-Level Domain (TLD) registries, but also in OpenNIC or afiliated operated namespaces.}}
+
=== Hostname lookup delayed with IPv6 ===
  
=== Cisco Umbrella (formerly OpenDNS) ===
+
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[https://udrepper.livejournal.com/20948.html] You can fix that by setting the following option in {{ic|/etc/resolv.conf}}:
  
[https://www.opendns.com/home-internet-security/ OpenDNS] provided free alternative nameservers, was [https://umbrella.cisco.com/products/features/opendns-cisco-umbrella bought by Cisco in Nov. 2016] and continues to offer OpenDNS as end-user product of its "Umbrella" product suite with focus on Security Enforcement, Security Intelligence and Web Filtering.
+
options single-request
The old nameservers [https://www.opendns.com/setupguide/ still work] but are [https://www.opendns.com/home-internet-security/ pre-configured to block adult content]:
 
  
# OpenDNS IPv4 nameservers
+
=== Local domain names ===
nameserver 208.67.222.222
 
nameserver 208.67.220.220
 
  
# OpenDNS IPv6 nameservers
+
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to {{ic|/etc/resolv.conf}} with the local domain such as:
nameserver 2620:0:ccc::2
 
nameserver 2620:0:ccd::2
 
  
=== Google ===
+
domain example.com
  
[https://developers.google.com/speed/public-dns/ Google's nameservers] can be used as an alternative:
+
That way you can refer to local hosts such as {{ic|mainmachine1.example.com}} as simply {{ic|mainmachine1}} when using the ''ssh'' command, but the ''drill'' command still requires the fully qualified domain names in order to perform lookups.
 
 
# Google IPv4 nameservers
 
nameserver 8.8.8.8
 
nameserver 8.8.4.4
 
 
 
# Google IPv6 nameservers
 
nameserver 2001:4860:4860::8888
 
nameserver 2001:4860:4860::8844
 
 
 
=== Comodo ===
 
[http://securedns.dnsbycomodo.com/ Comodo] provides another IPv4 set, with optional (non-free) web-filtering. Implied in this feature is that the service hijacks the queries.
 
 
 
# Comodo nameservers
 
nameserver 8.26.56.26
 
nameserver 8.20.247.20
 
  
=== Yandex ===
+
== Lookup utilities ==
[https://dns.yandex.com/advanced/ Yandex.DNS] has three options:
 
  
# Basic Yandex.DNS - Quick and reliable DNS
+
To query specific DNS servers and DNS/[[DNSSEC]] records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use [[#Name Service Switch|NSS]].
nameserver 77.88.8.8              # Preferred IPv4 DNS
 
nameserver 77.88.8.1              # Alternate IPv4 DNS
 
 
nameserver 2a02:6b8::feed:0ff    # Preferred IPv6 DNS
 
nameserver 2a02:6b8:0:1::feed:0ff # Alternate IPv6 DNS
 
  
# Safe Yandex.DNS - Protection from virus and fraudulent content
+
* {{Pkg|ldns}} provides {{man|1|drill}}, which is a tool designed to retrieve information out of the DNS.
nameserver 77.88.8.88            # Preferred IPv4 DNS
 
nameserver 77.88.8.2              # Alternate IPv4 DNS
 
 
nameserver 2a02:6b8::feed:bad    # Preferred IPv6 DNS
 
nameserver 2a02:6b8:0:1::feed:bad # Alternate IPv6 DNS
 
  
# Family Yandex.DNS - Without adult content
+
For example, to query a specific nameserver with ''drill'' for the TXT records of a domain:
nameserver 77.88.8.7              # Preferred IPv4 DNS
 
nameserver 77.88.8.3              # Alternate IPv4 DNS
 
 
nameserver 2a02:6b8::feed:a11    # Preferred IPv6 DNS
 
nameserver 2a02:6b8:0:1::feed:a11 # Alternate IPv6 DNS
 
  
Yandex.DNS' speed is the same in the three modes. In ''Basic'' mode, there is no traffic filtering. In ''Safe'' mode, protection from infected and fraudulent sites is provided. ''Family'' mode enables protection from dangerous sites and blocks sites with adult content.
+
$ drill @''nameserver'' TXT ''domain''
  
=== UncensoredDNS ===
+
If you do not specify a DNS server ''drill'' uses the nameservers defined in {{ic|/etc/resolv.conf}}.
  
[http://censurfridns.dk UncensoredDNS] is a free uncensored DNS service. It is run by a private individual and consists in one anycast served by multiple servers and one unicast node hosted in Denmark.
+
* {{Pkg|bind-tools}} provides {{man|1|dig}}, {{man|1|host}}, {{man|1|nslookup}} and a bunch of {{ic|dnssec-}} tools.
  
# censurfridns.dk IPv4 nameservers
+
== Resolver performance ==
nameserver 91.239.100.100    ## anycast.censurfridns.dk
 
nameserver 89.233.43.71      ## unicast.censurfridns.dk
 
  
# censurfridns.dk IPv6 nameservers
+
The Glibc resolver does not cache queries. If you want local caching use [[systemd-resolved]] or set up a local caching [[#DNS servers|DNS server]] and use {{ic|127.0.0.1}} as your name server.
nameserver 2001:67c:28a4::  ## anycast.censurfridns.dk
 
nameserver 2a01:3a0:53:53::  ## unicast.censurfridns.dk
 
  
{{Note|Its servers listen to port 5353 as well as the standard port 53. This can be used in case your ISP hijacks port 53.}}
+
{{Tip|
 +
* The ''drill'' or ''dig'' [[#Lookup utilities|lookup utilities]] report the query time.
 +
* A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.  
 +
* If it takes too long to switch to the next DNS server you can try [[#Limit lookup time|decreasing the timeout]].}}
  
== Preserve DNS settings ==
+
== Privacy and security ==
  
[[dhcpcd]], [[netctl]], [[NetworkManager]], and various other processes can overwrite {{ic|/etc/resolv.conf}}. This is usually desirable behavior, but sometimes DNS settings need to be set manually (e.g. when using a static IP address). There are several ways to accomplish this.
+
The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses [[Wikipedia:Man-in-the-middle attack|manipulated]]. Furthermore, DNS servers can conduct [[Wikipedia:DNS hijacking|DNS hijacking]].
*If you are using ''dhcpcd'', see [[#Modify the dhcpcd config]] below.
 
*If you are using [[netctl]] and static IP address assignment, do not use the {{ic|DNS*}} options in your profile, otherwise ''resolvconf'' is called and {{ic|/etc/resolv.conf}} overwritten.
 
  
=== With NetworkManager===
+
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and [[#Third-party DNS services|third-parties]]. Alternatively you can run your own [[#DNS servers|recursive name server]], which however takes more effort. If you use a [[DHCP]] client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]], provided that both the upstream server and your [[#DNS servers|resolver]] support the protocol. To verify that responses are actually from [[Wikipedia:Authoritative name server|authoritative name servers]], you can validate [[DNSSEC]], provided that both the upstream server(s) and your [[#DNS servers|resolver]] support it.
  
To stop NetworkManager from modifying {{ic|/etc/resolv.conf}}, edit {{ic|/etc/NetworkManager/NetworkManager.conf}} and add the following in the {{ic|[main]}} section:
+
Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh]
  
dns=none
+
== Third-party DNS services ==
  
{{ic|/etc/resolv.conf}} might be a broken symlink that you will need to remove after doing that. Then, just create a new {{ic|/etc/resolv.conf}} file.
+
{{Note|Before using a third-party DNS service, check its privacy policy for information on how user data is handled. User data has value and can be sold to other parties.}}
  
=== Using openresolv ===
+
There are various [[Wikipedia:Public recursive name server#List of public DNS service operators|third-party DNS services]] available, some of which also have dedicated software:
  
{{Pkg|openresolv}} provides a utility ''resolvconf'', which is a framework for managing multiple DNS configurations. See {{man|8|resolvconf}} and {{man|5|resolvconf.conf}} for more information.
+
* {{App|dingo|A DNS client for Google DNS over HTTPS|https://github.com/pforemski/dingo|{{Pkg|dingo}}}}
 +
* {{App|opennic-up|Automates the renewal of the DNS servers with the most responsive OpenNIC servers|https://github.com/kewlfft/opennic-up|{{AUR|opennic-up}}}}
  
The configuration is done in {{ic|/etc/resolvconf.conf}} and running {{ic|resolvconf -u}} will generate {{ic|/etc/resolv.conf}}.
+
== DNS servers ==
  
=== Modify the dhcpcd config ===
+
[[DNS]] servers can be [[Wikipedia:Authoritative name server|authoritative]] and [[Wikipedia:Name server#Recursive query|recursive]]. If they are neither, they are called '''stub resolvers''' and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to [[Wikipedia:Comparison of DNS server software|Wikipedia]].
  
''dhcpcd'''s configuration file may be edited to prevent the ''dhcpcd'' daemon from overwriting {{ic|/etc/resolv.conf}}. To do this, add the following to the last section of {{ic|/etc/dhcpcd.conf}}:
+
{{Expansion|Fill in the unknowns. Add {{AUR|deadwood}}.}}
  
  nohook resolv.conf
+
{| class="wikitable sortable" style="text-align:center"
 +
! Name !! Package !! [[Wikipedia:Authoritative name server|Authoritative]]<br>/ [[Wikipedia:Name server#Recursive query|Recursive]] !! [[Wikipedia:Name server#Caching name server|Cache]] !! [[resolvconf]] !! [[Wikipedia:Domain Name System Security Extensions#The lookup procedure|Validates]]<br>[[DNSSEC]] !! [[Wikipedia:DNS over TLS|DNS<br>over TLS]] !! [[Wikipedia:DNS over HTTPS|DNS<br>over HTTPS]]
 +
|-
 +
! [[dnscrypt-proxy]]<sup>1</sup>
 +
| {{Pkg|dnscrypt-proxy}} || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{Yes}}
 +
|-
 +
! [[Rescached]]
 +
| {{AUR|rescached-git}} || {{No}} || {{Yes}} || {{Yes|https://github.com/shuLhan/rescached-go#integration-with-openresolv}} || {{No}} || {{No}} || {{Y|Limited}}<sup>2</sup>
 +
|-
 +
! [[Stubby]]
 +
| {{Pkg|stubby}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}}
 +
|-
 +
!style="white-space: nowrap;"| [[systemd-resolved]]
 +
| {{Pkg|systemd}} || {{No}} || {{Yes}} || {{G|[[systemd-resolvconf|Yes]]}} || {{Yes}} || {{Y|Insecure}}<sup>3</sup> || {{No|https://github.com/systemd/systemd/issues/8639}}
 +
|-
 +
! [[dnsmasq]]
 +
| {{Pkg|dnsmasq}} || {{Y|Partial}}<sup>4</sup> || {{Yes}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{Yes}} || {{No|http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q2/012131.html}} || {{No}}
 +
|-
 +
! [[BIND]]
 +
| {{Pkg|bind}} || {{Yes}} || {{Yes}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{Yes}} || ? || ?
 +
|-
 +
! [[Knot Resolver]]
 +
| {{AUR|knot-resolver}} || {{Yes}} || {{Yes}} || {{No}} || {{Yes}} || {{Yes}} || {{No|https://gitlab.labs.nic.cz/knot/knot-resolver/issues/243}}
 +
|-
 +
! [[Wikipedia:MaraDNS|MaraDNS]]
 +
| {{AUR|maradns}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}}
 +
|-
 +
! [[pdnsd]]
 +
| {{Pkg|pdnsd}} || {{Yes}} || {{G|Permanent}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{No}} || {{No}} || {{No}}
 +
|-
 +
! [https://www.powerdns.com/recursor.html PowerDNS Recursor]
 +
| {{Pkg|powerdns-recursor}} || {{Yes}} || {{Yes}} || {{No|https://roy.marples.name/projects/openresolv/config#pdns_recursor}} || {{Yes}} || ? || ?
 +
|-
 +
! [[Unbound]]
 +
| {{Pkg|unbound}} || {{Yes}} || {{Yes}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{Yes}} || {{Yes}} || {{No|1=https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=1200}}
 +
|}
  
Alternatively, you can create a file called {{ic|/etc/resolv.conf.head}} containing your DNS servers. ''dhcpcd'' will prepend this file to the beginning of {{ic|/etc/resolv.conf}}.
+
# Implements a [[Wikipedia:DNSCrypt|DNSCrypt]] protocol client.
 +
# Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[https://github.com/shuLhan/rescached-go#integration-with-dns-over-https]
 +
# From {{man|5|resolved.conf}}: ''Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.''[https://github.com/systemd/systemd/issues/9397] Also, the only supported mode is "opportunistic", which ''makes DNS-over-TLS vulnerable to "downgrade" attacks''.[https://github.com/systemd/systemd/issues/10755]
 +
# From [[Wikipedia:Comparison_of_DNS_server_software#cite_note-masqauth-26|Wikipedia]]: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.
  
Or you can configure dhcpcd to use the same DNS servers every time. To do this, add the following line at the end of your {{ic|/etc/dhcpcd.conf}}, where {{ic|''dns-server-ip-addressses''}} is a space separated list of DNS IP addresses.
+
=== Authoritative-only servers ===
  
  static domain_name_servers=''dns-server-ip-addresses''
+
{| class="wikitable sortable" style="text-align:center"
 +
! Name !! Package !! [[DNSSEC]] !! Geographic<br>balancing
 +
|-
 +
! [https://gdnsd.org/ gdnsd]
 +
| {{Pkg|gdnsd}} || {{No}} || {{Yes}}
 +
|-
 +
! [https://www.knot-dns.cz/ Knot DNS]
 +
| {{Pkg|knot}} || {{Yes}} || {{No}}
 +
|-
 +
! [[NSD]]
 +
| {{Pkg|nsd}} || {{No}} || {{No}}
 +
|-
 +
! [https://www.powerdns.com/auth.html PowerDNS]
 +
| {{Pkg|powerdns}} || {{Yes}} || {{Yes}}
 +
|}
  
For example, to set it to Google's DNS servers:
+
== See also ==
  
static domain_name_servers=8.8.8.8 8.8.4.4
+
* [https://www.tldp.org/LDP/nag2/x-087-2-resolv.html Linux Network Administrators Guide]
 
+
* [https://www.debian.org/doc/manuals/debian-handbook/sect.hostname-name-service.en.html#sect.name-resolution Debian Handbook]
=== Write-protect /etc/resolv.conf ===
+
* [[RFC:7706]] - Decreasing Access Time to Root Servers by Running One on Loopback
 
 
Another way to protect your {{ic|/etc/resolv.conf}} from being modified by anything is setting the immutable (write-protection) attribute:
 
 
 
# chattr +i /etc/resolv.conf
 
 
 
=== Use timeout option to reduce hostname lookup time ===
 
 
 
If you are confronted with a very long hostname lookup (may it be in [[pacman]] or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in {{ic|/etc/resolv.conf}}.
 
 
 
options timeout:1
 
 
 
== Tips and tricks ==
 
 
 
=== Local domain names ===
 
 
 
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to {{ic|resolv.conf}} with the local domain such as:
 
 
 
domain example.com
 
 
 
That way you can refer to local hosts such as {{ic|mainmachine1.example.com}} as simply {{ic|mainmachine1}} when using the ''ssh'' command, but the ''drill'' command still requires the fully qualified domain names in order to perform lookups.
 

Latest revision as of 19:18, 9 January 2019

In general, a domain name represents an IP address and is associated to it in the Domain Name System (DNS). This article explains how to configure domain name resolution and resolve domain names.

Name Service Switch

The Name Service Switch (NSS) facility is part of the GNU C Library (glibc) and backs the getaddrinfo(3) API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in nsswitch.conf(5). The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:

Systemd provides three NSS services for hostname resolution:

Resolve a domain name using NSS

NSS databases can be queried with getent(1). A domain name can be resolved through NSS using:

$ getent hosts domain_name
Note: While most programs resolve domain names using NSS, some may read /etc/resolv.conf and/or /etc/hosts directly. See Network configuration#Local hostname resolution.

Glibc resolver

The glibc resolver reads /etc/resolv.conf for every resolution to determine the nameservers and options to use.

resolv.conf(5) lists nameservers together with some configuration options. Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (#) are ignored.

Note: The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See #DNS servers for more information.

Overwriting of /etc/resolv.conf

Network managers tend to overwrite /etc/resolv.conf, for specifics see the corresponding section:

To prevent programs from overwriting /etc/resolv.conf you can also write-protect it by setting the immutable file attribute:

# chattr +i /etc/resolv.conf
Tip: If you want multiple processes to write to /etc/resolv.conf, you can use resolvconf.

Limit lookup time

If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf.

options timeout:1

Hostname lookup delayed with IPv6

If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[1] You can fix that by setting the following option in /etc/resolv.conf:

options single-request

Local domain names

If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to /etc/resolv.conf with the local domain such as:

domain example.com

That way you can refer to local hosts such as mainmachine1.example.com as simply mainmachine1 when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.

Lookup utilities

To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.

  • ldns provides drill(1), which is a tool designed to retrieve information out of the DNS.

For example, to query a specific nameserver with drill for the TXT records of a domain:

$ drill @nameserver TXT domain

If you do not specify a DNS server drill uses the nameservers defined in /etc/resolv.conf.

Resolver performance

The Glibc resolver does not cache queries. If you want local caching use systemd-resolved or set up a local caching DNS server and use 127.0.0.1 as your name server.

Tip:
  • The drill or dig lookup utilities report the query time.
  • A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.
  • If it takes too long to switch to the next DNS server you can try decreasing the timeout.

Privacy and security

The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses manipulated. Furthermore, DNS servers can conduct DNS hijacking.

You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and third-parties. Alternatively you can run your own recursive name server, which however takes more effort. If you use a DHCP client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like DNS over TLS, DNS over HTTPS or DNSCrypt, provided that both the upstream server and your resolver support the protocol. To verify that responses are actually from authoritative name servers, you can validate DNSSEC, provided that both the upstream server(s) and your resolver support it.

Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[2]

Third-party DNS services

Note: Before using a third-party DNS service, check its privacy policy for information on how user data is handled. User data has value and can be sold to other parties.

There are various third-party DNS services available, some of which also have dedicated software:

  • dingo — A DNS client for Google DNS over HTTPS
https://github.com/pforemski/dingo || dingo
  • opennic-up — Automates the renewal of the DNS servers with the most responsive OpenNIC servers
https://github.com/kewlfft/opennic-up || opennic-upAUR

DNS servers

DNS servers can be authoritative and recursive. If they are neither, they are called stub resolvers and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to Wikipedia.

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Fill in the unknowns. Add deadwoodAUR. (Discuss in Talk:Domain name resolution#)
Name Package Authoritative
/ Recursive
Cache resolvconf Validates
DNSSEC
DNS
over TLS
DNS
over HTTPS
dnscrypt-proxy1 dnscrypt-proxy No Yes No No No Yes
Rescached rescached-gitAUR No Yes Yes No No Limited2
Stubby stubby No No No Yes Yes No
systemd-resolved systemd No Yes Yes Yes Insecure3 No
dnsmasq dnsmasq Partial4 Yes Yes Yes No No
BIND bind Yes Yes Yes Yes ? ?
Knot Resolver knot-resolverAUR Yes Yes No Yes Yes No
MaraDNS maradnsAUR Yes Yes No No No No
pdnsd pdnsd Yes Permanent Yes No No No
PowerDNS Recursor powerdns-recursor Yes Yes No Yes ? ?
Unbound unbound Yes Yes Yes Yes Yes No
  1. Implements a DNSCrypt protocol client.
  2. Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[3]
  3. From resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.[4] Also, the only supported mode is "opportunistic", which makes DNS-over-TLS vulnerable to "downgrade" attacks.[5]
  4. From Wikipedia: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.

Authoritative-only servers

Name Package DNSSEC Geographic
balancing
gdnsd gdnsd No Yes
Knot DNS knot Yes No
NSD nsd No No
PowerDNS powerdns Yes Yes

See also