Difference between revisions of "Domain name resolution"

From ArchWiki
Jump to navigation Jump to search
(Alternative DNS servers: update Move template)
m (Page moved.)
 
(189 intermediate revisions by 12 users not shown)
Line 1: Line 1:
{{Lowercase title}}
 
 
[[Category:Domain Name System]]
 
[[Category:Domain Name System]]
 
[[Category:Network configuration]]
 
[[Category:Network configuration]]
 
[[de:Resolv.conf]]
 
[[de:Resolv.conf]]
[[es:Resolv.conf]]
+
[[es:Domain name resolution]]
 
[[fr:Resolv.conf]]
 
[[fr:Resolv.conf]]
 
[[it:Resolv.conf]]
 
[[it:Resolv.conf]]
 
[[ja:Resolv.conf]]
 
[[ja:Resolv.conf]]
[[zh-hans:Resolv.conf]]
+
[[pt:Domain name resolution]]
 +
[[zh-hans:Domain name resolution]]
 
{{Related articles start}}
 
{{Related articles start}}
{{Related|Improving performance#Network}}
+
{{Related|Network configuration}}
 
{{Related articles end}}
 
{{Related articles end}}
{{Move|DNS configuration|Article should describe nsswitch.conf, resolv.conf, caching DNS servers and utilities like dig & drill.|section=Rewrite}}
+
In general, a [[Wikipedia:Domain name|domain name]] represents an IP address and is associated to it in the [[Wikipedia:Domain Name System|Domain Name System]] (DNS).
 +
This article explains how to configure domain name resolution and resolve domain names.
  
The configuration file for DNS resolvers is {{ic|/etc/resolv.conf}}. From {{man|5|resolv.conf}}:
+
== Name Service Switch ==
:The resolver is a set of routines in the GNU C library ({{Pkg|glibc}}) that provide access to the Domain Name System. The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process. The file is designed to be human readable and contains a list of keywords with values that provide various types of resolver information.
 
  
:If this file does not exist, only the name server on the local machine will be queried; the domain name is determined from the hostname and the domain search path is constructed from the domain name.
+
The [[Wikipedia:Name Service Switch|Name Service Switch]] (NSS) facility is part of the GNU C Library ({{Pkg|glibc}}) and backs the {{man|3|getaddrinfo}} API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in {{man|5|nsswitch.conf}}. The database responsible for domain name resolution is the ''hosts'' database, for which glibc offers the following services:
  
To use [[#Alternative DNS servers]], edit {{ic|/etc/resolv.conf}} and add them at the top of the list so they are used first, optionally removing or commenting out other servers. Currently, you may include a maximum of three nameservers.  
+
* ''file'': reads the {{ic|/etc/hosts}} file, see {{man|5|hosts}}
 +
* ''dns'': the [[#Glibc resolver|glibc resolver]] which reads {{ic|/etc/resolv.conf}}, see {{man|5|resolv.conf}}
  
{{Note|Changes made to {{ic|/etc/resolv.conf}} take effect immediately.}}
+
[[Systemd]] provides three NSS services for hostname resolution:
  
{{Tip|If you require more flexibility, e.g. more than three nameservers, you can use a local DNS resolver like [[dnsmasq]] or [[unbound]]. In this case the nameserver IP address will likely be {{ic|127.0.0.1}}.}}
+
* {{man|8|nss-resolve}} - a caching DNS stub resolver, described in [[systemd-resolved]]
 +
* {{man|8|nss-myhostname}} - provides hostname resolution without having to edit {{ic|/etc/hosts}}, described in [[Network configuration#Local hostname resolution]]
 +
* {{man|8|nss-mymachines}} - provides hostname resolution for the names of local {{man|8|systemd-machined}} containers
  
== DNS in Linux ==
+
=== Resolve a domain name using NSS ===
  
ISPs usually provide working [[wikipedia:Domain_Name_System|DNS]] servers. A router may also add an extra DNS server in case it has its own cache server. Switching between DNS servers is transparent for Windows users, because if a DNS server is slow or does not work it will immediately switch to a better one. However, Linux usually takes longer to timeout, which could be the reason why you are getting a delay.
+
NSS databases can be queried with {{man|1|getent}}. A domain name can be resolved through NSS using:
  
=== Testing ===
+
$ getent hosts ''domain_name''
  
Use ''drill'' (provided by package {{Pkg|ldns}}) before any changes, repeat after making the adjustments and compare the query time(s). The following command uses the nameservers set in {{ic|/etc/resolv.conf}}:
+
{{Note|While most programs resolve domain names using NSS, some may read {{ic|/etc/resolv.conf}} and/or {{ic|/etc/hosts}} directly. See [[Network configuration#Local hostname resolution]].}}
$ drill www.archlinux.org
 
  
You can also specify a specific nameserver's ip address, bypassing the settings in your {{ic|/etc/resolv.conf}}:
+
== Glibc resolver ==
  
$ drill @''ip.of.name.server'' www.archlinux.org
+
The glibc resolver reads {{ic|/etc/resolv.conf}} for every resolution to determine the nameservers and options to use.  
  
For example to test Google's name servers:
+
{{man|5|resolv.conf}} lists nameservers together with some configuration options.
 +
Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign ({{ic|#}}) are ignored.
  
$ drill @8.8.8.8 www.archlinux.org
+
{{Note|The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See [[#DNS servers]] for more information.}}
  
To test a local name server (such as [[unbound]]) do:
+
=== Overwriting of /etc/resolv.conf ===
  
$ drill @127.0.0.1 www.archlinux.org
+
[[Network manager]]s tend to overwrite {{ic|/etc/resolv.conf}}, for specifics see the corresponding section:
  
== Preserve DNS settings ==
+
* [[dhcpcd#resolv.conf]]
 +
* [[netctl#resolv.conf]]
 +
* [[NetworkManager#resolv.conf]]
  
[[dhcpcd]], [[netctl]], [[NetworkManager]], and various other processes can overwrite {{ic|/etc/resolv.conf}}. This is usually desirable behavior, but sometimes DNS settings need to be set manually (e.g. when using a static IP address). There are several ways to accomplish this.
+
To prevent programs from overwriting {{ic|/etc/resolv.conf}} you can also write-protect it by setting the immutable [[file attribute]]:
 
 
*If you are using ''dhcpcd'', see [[#Modify the dhcpcd config]] below.
 
*If you are using [[netctl]] and static IP address assignment, do not use the {{ic|DNS*}} options in your profile, otherwise ''resolvconf'' is called and {{ic|/etc/resolv.conf}} overwritten.
 
 
 
=== Systemd-resolved configuration ===
 
 
 
{{man|8|systemd-resolved}} is a [[systemd]] service that provides network name resolution to local applications.
 
''systemd-resolved'' has [https://jlk.fjfi.cvut.cz/arch/manpages/man/systemd-resolved.8#/ETC/RESOLV.CONF four different modes for handling ''resolv.conf'']. We will focus here on the two most relevant modes.
 
 
 
# The mode in which ''systemd-resolved'' is a client of the {{ic|/etc/resolv.conf}}. This mode preserves {{ic|/etc/resolv.conf}} and is '''compatible''' with the procedures described in this page.
 
# The ''systemd-resolved'''s '''recommended''' mode of operation: the DNS stub file as indicated below contains both the local stub {{ic|127.0.0.53}} as the only DNS servers and a list of search domains.
 
 
 
{{hc|/run/systemd/resolve/stub-resolv.conf|
 
nameserver 127.0.0.53
 
search lan
 
}}
 
 
 
The service users are advised to redirect the {{ic|/etc/resolv.conf}} file to the local stub DNS resolver file {{ic|/run/systemd/resolve/stub-resolv.conf}} managed by ''systemd-resolved''. This propagates the systemd managed configuration to all the clients. This can be done by deleting or renaming the existing {{ic|/etc/resolv.conf}} and replacing it by a symbolic link to the systemd stub:
 
 
 
# ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
 
 
 
In this mode, the DNS servers are provided in the {{man|5|resolved.conf}} file:
 
 
 
{{hc|/etc/systemd/resolved.conf|2=
 
[Resolve]
 
'''DNS=91.239.100.100 89.233.43.71'''
 
...
 
}}
 
 
 
In order to check the DNS actually used by ''systemd-resolved'', the command to use is:
 
 
 
$ systemd-resolve --status
 
 
 
{{Tip|
 
* To understand the context around the DNS choices and switches, one can turn on detailed debug information for ''systemd-resolved'' as described in [[Systemd#Diagnosing a service]].
 
* The mode of operation of ''systemd-resolved'' is detected automatically, depending on whether {{ic|/etc/resolv.conf}} is a symlink to the local stub DNS resolver file or contains server names.
 
}}
 
 
 
=== Prevent NetworkManager modifications ===
 
 
 
{{Move|NetworkManager#Prevent overwriting of resolv.conf|NetworkManager configuration belongs to the [[NetworkManager]] article.|section=Rewrite}}
 
 
 
To stop ''NetworkManager'' from modifying {{ic|/etc/resolv.conf}}, edit {{ic|/etc/NetworkManager/NetworkManager.conf}} and add the following in the {{ic|[main]}} section:
 
 
 
dns=none
 
 
 
{{ic|/etc/resolv.conf}} might be a broken symlink that you will need to remove after doing that. Then, just create a new {{ic|/etc/resolv.conf}} file.
 
 
 
''NetworkManager'' also offers hooks via so called dispatcher scripts that can be used to alter the {{ic|/etc/resolv.conf}} after network changes. See [[NetworkManager#Network services with NetworkManager dispatcher]] and {{man|8|NetworkManager}} for more information.
 
 
 
=== Openresolv ===
 
 
 
{{Pkg|openresolv}} provides a utility ''resolvconf'', which is a framework for managing multiple DNS configurations. See {{man|8|resolvconf}} and {{man|5|resolvconf.conf}} for more information.
 
 
 
The configuration is done in {{ic|/etc/resolvconf.conf}} and running {{ic|resolvconf -u}} will generate {{ic|/etc/resolv.conf}}.
 
 
 
Note that ''NetworkManager'' can be configured to use ''openresolv'', see [[NetworkManager#Configure NetworkManager resolv.conf management mode to use resolvconf]].
 
 
 
=== Modify the dhcpcd config ===
 
 
 
{{Move|dhcpcd#Prevent overwriting of resolv.conf|dhcpcd configuration belongs to the [[dhcpcd]] article.|section=Rewrite}}
 
 
 
''dhcpcd'''s configuration file may be edited to prevent the ''dhcpcd'' daemon from overwriting {{ic|/etc/resolv.conf}}. To do this, add the following to the last section of {{ic|/etc/dhcpcd.conf}}:
 
 
 
nohook resolv.conf
 
 
 
Alternatively, you can create a file called {{ic|/etc/resolv.conf.head}} containing your DNS servers. ''dhcpcd'' will prepend this file to the beginning of {{ic|/etc/resolv.conf}}.
 
 
 
Or you can configure dhcpcd to use the same DNS servers every time. To do this, add the following line at the end of your {{ic|/etc/dhcpcd.conf}}, where {{ic|''dns-server-ip-addressses''}} is a space separated list of DNS IP addresses.
 
 
 
static domain_name_servers=''dns-server-ip-addresses''
 
 
 
For example, to set it to Google's DNS servers:
 
 
 
static domain_name_servers=8.8.8.8 8.8.4.4
 
 
 
=== Write-protect resolv.conf ===
 
 
 
Another way to protect your {{ic|/etc/resolv.conf}} from being modified by anything is setting the immutable (write-protection) attribute:
 
  
 
  # chattr +i /etc/resolv.conf
 
  # chattr +i /etc/resolv.conf
  
== Tips and tricks ==
+
{{Tip|If you want multiple processes to write to {{ic|/etc/resolv.conf}}, you can use [[resolvconf]].}}
  
 
=== Limit lookup time ===
 
=== Limit lookup time ===
Line 140: Line 66:
 
=== Hostname lookup delayed with IPv6 ===
 
=== Hostname lookup delayed with IPv6 ===
  
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request ([http://udrepper.livejournal.com/20948.html source]).
+
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[https://udrepper.livejournal.com/20948.html] You can fix that by setting the following option in {{ic|/etc/resolv.conf}}:
You can fix that by setting the following option in {{ic|/etc/resolv.conf}}:
 
  
 
  options single-request
 
  options single-request
Line 147: Line 72:
 
=== Local domain names ===
 
=== Local domain names ===
  
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to {{ic|resolv.conf}} with the local domain such as:
+
If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to {{ic|/etc/resolv.conf}} with the local domain such as:
  
 
  domain example.com
 
  domain example.com
Line 153: Line 78:
 
That way you can refer to local hosts such as {{ic|mainmachine1.example.com}} as simply {{ic|mainmachine1}} when using the ''ssh'' command, but the ''drill'' command still requires the fully qualified domain names in order to perform lookups.
 
That way you can refer to local hosts such as {{ic|mainmachine1.example.com}} as simply {{ic|mainmachine1}} when using the ''ssh'' command, but the ''drill'' command still requires the fully qualified domain names in order to perform lookups.
  
== Alternative DNS servers ==
+
== Lookup utilities ==
{{Move|Public DNS servers|While a list of public DNS servers is relevant to DNS configuration it's a different topic.|section=Rewrite}}
 
  
=== Cisco Umbrella (formerly OpenDNS) ===
+
To query specific DNS servers and DNS/[[DNSSEC]] records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use [[#Name Service Switch|NSS]].
  
[https://www.opendns.com/home-internet-security/ OpenDNS] provided free alternative nameservers, was [https://umbrella.cisco.com/products/features/opendns-cisco-umbrella bought by Cisco in Nov. 2016] and continues to offer OpenDNS as end-user product of its "Umbrella" product suite with focus on Security Enforcement, Security Intelligence and Web Filtering.
+
* {{Pkg|ldns}} provides {{man|1|drill}}, which is a tool designed to retrieve information out of the DNS.
The old nameservers [https://www.opendns.com/setupguide/ still work] but are [https://www.opendns.com/home-internet-security/ pre-configured to block adult content]:
 
  
IPv4 nameservers
+
For example, to query a specific nameserver with ''drill'' for the TXT records of a domain:
208.67.222.222
 
208.67.220.220
 
  
IPv6 nameservers
+
  $ drill @''nameserver'' TXT ''domain''
  2620:0:ccc::2
 
2620:0:ccd::2
 
  
=== Cloudflare ===
+
If you do not specify a DNS server ''drill'' uses the nameservers defined in {{ic|/etc/resolv.conf}}.
  
[https://1.1.1.1/ Cloudflare] provides a service committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours, with the exception of providing data to APNIC labs for research purposes. APNIC and Cloudfare committed to treat all data with high privacy standards in their [https://labs.apnic.net/?p=1127 research agreement statement].
+
* {{Pkg|bind-tools}} provides {{man|1|dig}}, {{man|1|host}}, {{man|1|nslookup}} and a bunch of {{ic|dnssec-}} tools.
  
IPv4 nameservers:
+
== Resolver performance ==
1.1.1.1
 
1.0.0.1
 
  
IPv6 nameservers:
+
The Glibc resolver does not cache queries. If you want local caching use [[systemd-resolved]] or set up a local caching [[#DNS servers|DNS server]] and use {{ic|127.0.0.1}} as your name server.
2606:4700:4700::1111
 
2606:4700:4700::1001
 
  
=== Comodo ===
+
{{Tip|
 
+
* The ''drill'' or ''dig'' [[#Lookup utilities|lookup utilities]] report the query time.
[http://securedns.dnsbycomodo.com/ Comodo] provides another IPv4 set, with optional (non-free) web-filtering. Implied in this feature is that the service hijacks the queries.  
+
* A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.  
 
+
* If it takes too long to switch to the next DNS server you can try [[#Limit lookup time|decreasing the timeout]].}}
8.26.56.26
 
8.20.247.20
 
 
 
=== DNS.WATCH ===
 
 
 
[https://dns.watch/ DNS.WATCH] focuses on neutrality and security and provides two servers located in Germany with no logging and with DNSSEC enabled. Note they welcome commercial sponsorship.
 
 
 
84.200.69.80    # resolver1.dns.watch
 
84.200.70.40    # resolver2.dns.watch
 
 
 
=== Google ===
 
 
 
[https://developers.google.com/speed/public-dns/ Google's nameservers] can be used as an alternative:
 
 
 
IPv4 nameservers
 
8.8.8.8
 
8.8.4.4
 
 
 
IPv6 nameservers
 
2001:4860:4860::8888
 
2001:4860:4860::8844
 
 
 
=== OpenNIC ===
 
 
 
[http://www.opennicproject.org/ OpenNIC] provides free uncensored nameservers located in multiple countries. The full list of public servers is available at [https://servers.opennic.org/ servers.opennic.org] and a shortlist of nearest nameservers for optimal performance is generated on their [https://www.opennic.org/ home page].
 
 
 
To retrieve a list of nearest nameservers, an [https://wiki.opennic.org/api/geoip API] is also available and returns, based on the [https://wiki.opennic.org/api/geoip#url_parameters URL parameters] provided, a list of nameservers in the desired format. For example to get the 200 nearest IPv4 servers, one can use https://api.opennicproject.org/geoip/?list&ipv=4&res=200&adm=0&bl&wl.
 
 
 
Alternatively, the anycast servers below can be used; while reliable their latency [https://wiki.opennic.org/opennic/dont_anycast fluctuates a lot].
 
 
 
IPv4 nameservers (Worldwide Anycast)
 
185.121.177.177
 
185.121.177.53
 
  
IPv6 nameservers (Worldwide Anycast)
+
== Privacy and security ==
2a05:dfc7:5::53
 
2a05:dfc7:5::5353
 
  
{{Note|
+
The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses [[Wikipedia:Man-in-the-middle attack|manipulated]]. Furthermore, DNS servers can conduct [[Wikipedia:DNS hijacking|DNS hijacking]].
* The use of OpenNIC DNS servers will allow host name resolution in the traditional Top-Level Domain (TLD) registries, but also in OpenNIC or afiliated operated namespaces: ''.o'', ''.libre'', ''.dyn''...
 
* The tool {{App|opennic-up|automates the renewal of the DNS servers with the most responsive OpenNIC servers|https://github.com/kewlfft/opennic-up|{{AUR|opennic-up}}}}
 
}}
 
  
=== Quad9 ===
+
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and [[#Third-party DNS services|third-parties]]. Alternatively you can run your own [[#DNS servers|recursive name server]], which however takes more effort. If you use a [[DHCP]] client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like [[Wikipedia:DNS over TLS|DNS over TLS]], [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] or [[Wikipedia:DNSCrypt|DNSCrypt]], provided that both the upstream server and your [[#DNS servers|resolver]] support the protocol. To verify that responses are actually from [[Wikipedia:Authoritative name server|authoritative name servers]], you can validate [[DNSSEC]], provided that both the upstream server(s) and your [[#DNS servers|resolver]] support it.
  
[https://quad9.net/#/ Quad9] is a free DNS service founded by [https://www.ibm.com/security IBM], [https://www.pch.net Packet Clearing House] and [https://www.globalcyberalliance.org Global Cyber Alliance]; its primary unique feature is a blocklist which avoids resolving known malicious domains. The addresses below are worldwide anycast.
+
Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/#trr-and-doh]
  
IPv4 nameservers
+
== Third-party DNS services ==
9.9.9.9    ## "secure", with blocklist and DNSSEC
 
9.9.9.10    ## no blocklist, no DNSSEC
 
  
IPv6 nameservers
+
{{Note|Before using a third-party DNS service, check its privacy policy for information on how user data is handled. User data has value and can be sold to other parties.}}
2620:fe::fe    ## "secure", with blocklist and DNSSEC
 
2620:fe::10    ## no blocklist, no DNSSEC
 
  
=== UncensoredDNS ===
+
There are various [[Wikipedia:Public recursive name server#List of public DNS service operators|third-party DNS services]] available, some of which also have dedicated software:
  
[http://censurfridns.dk UncensoredDNS] is a free uncensored DNS service. It is run by a private individual and consists in one anycast served by multiple servers and one unicast node hosted in Denmark.
+
* {{App|dingo|A DNS client for Google DNS over HTTPS|https://github.com/pforemski/dingo|{{Pkg|dingo}}}}
 +
* {{App|opennic-up|Automates the renewal of the DNS servers with the most responsive OpenNIC servers|https://github.com/kewlfft/opennic-up|{{AUR|opennic-up}}}}
  
IPv4 nameservers
+
== DNS servers ==
91.239.100.100    ## anycast.censurfridns.dk
 
89.233.43.71      ## unicast.censurfridns.dk
 
  
IPv6 nameservers
+
[[DNS]] servers can be [[Wikipedia:Authoritative name server|authoritative]] and [[Wikipedia:Name server#Recursive query|recursive]]. If they are neither, they are called '''stub resolvers''' and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to [[Wikipedia:Comparison of DNS server software]].
2001:67c:28a4::  ## anycast.censurfridns.dk
 
2a01:3a0:53:53:: ## unicast.censurfridns.dk
 
  
{{Note|Its servers listen to port 5353 as well as the standard port 53. This can be used in case your ISP hijacks port 53.}}
+
{{Expansion|Fill in the unknowns. Add {{AUR|deadwood}}.}}
  
=== Yandex ===
+
{| class="wikitable sortable" style="text-align:center"
 +
! Name !! Package !! [[Wikipedia:Authoritative name server|Authoritative]] !! [[Wikipedia:Name server#Recursive query|Recursive]] !! [[Wikipedia:Name server#Caching name server|Cache]] !! [[resolvconf]] !!  [[Wikipedia:Domain Name System Security Extensions#The lookup procedure|Validates]]<br>[[DNSSEC]] !! [[Wikipedia:DNSCrypt|DNSCrypt]] !! [[Wikipedia:DNS over TLS|DNS<br>over TLS]] !! [[Wikipedia:DNS over HTTPS|DNS<br>over HTTPS]]
 +
|-
 +
! [[dnscrypt-proxy]]
 +
| {{Pkg|dnscrypt-proxy}} || {{No}} || {{No}} || {{Yes}} || {{No}} || {{No}} || {{Y|Resolver}} || {{No}} || {{Y|Resolver}}
 +
|-
 +
! [[Rescached]]
 +
| {{AUR|rescached-git}} || {{No}} || {{No}} || {{Yes}} || {{Yes|https://github.com/shuLhan/rescached-go#integration-with-openresolv}} || {{No}} || {{No}} || {{No}} || {{Y|Limited}}<sup>1</sup>
 +
|-
 +
! [[Stubby]]
 +
| {{Pkg|stubby}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{No}} || {{Y|Resolver}} || {{No}}
 +
|-
 +
!style="white-space: nowrap;"| [[systemd-resolved]]
 +
| {{Pkg|systemd}} || {{No}} || {{No}} || {{Yes}} || {{G|[[systemd-resolvconf|Yes]]}} || {{Yes}} || {{No}} || {{Y|Insecure resolver}}<sup>2</sup> || {{No|https://github.com/systemd/systemd/issues/8639}}
 +
|-
 +
! [[dnsmasq]]
 +
| {{Pkg|dnsmasq}} || {{Y|Partial}}<sup>3</sup> || {{No}} || {{Yes}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{Yes}} || {{No}} || {{No|http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q2/012131.html}} || {{No}}
 +
|-
 +
! [[BIND]]
 +
| {{Pkg|bind}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{Yes}} || {{No}} || {{No|https://kb.isc.org/docs/aa-01386}} || {{No}}
 +
|-
 +
! [[Knot Resolver]]
 +
| {{AUR|knot-resolver}} || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{Yes}} || {{No}} || {{Yes}} || {{No|https://gitlab.labs.nic.cz/knot/knot-resolver/issues/243}}
 +
|-
 +
! [[Wikipedia:MaraDNS|MaraDNS]]
 +
| {{AUR|maradns}} || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}}
 +
|-
 +
! [[pdnsd]]
 +
| {{Pkg|pdnsd}} || {{Yes}} || {{Yes}} || {{G|Permanent}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{No}} || {{No}} || {{No}} || {{No}}
 +
|-
 +
! [https://www.powerdns.com/recursor.html PowerDNS Recursor]
 +
| {{Pkg|powerdns-recursor}} || {{Yes}} || {{Yes}} || {{Yes}} || {{No|https://roy.marples.name/projects/openresolv/config#pdns_recursor}} || {{Yes}} || {{No}} || {{No}} || {{No}}
 +
|-
 +
! [[Unbound]]
 +
| {{Pkg|unbound}} || {{Yes}} || {{Yes}} || {{Yes}} || {{G|[[openresolv#Subscribers|Yes]]}} || {{Yes}} || {{Y|Server}} || {{Yes}} || {{No|1=https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=1200}}
 +
|}
  
[https://dns.yandex.com/advanced/ Yandex.DNS] has servers in Russia, Eastern and Western Europe and has three options, ''Basic'', ''Safe'' and ''Family'':
+
# Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[https://github.com/shuLhan/rescached-go#integration-with-dns-over-https]
 +
# From {{man|5|resolved.conf}}: ''Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.''[https://github.com/systemd/systemd/issues/9397] Also, the only supported mode is "opportunistic", which ''makes DNS-over-TLS vulnerable to "downgrade" attacks''.[https://github.com/systemd/systemd/issues/10755]
 +
# From [[Wikipedia:Comparison of DNS server software#cite_note-masqauth-25|Wikipedia]]: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.
  
Basic Yandex.DNS - Quick and reliable DNS
+
=== Authoritative-only servers ===
77.88.8.8              # Preferred IPv4 DNS
 
77.88.8.1              # Alternate IPv4 DNS
 
 
2a02:6b8::feed:0ff    # Preferred IPv6 DNS
 
2a02:6b8:0:1::feed:0ff # Alternate IPv6 DNS
 
  
Safe Yandex.DNS - Protection from virus and fraudulent content
+
{| class="wikitable sortable" style="text-align:center"
  77.88.8.88            # Preferred IPv4 DNS
+
! Name !! Package !! [[DNSSEC]] !! Geographic<br>balancing
77.88.8.2              # Alternate IPv4 DNS
+
|-
+
! [https://gdnsd.org/ gdnsd]
2a02:6b8::feed:bad    # Preferred IPv6 DNS
+
| {{Pkg|gdnsd}} || {{No}} || {{Yes}}
2a02:6b8:0:1::feed:bad # Alternate IPv6 DNS
+
|-
 +
! [https://www.knot-dns.cz/ Knot DNS]
 +
| {{Pkg|knot}} || {{Yes}} || {{Yes|https://www.knot-dns.cz/docs/2.7/singlehtml/#geoip-geography-based-responses}}
 +
|-
 +
! [[NSD]]
 +
| {{Pkg|nsd}} || {{No}} || {{No}}
 +
|-
 +
! [https://www.powerdns.com/auth.html PowerDNS]
 +
| {{Pkg|powerdns}} || {{Yes}} || {{Yes}}
 +
|}
  
Family Yandex.DNS - Without adult content
+
== See also ==
77.88.8.7              # Preferred IPv4 DNS
 
77.88.8.3              # Alternate IPv4 DNS
 
 
2a02:6b8::feed:a11    # Preferred IPv6 DNS
 
2a02:6b8:0:1::feed:a11 # Alternate IPv6 DNS
 
  
Yandex.DNS' speed is the same in the three modes. In ''Basic'' mode, there is no traffic filtering. In ''Safe'' mode, protection from infected and fraudulent sites is provided. ''Family'' mode enables protection from dangerous sites and blocks sites with adult content.
+
* [https://www.tldp.org/LDP/nag2/x-087-2-resolv.html Linux Network Administrators Guide]
 +
* [https://www.debian.org/doc/manuals/debian-handbook/sect.hostname-name-service.en.html#sect.name-resolution Debian Handbook]
 +
* [[RFC:7706]] - Decreasing Access Time to Root Servers by Running One on Loopback

Latest revision as of 03:21, 5 March 2019

In general, a domain name represents an IP address and is associated to it in the Domain Name System (DNS). This article explains how to configure domain name resolution and resolve domain names.

Name Service Switch

The Name Service Switch (NSS) facility is part of the GNU C Library (glibc) and backs the getaddrinfo(3) API, used to resolve domain names. NSS allows system databases to be provided by separate services, whose search order can be configured by the administrator in nsswitch.conf(5). The database responsible for domain name resolution is the hosts database, for which glibc offers the following services:

Systemd provides three NSS services for hostname resolution:

Resolve a domain name using NSS

NSS databases can be queried with getent(1). A domain name can be resolved through NSS using:

$ getent hosts domain_name
Note: While most programs resolve domain names using NSS, some may read /etc/resolv.conf and/or /etc/hosts directly. See Network configuration#Local hostname resolution.

Glibc resolver

The glibc resolver reads /etc/resolv.conf for every resolution to determine the nameservers and options to use.

resolv.conf(5) lists nameservers together with some configuration options. Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (#) are ignored.

Note: The glibc resolver does not cache queries. To improve query lookup time you can set up a caching resolver. See #DNS servers for more information.

Overwriting of /etc/resolv.conf

Network managers tend to overwrite /etc/resolv.conf, for specifics see the corresponding section:

To prevent programs from overwriting /etc/resolv.conf you can also write-protect it by setting the immutable file attribute:

# chattr +i /etc/resolv.conf
Tip: If you want multiple processes to write to /etc/resolv.conf, you can use resolvconf.

Limit lookup time

If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf.

options timeout:1

Hostname lookup delayed with IPv6

If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[1] You can fix that by setting the following option in /etc/resolv.conf:

options single-request

Local domain names

If you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line to /etc/resolv.conf with the local domain such as:

domain example.com

That way you can refer to local hosts such as mainmachine1.example.com as simply mainmachine1 when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.

Lookup utilities

To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.

  • ldns provides drill(1), which is a tool designed to retrieve information out of the DNS.

For example, to query a specific nameserver with drill for the TXT records of a domain:

$ drill @nameserver TXT domain

If you do not specify a DNS server drill uses the nameservers defined in /etc/resolv.conf.

Resolver performance

The Glibc resolver does not cache queries. If you want local caching use systemd-resolved or set up a local caching DNS server and use 127.0.0.1 as your name server.

Tip:
  • The drill or dig lookup utilities report the query time.
  • A router usually sets its own caching resolver as the network's DNS server thus providing DNS cache for the whole network.
  • If it takes too long to switch to the next DNS server you can try decreasing the timeout.

Privacy and security

The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses manipulated. Furthermore, DNS servers can conduct DNS hijacking.

You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and third-parties. Alternatively you can run your own recursive name server, which however takes more effort. If you use a DHCP client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like DNS over TLS, DNS over HTTPS or DNSCrypt, provided that both the upstream server and your resolver support the protocol. To verify that responses are actually from authoritative name servers, you can validate DNSSEC, provided that both the upstream server(s) and your resolver support it.

Be aware that client software, such as major web browsers, may also (start to) implement some of the protocols. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[2]

Third-party DNS services

Note: Before using a third-party DNS service, check its privacy policy for information on how user data is handled. User data has value and can be sold to other parties.

There are various third-party DNS services available, some of which also have dedicated software:

  • dingo — A DNS client for Google DNS over HTTPS
https://github.com/pforemski/dingo || dingo
  • opennic-up — Automates the renewal of the DNS servers with the most responsive OpenNIC servers
https://github.com/kewlfft/opennic-up || opennic-upAUR

DNS servers

DNS servers can be authoritative and recursive. If they are neither, they are called stub resolvers and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to Wikipedia:Comparison of DNS server software.

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Fill in the unknowns. Add deadwoodAUR. (Discuss in Talk:Domain name resolution#)
Name Package Authoritative Recursive Cache resolvconf Validates
DNSSEC
DNSCrypt DNS
over TLS
DNS
over HTTPS
dnscrypt-proxy dnscrypt-proxy No No Yes No No Resolver No Resolver
Rescached rescached-gitAUR No No Yes Yes No No No Limited1
Stubby stubby No No No No Yes No Resolver No
systemd-resolved systemd No No Yes Yes Yes No Insecure resolver2 No
dnsmasq dnsmasq Partial3 No Yes Yes Yes No No No
BIND bind Yes Yes Yes Yes Yes No No No
Knot Resolver knot-resolverAUR Yes Yes Yes No Yes No Yes No
MaraDNS maradnsAUR Yes Yes Yes No No No No No
pdnsd pdnsd Yes Yes Permanent Yes No No No No
PowerDNS Recursor powerdns-recursor Yes Yes Yes No Yes No No No
Unbound unbound Yes Yes Yes Yes Yes Server Yes No
  1. Only forwards using DNS over HTTPS when Rescached itself is queried using DNS over HTTPS.[3]
  2. From resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks.[4] Also, the only supported mode is "opportunistic", which makes DNS-over-TLS vulnerable to "downgrade" attacks.[5]
  3. From Wikipedia: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.

Authoritative-only servers

Name Package DNSSEC Geographic
balancing
gdnsd gdnsd No Yes
Knot DNS knot Yes Yes
NSD nsd No No
PowerDNS powerdns Yes Yes

See also