Difference between revisions of "Talk:Domain name resolution"

From ArchWiki

Revision as of 15:28, 12 August 2018

UncensoredDNS port numbers

I am wondering whether the information on port 53 & 5353 is relevant or of any interest. Isn't it multicast that uses UDP on 5353? Some reference would be welcome. I would happily rewrite the paragraph if there is no objection. Kewl (talk) 20:45, 29 September 2017 (UTC)

I have found an announcement from @censurfridns on Twitter, 8 Dec 2013: "Due to popular request ns1 and ns2 now listen on port 5353 as well as the standard 53, for those of you with ISPs hijacking port 53 traffic!" I have checked that it is still the case with the new servers and will therefore update accordingly. Kewl (talk) 08:57, 30 September 2017 (UTC)


I think this page deserves an overhaul. I am thinking of renaming the article to DNS configuration, moving Network configuration#Resolving domain names here, rewriting and moving systemd-resolved up as it's the DNS client Arch Linux systems use and outsourcing the NetworkManager and dhcpcd specific sections to their respective articles. As I have stated in Help talk:Template#Creation of Template:Out of scope I don't think a list of DNS servers belongs on the ArchWiki, but I won't touch the section till we reach a consensus.--Larivact (talk) 18:08, 20 May 2018 (UTC)

I introduced systemd-resolved here and I agree it deserves more room. Then I am not clear about "DNS configuration": is it the configuration to build a DNS server, or is it using it as a client, or both? I am not sure this is the most understandable title for what you want to move in there, but it is to be discussed. Then about dropping the list of DNS servers, I disagree: it has been growing and has attracted interest; it is, I think, becoming a concise reference list of alternative DNS servers. That it can be arranged differently I am sure, but I don't see what dogma would prevent us from maintaining such a useful reference in the Arch wiki. This is an external service the Arch system relies on; having an unsecured or slow resolution is something that affects the system directly and that should be well addressed. -- Kewl (talk) 19:05, 20 May 2018 (UTC)
Good point, DNS resolver would be better. I guess the dogma would be preventing scope creep. Yes Arch systems use DNS servers but so do any other operating systems.--Larivact (talk) 19:22, 20 May 2018 (UTC)
The systemd-resolved.service is not active unless you enable it, so it is not "the DNS client Arch Linux systems use" and does not deserve any more space than other tools. As for "outsourcing" NetworkManager and dhcpcd sections, they deserve as much space as systemd-resolved on this page - it doesn't make sense to keep only some DNS configuration on this page. -- Lahwaacz (talk) 19:58, 20 May 2018 (UTC)
Thanks for clearing that up. systemd-resolved however is a DNS resolver while NetworkManager and dhcpcd just change /etc/resolv.conf.--Larivact (talk) 20:04, 20 May 2018 (UTC)
And systemd-resolved is arguably part of systemd-networkd which is just another network manager. -- Lahwaacz (talk) 20:36, 20 May 2018 (UTC)
The point is that systemd-resolved does resolving while NetworkManager and dhcpcd don't.--Larivact (talk) 20:42, 20 May 2018 (UTC)
They use the resolv.conf config file which is still the central topic of this page even if you rename it. Moving the sections to different pages would either be totally out of place or you would have to move (and duplicate) a considerable part of this page. -- Lahwaacz (talk) 21:22, 20 May 2018 (UTC)
I was thinking of moving and linking the sections. NetworkManager configuration belongs to the NetworkManager article and dhcpcd configuration belongs to the dhcpcd article.--Larivact (talk) 04:02, 21 May 2018 (UTC)
What I meant is that the current information on systemd-resolved is pretty light and it deserves more elaborated comments given the different configuration possibilities. We have to see where we develop it, not here if we want to keep the balance with the other network tools and keep the focus on resolv.conf, probably in systemd-networkd then. -- Kewl (talk) 03:55, 21 May 2018 (UTC)
Moving systemd-resolved to systemd-networkd doesn't make sense as systemd-resolved can be used without systemd-networkd.--Larivact (talk) 07:29, 21 May 2018 (UTC)
I'd like to split off systemd-resolved to its own article, see User:nl6720/WIP/systemd-resolved for current draft. Thoughts? -- nl6720 (talk) 08:41, 18 July 2018 (UTC)
If no objection arises, I'll move User:nl6720/WIP/systemd-resolved to systemd-resolved sometime next week. -- nl6720 (talk) 06:50, 22 July 2018 (UTC)
With the help of Larivact, the move is done. -- nl6720 (talk) 12:52, 26 July 2018 (UTC)

Kewl said that they are "not clear about DNS configuration, is it the configuration to build a DNS server or is it using it as a client or both." I thought about renaming the article to DNS resolver but that's actually ambiguous as any DNS server is also a DNS resolver. I still consider DNS configuration the best title as it's about configuring the DNS of an Arch Linux system, just like Network configuration is about configuring the network of the host.

So I propose to move resolv.conf to DNS configuration and make the article describe NSS hosts, /etc/hosts, resolv.conf, and DNS lookup utilities like dig & drill.

Sections I want to move here:

Sections I want to move from resolv.conf (but still link):

--Larivact (talk) 12:30, 21 May 2018 (UTC)

As for the title, Domain name resolution sounds best: it is a common term, not limited to configuration (which you need to cover lookup utilities), covers resolution of hostnames on local networks (which doesn't use DNS), and I can't think of any ambiguity like with "DNS configuration". -- Lahwaacz (talk) 07:50, 22 May 2018 (UTC)
I agree. What do you think of outsourcing NetworkManager, dhcpcd & the DNS server list?--Larivact (talk) 08:40, 22 May 2018 (UTC)
We can leave it here for the moment and decide later based on how the article looks like. -- Lahwaacz (talk) 18:53, 22 May 2018 (UTC)
As for the problem of DNS servers also being DNS resolvers, that also means that Category:DNS servers doesn't make sense because it does not separate the things you wanted. E.g. pdnsd from that category is basically the same thing as DNSCrypt or unbound which are not there. I think it would be best to merge Category:DNS servers back into Category:Domain Name System, there are not so many pages to require special subcategories. -- Lahwaacz (talk) 07:59, 22 May 2018 (UTC)
Done.--Larivact (talk) 08:40, 22 May 2018 (UTC)
Well I'm done, albeit the Systemd-resolved section can still be improved. What do you guys think? Before rewrite for reference: Special:Diff/522487 --Larivact (talk) 18:52, 23 May 2018 (UTC)


I'd like to replace Domain name resolution#Performance with a "Resolvers" section. "Performance" (i.e. DNS cache) is not the only reason to use an alternative resolver, some people might want a recursive resolver or one that validates DNSSEC, supports DNS over TLS, etc. See #Resolver draft below for the comparison table draft. -- nl6720 (talk) 08:23, 22 July 2018 (UTC)

Do we need to add an explanation for each column (like in AUR helpers) or will the wikilinks be enough? -- nl6720 (talk) 08:35, 23 July 2018 (UTC)
I've moved the table to Domain name resolution#Resolvers. Now only Domain name resolution#Performance needs to be merged with it somehow. -- nl6720 (talk) 07:59, 24 July 2018 (UTC)
Sections merged (it's not perfect, but it's good enough for now). -- nl6720 (talk) 10:24, 31 July 2018 (UTC)

Resolver draft

The glibc resolver provides only the most basic necessities; it does not cache queries or provide any security or privacy features. If you desire more functionality, use another resolver.

To improve query lookup time you can set up a caching resolver.

Comment: Paragraph doesn't fit into tip. --Larivact (talk) 18:23, 26 July 2018 (UTC)
You mean the one in the tip below ↓ ? -- nl6720 (talk) 08:46, 27 July 2018 (UTC)
Yes. --Larivact (talk) 11:41, 27 July 2018 (UTC)
OK, I simplified it a little. -- nl6720 (talk) 12:37, 27 July 2018 (UTC)
  • The drill or dig lookup utilities report the query time.
  • A router usually sets its own caching resolver as the network's DNS server, thus providing a DNS cache for the whole network.
  • If it takes too long to switch to the next DNS server you can try decreasing the timeout.

Resolver table draft

Resolver         | Cache | Recursor | resolvconf compatibility | Validates DNSSEC | DNS over TLS | DNS over HTTPS | Notes
-----------------|-------|----------|--------------------------|------------------|--------------|----------------|----------------------------------
glibc            | No    | No       | No                       | No               | No           | No             |
BIND             | Yes   | Yes      | openresolv subscriber    | Yes              | ?            | ?              |
dnscrypt-proxy   | Yes   | No       | No                       | ?                | No           | Yes            | Implements the DNSCrypt protocol.
dnsmasq          | Yes   | No       | openresolv subscriber    | Yes              | No           | No             |
Knot Resolver    | Yes   | Yes      | No                       | Yes              | Yes          | No             | [1]
pdnsd            | Yes   | ?        | openresolv subscriber    | Yes              | No           | No             |
Stubby           | No    | No       | No                       | ?                | Yes          | ?              |
systemd-resolved | Yes   | No       | systemd-resolvconf       | Yes              | Limited      | No             | [2]
Unbound          | Yes   | Yes      | openresolv subscriber    | Yes              | Yes          | ?              |
Comment: I don't see why we should prevent the name column from wrapping. --Larivact (talk) 07:31, 1 August 2018 (UTC)
No specific reason, I just think it looks better in one line. -- nl6720 (talk) 08:35, 1 August 2018 (UTC)
It's common practice on the web to wrap text to prevent horizontal overflow / scrolling. --Larivact (talk) 10:57, 1 August 2018 (UTC)
I know and I'm not against word wrapping per se, I just don't think the resolver name should wrap. Also this only affects the "Resolver" column, the other columns still wrap so the chance of horizontal scrolling is minimal. -- nl6720 (talk) 11:16, 1 August 2018 (UTC)

How is systemd-resolved's DNS over TLS limited?

To answer the question from Special:Diff/533580: It's potentially insecure. A quote from resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks. -- nl6720 (talk) 14:22, 12 August 2018 (UTC)

Thanks, I changed Limited to Insecure and added a footnote. --Larivact (talk) 15:23, 12 August 2018 (UTC)