Difference between revisions of "Talk:Domain name resolution"

From ArchWiki
m (How is systemd-resolved's DNS over TLS limited?: a word)
(Resolvers: rm closed)
 
  
 
:Well I'm done, albeit the ''Systemd-resolved'' section can still be improved. What do you guys think? Before rewrite for reference: [[Special:Diff/522487]] --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 18:52, 23 May 2018 (UTC)
 
 
== <s>Resolvers</s> ==
 
 
I'd like to replace [[Domain name resolution#Performance]] with a "Resolvers" section. "Performance" (i.e. DNS cache) is not the only reason to use an alternative resolver, some people might want a recursive resolver or one that validates DNSSEC, supports DNS over TLS, etc. See [[#Resolver draft]] below for the comparison table draft. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 08:23, 22 July 2018 (UTC)
 
 
:Do we need to add an explanation for each column (like in [[AUR helpers]]) or will the wikilinks be enough? -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 08:35, 23 July 2018 (UTC)
 
 
:I've moved the table to [[Domain name resolution#Resolvers]]. Now only [[Domain name resolution#Performance]] needs to be merged with it somehow. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 07:59, 24 July 2018 (UTC)
 
 
::Sections merged (it's not perfect, but it's ''good enough'' for now). -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 10:24, 31 July 2018 (UTC)
 
 
=== Resolver draft ===
 
 
The Glibc resolver provides only the most basic necessities: it does not cache queries or provide any security or privacy features. If you desire more functionality, use another resolver.
 
 
To improve query lookup time you can set up a caching resolver.
 
 
{{Comment|Paragraph doesn't fit into tip. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 18:23, 26 July 2018 (UTC)
 
:You mean the one in the tip below ↓ ? -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 08:46, 27 July 2018 (UTC)
 
::Yes. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 11:41, 27 July 2018 (UTC)
 
:OK, I simplified it a little. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 12:37, 27 July 2018 (UTC)
 
}}
 
 
{{Tip|
 
* The ''drill'' or ''dig'' [[#Lookup utilities|lookup utilities]] report the query time.
 
* A router usually sets its own caching resolver as the network's DNS server, thus providing a DNS cache for the whole network.
 
* If it takes too long to switch to the next DNS server you can try [[Domain name resolution#Limit lookup time|decreasing the timeout]].
 
}}
 
 
==== <s>Resolver table draft</s> ====
 
 
{| class="wikitable sortable"
 
! Resolver !! [[Wikipedia:Name server#Caching name server|Cache]] !! [[Wikipedia:Domain Name System#Recursive and caching name server|Recursor]] !! [[resolvconf]] compatibility !!  Validates [[DNSSEC|DNSSEC]] !! [[Wikipedia:DNS over TLS|DNS over TLS]] !! [[Wikipedia:DNS over HTTPS|DNS over HTTPS]] !! Notes
 
|-
 
| glibc || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} ||
 
|-
 
| [[BIND]] || {{Yes}} || {{Yes}} || {{G|[[openresolv]] subscriber}} || {{Yes}} || ? || ? ||
 
|-
 
| [[dnscrypt-proxy]] || {{Yes}} || {{No}} || {{No}} || ? || {{No}} || {{Yes}} || Implements the [[Wikipedia:DNSCrypt|DNSCrypt]] protocol.
 
|-
 
| [[dnsmasq]] || {{Yes}} || {{No}} || {{G|[[openresolv]] subscriber}} || {{Yes}} || {{No}} || {{No}} ||
 
|-
 
| [[Knot Resolver]] || {{Yes}} || {{Yes}} || {{No}} || {{Yes}} || {{Yes}} || {{R|No [https://gitlab.labs.nic.cz/knot/knot-resolver/issues/243]}} ||
 
|-
 
| [[pdnsd]] || {{Yes}} || ? || {{G|[[openresolv]] subscriber}} || {{Yes}} || {{No}} || {{No}} ||
 
|-
 
| [[Stubby]] || {{No}} || {{No}} || {{No}} || ? || {{Yes}} || ? ||
 
|-
 
|style="white-space: nowrap;"| [[systemd-resolved]] || {{Yes}} || {{No}} || {{G|{{Pkg|systemd-resolvconf}}}} || {{Yes}} || {{Y|Limited}} || {{R|No [https://github.com/systemd/systemd/issues/8639]}} ||
 
|-
 
| [[Unbound]] || {{Yes}} || {{Yes}} || {{G|[[openresolv]] subscriber}} || {{Yes}} || {{Yes}} || ? ||
 
|}
 
 
{{Comment|I don't see why we should prevent the name column from wrapping. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:31, 1 August 2018 (UTC)
 
 
:No specific reason, I just think it looks better in one line. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 08:35, 1 August 2018 (UTC)
 
 
::It's common practice on the web to wrap text to prevent horizontal overflow / scrolling. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 10:57, 1 August 2018 (UTC)
 
 
:::I know and I'm not against word wrapping per se, I just don't think the resolver name should wrap. Also this only affects the "Resolver" column, the other columns still wrap so the chance of horizontal scrolling is minimal. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 11:16, 1 August 2018 (UTC)
 
}}
 
  
 
== <s>How is systemd-resolved's DNS over TLS limited?</s> ==
 

Latest revision as of 16:28, 12 August 2018

== UncensoredDNS port numbers ==

I am wondering whether the information on port 53 & 5353 is relevant or of any interest. Isn't it multicast that uses UDP on 5353? Some reference would be welcome. I would happily rewrite the paragraph if there is no objection. Kewl (talk) 20:45, 29 September 2017 (UTC)

I have found an announcement from @censurfridns 8 Dec 2013 on Twitter "Due to popular request ns1 and ns2 now listen on port 5353 as well as the standard 53, for those of you with ISPs hijacking port 53 traffic!" and have checked it is still the case with the new servers and will therefore update accordingly Kewl (talk) 08:57, 30 September 2017 (UTC)

== Rewrite ==

I think this page deserves an overhaul. I am thinking of renaming the article to DNS configuration, moving Network configuration#Resolving domain names here, rewriting and moving systemd-resolved up as it's the DNS client Arch Linux systems use and outsourcing the NetworkManager and dhcpcd specific sections to their respective articles. As I have stated in Help talk:Template#Creation of Template:Out of scope I don't think a list of DNS servers belongs on the ArchWiki, but I won't touch the section till we reach a consensus.--Larivact (talk) 18:08, 20 May 2018 (UTC)

I introduced systemd-resolved here and I agree it deserves more room. Then I am not clear about "DNS configuration", is it the configuration to build a DNS server or is it using it as a client or both. I am not sure this is the most understandable title about what you want to move in there but to be discussed. Then about dropping the list of DNS servers I disagree, it has been growing and has attracted interest, it is I think becoming a reference of concise list of alternative DNS servers. That it can be arranged differently I am sure but I don't see what dogma would prevent us from maintaining such a useful reference in the Arch wiki. This is an external service the Arch system relies on, having an unsecured or slow resolution is something that is affecting the system directly and that should be well addressed. -- Kewl (talk) 19:05, 20 May 2018 (UTC)
Good point, DNS resolver would be better. I guess the dogma would be preventing scope creep. Yes Arch systems use DNS servers but so do any other operating systems.--Larivact (talk) 19:22, 20 May 2018 (UTC)
The systemd-resolved.service is not active unless you enable it, so it is not "the DNS client Arch Linux systems use" and does not deserve any more space than other tools. As for "outsourcing" NetworkManager and dhcpcd sections, they deserve as much space as systemd-resolved on this page - it doesn't make sense to keep only some DNS configuration on this page. -- Lahwaacz (talk) 19:58, 20 May 2018 (UTC)
Thanks for clearing that up. systemd-resolved however is a DNS resolver while NetworkManager and dhcpcd just change /etc/resolv.conf.--Larivact (talk) 20:04, 20 May 2018 (UTC)
And systemd-resolved is arguably part of systemd-networkd which is just another network manager. -- Lahwaacz (talk) 20:36, 20 May 2018 (UTC)
The point is that systemd-resolved does resolving while NetworkManager and dhcpcd don't.--Larivact (talk) 20:42, 20 May 2018 (UTC)
They use the resolv.conf config file which is still the central topic of this page even if you rename it. Moving the sections to different pages would either be totally out of place or you would have to move (and duplicate) a considerable part of this page. -- Lahwaacz (talk) 21:22, 20 May 2018 (UTC)
I was thinking of moving and linking the sections. NetworkManager configuration belongs to the NetworkManager article and dhcpcd configuration belongs to the dhcpcd article.--Larivact (talk) 04:02, 21 May 2018 (UTC)
What I meant is that the current information on systemd-resolved is pretty light and it deserves more elaborated comments given the different configuration possibilities. We have to see where we develop it, not here if we want to keep the balance with the other network tools and keep the focus on resolv.conf, probably in systemd-networkd then. -- Kewl (talk) 03:55, 21 May 2018 (UTC)
Moving systemd-resolved to systemd-networkd doesn't make sense as systemd-resolved can be used without systemd-networkd.--Larivact (talk) 07:29, 21 May 2018 (UTC)
I'd like to split off systemd-resolved to its own article, see User:nl6720/WIP/systemd-resolved for current draft. Thoughts? -- nl6720 (talk) 08:41, 18 July 2018 (UTC)
If no objection arises, I'll move User:nl6720/WIP/systemd-resolved to systemd-resolved sometime next week. -- nl6720 (talk) 06:50, 22 July 2018 (UTC)
With the help of Larivact, the move is done. -- nl6720 (talk) 12:52, 26 July 2018 (UTC)

Kewl said that they are "not clear about DNS configuration, is it the configuration to build a DNS server or is it using it as a client or both." I thought about renaming the article to DNS resolver but that's actually ambiguous as any DNS server is also a DNS resolver. I still consider DNS configuration the best title as it's about configuring the DNS of an Arch Linux system, just like Network configuration is about configuring the network of the host.

So I propose to move resolv.conf to DNS configuration and make the article describe NSS hosts, /etc/hosts, resolv.conf, and DNS lookup utilities like dig & drill.

Sections I want to move here:

Sections I want to move from resolv.conf (but still link):

--Larivact (talk) 12:30, 21 May 2018 (UTC)

As for the title, Domain name resolution sounds best: it is a common term, not limited to configuration (which you need to cover lookup utilities), covers resolution of hostnames on local networks (which doesn't use DNS), and I can't think of any ambiguity like with "DNS configuration". -- Lahwaacz (talk) 07:50, 22 May 2018 (UTC)
I agree. What do you think of outsourcing NetworkManager, dhcpcd & the DNS server list?--Larivact (talk) 08:40, 22 May 2018 (UTC)
We can leave it here for the moment and decide later based on how the article looks. -- Lahwaacz (talk) 18:53, 22 May 2018 (UTC)
As for the DNS servers also being DNS resolvers problem, that also means that Category:DNS servers doesn't make sense because it does not separate the things you wanted. E.g. pdnsd from that category is basically the same thing as DNSCrypt or unbound which are not there. I think it would be best to merge Category:DNS servers back into Category:Domain Name System, there are not so many pages to require special subcategories. -- Lahwaacz (talk) 07:59, 22 May 2018 (UTC)
Done.--Larivact (talk) 08:40, 22 May 2018 (UTC)
Well I'm done, albeit the Systemd-resolved section can still be improved. What do you guys think? Before rewrite for reference: Special:Diff/522487 --Larivact (talk) 18:52, 23 May 2018 (UTC)

== <s>How is systemd-resolved's DNS over TLS limited?</s> ==

To answer the question from Special:Diff/533580: It's potentially insecure. A quote from resolved.conf(5): Note as the resolver is not capable of authenticating the server, it is vulnerable for "man-in-the-middle" attacks. -- nl6720 (talk) 14:22, 12 August 2018 (UTC)

Thanks, I changed Limited to Insecure and added a footnote. --Larivact (talk) 15:23, 12 August 2018 (UTC)
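The quote from resolved.conf(5) above describes opportunistic DNS over TLS: the resolver encrypts when the upstream offers TLS, but it neither authenticates the server nor refuses to fall back to plaintext, so an on-path attacker can still intercept queries. The drop-in below is an added example, not text from the wiki page or from the systemd project; it assumes a systemd release of 243 or newer, where `DNSOverTLS=yes` (strict mode) and the `address#servername` form of `DNS=` exist, and it uses an RFC 5737 documentation address and `dns.example.net` as placeholders for the real upstream.

```ini
# /etc/systemd/resolved.conf.d/dns-over-tls.conf  (added example, not from the wiki page)
# Assumes systemd >= 243: DNSOverTLS=yes and the "address#servername" syntax
# are not available in the systemd 239 the talk thread above was written against.
[Resolve]
# Placeholder upstream (RFC 5737 documentation address). Replace with your
# DoT resolver's IP and the hostname on its TLS certificate.
DNS=192.0.2.53#dns.example.net

# Weak setting the thread is about: TLS is used when offered, the server is
# not authenticated, and the resolver silently downgrades to plaintext on
# port 53 when the TLS handshake fails.
#DNSOverTLS=opportunistic

# Hardened setting: TLS is mandatory and the certificate is checked against
# the name after '#'. If TLS cannot be established, resolution fails closed
# instead of leaking queries in the clear.
DNSOverTLS=yes
```

After restarting `systemd-resolved.service`, `resolvectl status` reports the effective DNSOverTLS setting per link, and a `resolvectl query` that succeeds only while the upstream's TLS certificate is valid is the practical check that strict mode, not opportunistic mode, is in force.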