ドメイン名前解決
一般に、ドメイン名は IP アドレスを表し、DNS(Domain Name System)で関連付けられています。ここでは、ドメイン名前解決の設定方法とドメイン名の解決方法について説明します。
目次
Name Service Switch
Name Service Switch (NSS) 機能は GNU C ライブラリ (glibc) の一部であり、getaddrinfo(3) API をサポートしており、ドメイン名を解決するために使用されます。NSS では、システムデータベースを別々のサービスで提供することができ、その検索順序は管理者が nsswitch.conf(5) で設定することができます。ドメイン名の解決を行うデータベースは hosts データベースであり、glibc は以下のサービスを提供しています。
- files:
/etc/hosts
ファイルを読み込む。hosts(5) を参照してください。 - dns :
/etc/resolv.conf
を読み込む glibc resolver。 resolv.conf(5) を参照してください。
systemd はホスト名解決のために 3 つの NSS サービスを提供します。
- nss-resolve(8) — a caching DNS stub resolver, described in systemd-resolved
- nss-myhostname(8) — provides local hostname resolution without having to edit
/etc/hosts
, described in ネットワーク設定#ローカルのホストネーム解決 - nss-mymachines(8) — provides hostname resolution for the names of local systemd-machined(8) containers
NSS を使用してドメイン名を解決する
NSS データベースは getent(1) でクエリできます。ドメイン名は、NSS を介して解決できます。
$ getent hosts domain_name
Glibc resolver
The glibc resolver reads /etc/resolv.conf
for every resolution to determine the nameservers and options to use.
resolv.conf(5) lists nameservers together with some configuration options.
Nameservers listed first are tried first, up to three nameservers may be listed. Lines starting with a number sign (#
) are ignored.
Overwriting of /etc/resolv.conf
Network managers tend to overwrite /etc/resolv.conf
, for specifics see the corresponding section:
- dhcpcd#/etc/resolv.conf
- Netctl#/etc/resolv.conf
- NetworkManager#/etc/resolv.conf
- ConnMan#/etc/resolv.conf
To prevent programs from overwriting /etc/resolv.conf
, it is also possible to write-protect it by setting the immutable file attribute:
# chattr +i /etc/resolv.conf
Limit lookup time
If you are confronted with a very long hostname lookup (may it be in pacman or while browsing), it often helps to define a small timeout after which an alternative nameserver is used. To do so, put the following in /etc/resolv.conf
.
options timeout:1
Hostname lookup delayed with IPv6
If you experience a 5 second delay when resolving hostnames it might be due to a DNS-server/Firewall misbehaving and only giving one reply to a parallel A and AAAA request.[1] You can fix that by setting the following option in /etc/resolv.conf
:
options single-request
Local domain names
To be able to use the hostname of local machine names without the fully qualified domain name, add a line to /etc/resolv.conf
with the local domain such as:
domain example.org
That way you can refer to local hosts such as mainmachine1.example.org
as simply mainmachine1
when using the ssh command, but the drill command still requires the fully qualified domain names in order to perform lookups.
Lookup utilities
To query specific DNS servers and DNS/DNSSEC records you can use dedicated DNS lookup utilities. These tools implement DNS themselves and do not use NSS.
ldns provides drill(1), which is a tool designed to retrieve information out of the DNS.
For example, to query a specific nameserver with drill for the TXT records of a domain:
$ drill @nameserver TXT domain
Unless a DNS server is specified, drill will use the nameservers defined in /etc/resolv.conf
.
Resolver のパフォーマンス
Glibc resolver は問い合わせをキャッシュしません。ローカルキャッシュを実装するには、 systemd-resolved を使用するか、ローカルキャッシュ DNS server を設定し、 127.0.0.1
と ::1
を /etc/resolv.conf
または /etc/resolvconf
(openresolv を使用する場合) でネームサーバとして使用します。
Privacy and security
The DNS protocol is unencrypted and does not account for confidentiality, integrity or authentication, so if you use an untrusted network or a malicious ISP, your DNS queries can be eavesdropped and the responses manipulated. Furthermore, DNS servers can conduct DNS hijacking.
You need to trust your DNS server to treat your queries confidentially. DNS servers are provided by ISPs and third-parties. Alternatively you can run your own recursive name server, which however takes more effort. If you use a DHCP client in untrusted networks, be sure to set static name servers to avoid using and being subject to arbitrary DNS servers. To secure your communication with a remote DNS server you can use an encrypted protocol, like DNS over TLS (RFC 7858), DNS over HTTPS (RFC 8484), or DNSCrypt, provided that both the upstream server and your resolver support the protocol. An alternative can be a dedicated software to encrypt and decrypt the communication, such as stunnel. To verify that responses are actually from authoritative name servers, you can validate DNSSEC, provided that both the upstream server(s) and your resolver support it.
Application-level DNS
Be aware that some client software, such as major web browsers[2][3], are starting to implement DNS over HTTPS. While the encryption of queries may often be seen as a bonus, it also means the software sidetracks queries around the system resolver configuration.[4]
Firefox provides configuration options to enable or disable DNS over HTTPS and select a DNS server.
Chromium will examine the user's system resolver and enable DNS over HTTPS if the system resolver addresses are known to also provide DNS over HTTPS. See this blog post for more information and how DNS over HTTPS can be disabled.
Mozilla has proposed universally disabling application-level DNS if the system resolver cannot resolve the domain use-application-dns.net
. Currently, this is only implemented in Firefox.
Oblivious DNS
Oblivious DNS is a system which addresses a number of DNS privacy concerns. See Cloudflare's article for more information.
Third-party DNS services
There are various third-party DNS services available, some of which also have dedicated software:
- cloudflared — A DNS client for Cloudflare DNS over HTTPS
- dingo — A DNS client for Google DNS over HTTPS
- opennic-up — Automates the renewal of the DNS servers with the most responsive OpenNIC servers
- nextdns — A DNS-over-HTTPS CLI client for NextDNS
You can use dnsperftest to test the performance of the most popular DNS resolvers from your location. dnsperf.com provides global benchmarks between providers.
DNS サーバ
DNS servers can be authoritative and recursive. If they are neither, they are called stub resolvers and simply forward all queries to another recursive name server. Stub resolvers are typically used to introduce DNS caching on the local host or network. Note that the same can also be achieved with a fully-fledged name server. This section compares the available DNS servers, for a more detailed comparison, refer to Wikipedia:Comparison of DNS server software.
Name | Package | Capabilities | resolvconf | Supported protocols | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Authoritative | Recursive | Cache | Validates DNSSEC |
DNS | DNSCrypt | DNS over TLS |
DNS over HTTPS | |||
BIND | bind | Yes | Yes | Yes | Yes | Yes | Yes | No | Server1 | Server |
CoreDNS | corednsAUR or coredns-binAUR | ? | ? | ? | ? | ? | ? | ? | Yes | ? |
Deadwood (MaraDNS recursor) | maradnsAUR | No | Yes | Yes | No | No | Yes | No | No | No |
dnscrypt-proxy | dnscrypt-proxy | No | No | Yes | No | No | Server | Resolver | No | Yes |
dnsmasq | dnsmasq | Partial2 | No | Yes | Yes | Yes | Yes | No | No | No |
Knot Resolver | knot-resolver | No | Yes | Yes | Yes | No | Yes | No | Yes | Server |
pdnsd | pdnsd | Yes | Yes | Permanent | No | Yes | Yes | No | No | No |
PowerDNS Recursor | powerdns-recursor | No | Yes | Yes | Yes | Yes | Yes | No | Partial | No |
Rescached | rescached-gitAUR | No | No | Yes | No | Yes | Yes | No | Yes | Yes |
SmartDNS | smartdns | No | No | Yes | No | ? | Yes | No | Resolver | Resolver |
Stubby | stubby | No | No | No | Yes | No | Server | No | Resolver | No |
systemd-resolved | systemd | No | No | Yes | Yes | Yes | Resolver and limited server | No | Resolver | No |
Unbound | unbound | Partial | Yes | Yes3 | Yes | Yes | Yes | Server | Yes | Server |
- BIND can serve both DNS over TLS and DNS over HTTPS (see tls{} and listen-on), but cannot yet forward queries to a DNS over TLS/DNS over HTTPS upstream. The dig tool can make queries over DNS over TLS and DNS over HTTPS (using
+tls
and+https
options), though without any certificate checks. - From Wikipedia: dnsmasq has limited authoritative support, intended for internal network use rather than public Internet use.
- The Redis backend can be used to provide a persistent cache for Unbound.
Authoritative-only servers
Name | Package | DNSSEC | Geographic balancing |
---|---|---|---|
gdnsd | gdnsd | No | Yes |
Knot DNS | knot | Yes | Yes |
MaraDNS | maradnsAUR | No | ? |
NSD | nsd | No | No |
PowerDNS | powerdns | Yes | Yes |
Conditional forwarding
It is possible to use specific DNS resolvers when querying specific domain names. This is particularly useful when connecting to a VPN, so that queries to the VPN network are resolved by the VPN's DNS, while queries to the internet will still be resolved by your standard DNS resolver. It can also be used on local networks.
To implement it, you need to use a local resolver because glibc does not support it.
In a dynamic environment (laptops and to some extents desktops), you need to configure your resolver based on the network(s) you are connected to. The best way to do that is to use openresolv because it supports multiple subscribers. Some network managers support it, either through openresolv, or by configuring the resolver directly. NetworkManager supports conditional forwarding without openresolv.
See also
- Linux Network Administrators Guide
- Debian Handbook
- RFC:7706 - Decreasing Access Time to Root Servers by Running One on Loopback
- Domain name system overview - Diagram about DNS
- Alternative DNS services