jonathanio/update-systemd-resolved

Allow ordering (before, after) of new DNS nameservers

jefft opened this issue · 4 comments

jefft commented

It would be handy if update-systemd-resolved let one specify whether new nameservers should take precedence or not over existing nameservers.

In my case update-systemd-resolved is updating my /etc/resolv.conf from the default:

nameserver 192.168.1.254
search home.gateway

to:

nameserver 192.168.1.254
nameserver 10.34.0.99
search home.gateway corp.company.com

That is perfectly sensible default behaviour, but in my particular case I'd like the order swapped:

nameserver 10.34.0.99
nameserver 192.168.1.254
search corp.company.com home.gateway

so that hostnames with differing internal and external IPs resolve to the internal IP, not the external.

(Thanks for writing update-systemd-resolved - it's now an indispensable part of any openvpn setup)

@jefft,

You're welcome. update-systemd-resolved is not designed to maintain and manage /etc/resolv.conf, and I don't currently know of a way to set the priority of a server within a DBus request, which in turn would be reflected in the output to resolv.conf.

Ideally, you should be setting up /etc/nsswitch.conf to use resolve ahead of dns (or replace it) and then use DOMAIN-SEARCH or DOMAIN-ROUTE to override the routing of the DNS request to the appropriate name. In your case, using resolve will mean that DNS requests for anything ending in corp.company.com will be routed to 10.34.0.99 and only be asked there - your local DNS server will only receive requests for home.gateway or general requests under the global namespace. (IIRC, global lookups may be sent to the corporate server too; the first to reply will be used and returned to the application.)

Give the nsswitch.conf configuration a try and see if it helps your lookups.

jefft commented

Thanks, I've got it working properly now. The whole problem was that I didn't RTFM and add resolve entries to my /etc/nsswitch.conf. On recent Ubuntus one also has to apt-get install libnss-resolve.

Specifically, the full solution for me (on Ubuntu 17.10) was:

That was sufficient. My system then resolved hostnames to their internal IP, presumably because the OpenVPN server pushed a DOMAIN corp.company.com option, after which (per your excellent docs) "requests for this domain [are] routed to the DNS servers provided on this link."

I don't really understand the whole "stub resolver" vs. libnss-resolve, but it appears that update-systemd-resolved is only fully functional when libnss-resolve (resolve entry in /etc/nsswitch.conf) is in use.

Just for information, merging zones by ordering DNS servers like you did originally is not supported by the RFC standard or by systemd-resolved. This was working only due to an implementation detail of your resolver. See the discussion at systemd/systemd#5755 and especially comment systemd/systemd#5755 (comment).
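A defender-side check for the fix discussed in this thread (the maintainer's advice to list `resolve` ahead of `dns` in nsswitch.conf, and jefft's note that libnss-resolve must be installed). This is an added example, not code from the issue or from the update-systemd-resolved project: a POSIX shell function that parses an nsswitch.conf and confirms the `hosts` database consults `resolve` before, or instead of, `dns`. The helper `libnss_resolve_installed` and the two sample configurations are my own constructions.

```shell
#!/bin/sh
# Verify that the "hosts" database in nsswitch.conf consults the
# libnss-resolve module ("resolve") before, or instead of, the classic
# "dns" module. Returns 0 when the ordering is correct, 1 otherwise.
# Usage: nsswitch_resolve_ok [path]    (default: /etc/nsswitch.conf)
nsswitch_resolve_ok() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        { sub(/:/, " ") }                  # "hosts:" -> "hosts", re-split fields
        $1 == "hosts" {
            found = 1
            for (i = 2; i <= NF; i++) {    # record first position of each module
                if ($i == "resolve" && !r) r = i
                if ($i == "dns"     && !d) d = i
            }
            if (r && (!d || r < d)) ok = 1 # resolve present; dns absent or later
        }
        END { if (found && ok) exit 0; exit 1 }
    ' "${1:-/etc/nsswitch.conf}"
}

# Is the NSS module that "resolve" refers to actually installed?
# (On Ubuntu it is shipped by the libnss-resolve package.)
libnss_resolve_installed() {
    ldconfig -p 2>/dev/null | grep -q 'libnss_resolve\.so\.2'
}

# Constructed sample files for demonstration; not taken from a real host.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
# nsswitch.conf with libnss-resolve ahead of dns (constructed)
passwd:  files systemd
hosts:   files resolve [!UNAVAIL=return] dns myhostname
EOF
cat > "$BAD_CONF" <<'EOF'
# distribution default: resolve missing, only dns (constructed)
hosts:   files dns myhostname
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if nsswitch_resolve_ok "$f"; then echo "$f: resolve ordering OK"
    else echo "$f: resolve missing or listed after dns"; fi
done
if libnss_resolve_installed; then echo "libnss_resolve.so.2 found"
else echo "libnss_resolve.so.2 not found (install libnss-resolve)"; fi
```

Run it against the live file with `nsswitch_resolve_ok /etc/nsswitch.conf` after sourcing; a non-zero exit means per-link DNS routing by update-systemd-resolved will not take effect for glibc lookups.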