
use /etc/resolv.conf to find upstream, and also respect search config #1139

Open
jjb opened this issue Sep 13, 2024 · 4 comments

Comments

@jjb

jjb commented Sep 13, 2024

thanks for a great project!

i have a /etc/resolv.conf like this

search my.service.local my.cool.microservices.domain
nameserver 10.0.1.1
options ndots:5

with this unbound config:

server:
  interface: 127.0.0.1
  pidfile: "/etc/unbound/unbound.pid"

queries to unbound for internet domains (e.g. google.com) work, but queries to unbound for local domains that require search (e.g. postgres.my.service.local) do not work.

with this unbound config:

server:
  interface: 127.0.0.1
  pidfile: "/etc/unbound/unbound.pid"

forward-zone:
  name: "."
  forward-addr: 10.0.1.1

all domains work, internet and local search.

is there a way to configure unbound to respect the local search config without needing to add the explicit forward-zone block?

Thanks!

@pemensik
Contributor

pemensik commented Oct 2, 2024

The first thing would be to avoid using the .local domain for anything used in unicast DNS. That domain is for use by multicast DNS instead. Also I think using ndots > 1 can have dangerous consequences and should be avoided.

But to the point. The /etc/resolv.conf file is not intended to configure DNS forwarders. The problem is that there is no standardized way to configure that instead.

Also, search is applied only by stub clients, typically glibc. Once a request is a DNS message, it is always absolute. No search should be applied to it at that time. Because unbound accepts queries over the DNS protocol, it should not append search domains itself. That should be done by the client sending the query, whatever it is.

The client should first ask postgres.my.service.local A?, then postgres.my.cool.microservices.domain A?, then at least postgres. A?. I do not think this should be modified in unbound. If there is a place for modification, that would probably be glibc and its nsswitch dns plugin.
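
To make that query sequence concrete, here is an added Python example (not code from unbound or from either participant in this thread) that emulates the glibc stub resolver's search-list expansion against the /etc/resolv.conf quoted in the issue. The file contents are the ones from the issue, embedded as a constructed string; the function names are assumptions. It shows that every candidate the stub emits is already an absolute name by the time it reaches unbound, and that with ndots:5 an internet name like google.com is also tried with the search suffixes before the literal name, which is the behaviour ndots > 1 introduces.

```python
"""Emulate glibc's search-list expansion (added example, not unbound code).

glibc rules used here: a name with a trailing dot is absolute and sent as-is;
otherwise, if the name has fewer than `ndots` dots, each search domain is
appended first and the literal name is tried last; if it has at least
`ndots` dots, the literal name goes first and the search domains follow.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed input: the /etc/resolv.conf from the issue report.
RESOLV_CONF = """\
search my.service.local my.cool.microservices.domain
nameserver 10.0.1.1
options ndots:5
"""


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)
    ndots: int = 1  # glibc default when no ndots option is given


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the subset of resolv.conf relevant to search behaviour."""
    rc = ResolvConf()
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            rc.nameservers.append(args[0])
        elif key in ("search", "domain"):
            # glibc: the last 'search' or 'domain' line wins
            rc.search = list(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    try:
                        # glibc caps ndots at 15 (RES_MAXNDOTS)
                        rc.ndots = min(int(opt[len("ndots:"):]), 15)
                    except ValueError:
                        pass  # malformed value: keep the default, as glibc does
    return rc


def search_candidates(name: str, rc: ResolvConf) -> List[str]:
    """Return the absolute names a glibc stub would query, in send order."""
    if name.endswith("."):
        return [name]  # already absolute: no search list applied
    literal = name + "."
    suffixed = [f"{name}.{domain}." for domain in rc.search]
    if name.count(".") < rc.ndots:
        return suffixed + [literal]
    return [literal] + suffixed


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for query in ("postgres", "postgres.", "google.com"):
        print(f"{query!r} with ndots:{conf.ndots}:")
        for candidate in search_candidates(query, conf):
            print("   ", candidate)
```

Each name printed is what unbound sees on the wire, with no search list left to apply. Dropping ndots back to the glibc default of 1 reverses the order for google.com, so the literal name is resolved first and the internal suffixes are only tried if that fails.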

@pemensik
Contributor

pemensik commented Oct 2, 2024

But we attempt something similar with our dnsconfd project, using Network Manager for it. Check it out: https://github.com/InfrastructureServices/dnsconfd

@pemensik
Contributor

It might be possible with a custom module before the iterator, which could scan /etc/resolv.conf before trying the iterator. The problem I see is that /etc/resolv.conf should in such a case contain a pointer to localhost, where unbound is running and providing DNS caching for the local system. Then the definitions of specific link-local domains need to be read from some other place. It might be Network Manager or a static definition. It may even ignore its own localhost address in /etc/resolv.conf, which could be set first.

Btw, why is ndots:5 used? It seems dangerous to me. Is there any documentation recommending such a setting?

@pemensik
Contributor

I have created an issue for an attempt at a forwarder definition, maybe also including encryption. See uapi-group/specifications#122
