Open jjb opened 1 month ago
The first thing would be to avoid using the .local domain for anything used in unicast DNS. That domain is for use by multicast DNS instead. Also, I think using ndots > 1 can have dangerous consequences and should be avoided.
But to the point. The /etc/resolv.conf file is not intended to configure DNS forwarders. The problem is that there is no standardized way to configure that instead.
Also, search is applied only by stub clients, typically glibc. Once a request is a DNS message, it is always absolute. No search should be applied to it at that time. Because unbound accepts queries over the DNS protocol, it should not append search domains itself. It should be done by the client sending that query, whatever it is.
The client should first ask postgres.my.service.local A?, then postgres.my.cool.microservices.domain A?, then at least postgres. A?. I do not think this should be modified in unbound. If there is a place for modification, that would probably be glibc and its nsswitch dns plugin.
But we attempt something similar with our dnsconfd project, using Network Manager for it. Check it out: https://github.com/InfrastructureServices/dnsconfd
It might be possible with a custom module before the iterator, which would scan /etc/resolv.conf before trying the iterator. The problem I see is that in such a case /etc/resolv.conf should contain a pointer to localhost, where unbound is running and providing DNS caching for the local system. Then the definitions of specific link-local domains need to be read from some other place. It might be Network Manager or a static definition. It may even ignore its own localhost address in /etc/resolv.conf, which could be set first.
Btw, why is ndots:5 used? It seems dangerous to me. Is there any documentation recommending such settings?
I have created an issue for an attempt at a forwarder definition, maybe also including encryption. See https://github.com/uapi-group/specifications/issues/122
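The query order described in the first comment (postgres.my.service.local, then postgres.my.cool.microservices.domain, then postgres.) and the ndots:5 question are both about what the stub resolver does before a query ever reaches unbound. The following is an added example, not code from this issue thread, from unbound or from dnsconfd: a Python model of how a glibc-style stub resolver expands a name using the resolv.conf search list and ndots. The resolv.conf contents are constructed for the example from the domain names mentioned in the thread; the reporter's real file is not shown on the page.

```python
# Added example: models how a glibc-style stub resolver (not unbound) turns a
# name into the sequence of absolute queries, using the resolv.conf `search`
# list and `options ndots:N`. Constructed sample; not the reporter's real file.
SAMPLE_RESOLV_CONF = """\
# constructed sample, modelled on the names mentioned in the thread
nameserver 127.0.0.1
search my.service.local my.cool.microservices.domain
options ndots:5
"""


def parse_resolv_conf(text):
    """Return nameservers, search list and ndots from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # ndots defaults to 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            # a later search/domain line replaces an earlier one
            search = [d.rstrip(".") for d in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    ndots = int(opt[6:])
    return {"nameservers": nameservers, "search": search, "ndots": ndots}


def query_order(name, search, ndots):
    """Absolute owner names a stub client tries, in order.

    A trailing dot makes the name absolute: no search suffix is ever tried.
    Otherwise, names with fewer than ndots dots get the search list first and
    the bare name last; names with at least ndots dots are tried as-is first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def extra_queries(name, search, ndots):
    """How many search-suffixed lookups precede the as-is query."""
    order = query_order(name, search, ndots)
    return order.index(name.rstrip(".") + ".")


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for n in ("postgres", "google.com", "google.com."):
        print(n, "->", query_order(n, cfg["search"], cfg["ndots"]))
```

Every name in the returned list ends with a dot: that is the absolute form unbound actually receives, which is why search cannot be applied on the unbound side. The model also shows the cost of ndots:5: a name such as google.com has only one dot, so the two search suffixes are queried first (and, with the .local suffix, possibly answered by multicast DNS) before the intended absolute query is sent.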
Thanks for a great project!
I have a /etc/resolv.conf like this:
With this unbound config:
Queries to unbound for internet domains (e.g. google.com) work, but queries to unbound for local domains that require search (e.g. postgres → postgres.my.service.local) do not work.
With this unbound config:
All domains work, internet and local search.
Is there a way to configure unbound to respect the local search config without needing to add the explicit forward-zone block?
Thanks!