NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

use /etc/resolv.conf to find upstream, and also respect search config #1139

Open jjb opened 1 month ago

jjb commented 1 month ago

thanks for a great project!

I have a /etc/resolv.conf like this:

search my.service.local my.cool.microservices.domain
nameserver 10.0.1.1
options ndots:5

with this unbound config:

server:
  interface: 127.0.0.1
  pidfile: "/etc/unbound/unbound.pid"

Queries to unbound for internet domains (e.g. google.com) work, but queries to unbound for local domains that require search (e.g. postgrespostgres.my.service.local) do not work.

with this unbound config:

server:
  interface: 127.0.0.1
  pidfile: "/etc/unbound/unbound.pid"

forward-zone:
  name: "."
  forward-addr: 10.0.1.1

all domains work, internet and local search.

Is there a way to configure unbound to respect the local search config without needing to add the explicit forward-zone block?

Thanks!

pemensik commented 2 weeks ago

The first thing would be to avoid using the .local domain for anything used in unicast DNS. That domain is for use by multicast DNS instead. Also, I think using ndots > 1 can have dangerous consequences and should be avoided.

But to the point. The /etc/resolv.conf file is not intended to configure DNS forwarders. The problem is that there is no standardized way to configure that instead.

Also, search is applied only by stub clients, typically by glibc. Once a request is a DNS message, it is always absolute. No search should be applied to it at that time. Because unbound accepts queries over the DNS protocol, it should not append search domains itself. It should be done by the client sending that query, whatever it is.

The client should first ask postgres.my.service.local A?, then postgres.my.cool.microservices.domain A?, then at least postgres. A?. I do not think this should be modified in unbound. If there is a place for modification, that would probably be glibc and its nsswitch dns plugin.
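As an added illustration of the search-list expansion pemensik describes (example code, not part of unbound or of this thread), the snippet below applies glibc's default resolv.conf algorithm, which is assumed here: names with fewer than ndots dots are tried under every search domain before being tried as-is, so with ndots:5 even google.com is first sent upstream as google.com.my.service.local.

```python
# Stub-resolver search-list expansion, modelled on glibc's default
# resolv.conf behaviour (an assumption of this example, not unbound code).
RESOLV_CONF = """\
search my.service.local my.cool.microservices.domain
nameserver 10.0.1.1
options ndots:5
"""  # constructed copy of the resolv.conf shown in the issue


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text; ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split("#")[0].split()      # drop comments, blank lines
        if not fields:
            continue
        key, args = fields[0], fields[1:]
        if key in ("search", "domain"):
            search = [d.rstrip(".") for d in args]   # a later line overrides
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidates(name, search, ndots):
    """Ordered list of absolute names a stub resolver would send, in order."""
    if name.endswith("."):
        return [name]                          # trailing dot: absolute only
    absolute = name + "."
    suffixed = [f"{name}.{d}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed           # enough dots: try as-is first
    return suffixed + [absolute]               # otherwise search list first


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for n in ("postgres", "google.com", "google.com."):
        print(n, "->", candidates(n, search, ndots))
```

The resolver stops at the first candidate that yields an answer, so the list is the try-order, and every entry before the hit is a query the upstream server sees.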

pemensik commented 2 weeks ago

But we attempt something similar with our dnsconfd project, using NetworkManager for it. Check it out: https://github.com/InfrastructureServices/dnsconfd

pemensik commented 3 days ago

It might be possible with a custom module before the iterator, which could scan /etc/resolv.conf before trying the iterator. The problem I see is that /etc/resolv.conf should in such a case contain a pointer to localhost, where unbound is running and providing DNS caching for the local system. Then definitions of specific link-local domains need to be read from some other place. It might be NetworkManager or a static definition. It may even ignore its own localhost address in /etc/resolv.conf, which could be set first.

Btw, why is ndots:5 used? It seems dangerous to me. Is there any documentation recommending such settings?

pemensik commented 3 days ago

I have created an issue for an attempt at a forwarder definition, maybe also including encryption. See https://github.com/uapi-group/specifications/issues/122