Fedora - systemd-resolved: introduction to split DNS

systemd-resolved: introduction to split DNS

<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/10/systemd-resolved-introduction-to-split-dns.png" width="632" height="614" title="" alt="" /></div><div><p>Fedora 33 switches the default DNS resolver to <a href="https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html">systemd-resolved</a>. In simple terms, this means that systemd-resolved will run as a daemon. All programs wanting to translate domain names to network addresses will talk to it. This replaces the current default lookup mechanism where each program individually talks to remote servers and there is no shared cache.</p>
<p>If necessary, systemd-resolved will contact remote DNS servers. systemd-resolved is a “stub resolver”—it doesn’t resolve all names itself (by starting at the root of the DNS hierarchy and going down label by label), but forwards the queries to a remote server. </p>
<p>A single daemon handling name lookups provides significant benefits. The daemon caches answers, which speeds answers for frequently used names. The daemon remembers which servers are non-responsive, while previously each program would have to figure this out on its own after a timeout. Individual programs only talk to the daemon over a local transport and are more isolated from the network. The daemon supports fancy rules which specify which name servers should be used for which domain names—in fact, the rest of this article is about those rules.</p>
<h2>Split DNS</h2>
<p>Consider the scenario of a machine that is connected to two semi-trusted networks (wifi and ethernet), and also has a VPN connection to your employer. Each of those three connections has its own network interface in the kernel. And there are multiple name servers: one from a DHCP lease from the wifi hotspot, two specified by the VPN and controlled by your employer, plus some additional manually-configured name servers. <em>Routing</em> is the process of deciding which servers to ask for a given domain name. Do not confuse this with the process of deciding where to send network packets, which is also called routing.</p>
<p>The network interface is king in systemd-resolved. systemd-resolved first picks one or more interfaces which are appropriate for a given name, and then queries one of the name servers attached to that interface. This is known as “split DNS”.</p>
<p>There are two flavors of domains attached to a network interface: <em>routing domains</em> and <em>search domains</em>. They both specify that the given domain and any subdomains are appropriate for that interface. Search domains have the additional function that single-label names are suffixed with that search domain before being resolved. For example, a lookup for “server” is treated as a lookup for “server.example.com” if the search domain is “example.com.” In systemd-resolved config files, routing domains are prefixed with the tilde (~) character. </p>
<h3>Specific example</h3>
<p>Now consider a specific example: your VPN interface <i>tun0</i> has a search domain <i>private.company.com</i> and a routing domain <i>~company.com</i>. If you ask for <i>mail.private.company.com</i>, it is matched by both domains, so this name would be routed to <i>tun0</i>.</p>
<p>A request for <i>www.company.com</i> is matched by the second domain and would also go to <i>tun0</i>. If you ask for <i>www</i>, (in other words, if you specify a single-label name without any dots), the difference between routing and search domains comes into play. systemd-resolved attempts to combine the single-label name with the search domain and tries to resolve <i>www.private.company.com</i> on <i>tun0</i>.</p>
<p>If you have multiple interfaces with search domains, single-label names are suffixed with all search domains and resolved in parallel. For multi-label names, no suffixing is done; search and routing domains are used to route the name to the appropriate interface. The longest match wins. When there are multiple matches of the same length on different interfaces, they are resolved in parallel.</p>
<p>A special case is when an interface has a routing domain <i>~.</i> (a tilde for a routing domain and a dot for the root DNS label). Such an interface always matches any names, but with the shortest possible length. Any interface with a matching search or routing domain has higher priority, but the interface with <em>~.</em> is used for all other names. Finally, if no routing or search domains matched, the name is routed to all interfaces that have at least one name server attached.</p>
<h2>Lookup routing in systemd-resolved</h2>
<h3>Domain routing</h3>
<p>This seems fairly complex, partially because of the historic names which are confusing. In actual practice it’s not as complicated as it seems.</p>
<p>To introspect a running system, use the <em>resolvectl domain</em> command. For example:</p>
<pre class="wp-block-preformatted">$ <strong>resolvectl domain</strong>
Global:
Link 4 (wlp4s0): ~.
Link 18 (hub0):
Link 26 (tun0): redhat.com</pre>
<p>You can see that <em>www</em> would resolve as <em>www.redhat.com</em> over <em>tun0</em>. Anything ending with <i>redhat.com</i> resolves over <i>tun0</i>. Everything else would resolve over <i>wlp4s0</i> (the wireless interface). In particular, a multi-label name like <i>www.foobar</i> would resolve over <i>wlp4s0</i>, and most likely fail because there is no <i>foobar</i> top-level domain (yet).</p>
<h3>Server routing</h3>
<p>Now that you know which <em>interface</em> or interfaces should be queried, the <em>server</em> or servers to query are easy to determine. Each interface has one or more name servers configured. systemd-resolved will send queries to the first of those. If the server is offline and the request times out or if the server sends a syntactically-invalid answer (which shouldn’t happen with “normal” queries, but often becomes an issue when DNSSEC is enabled), systemd-resolved switches to the next server on the list. It will use that second server as long as it keeps responding. All servers are used in a round-robin rotation.</p>
<p>To introspect a running system, use the <em>resolvectl dns</em> command:</p>
<pre class="wp-block-preformatted">$ <strong>resolvectl dns</strong>
Global:
Link 4 (wlp4s0): 192.168.1.1 8.8.4.4 8.8.8.8
Link 18 (hub0):
Link 26 (tun0): 10.45.248.15 10.38.5.26</pre>
<p>When combined with the previous listing, you know that for <i>www.redhat.com</i>, systemd-resolved will query 10.45.248.15, and—if it doesn’t respond—10.38.5.26. For <i>www.google.com</i>, systemd-resolved will query 192.168.1.1 or the two Google servers 8.8.4.4 and 8.8.8.8.</p>
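<p>The following is an added example, not code from the article or from the systemd project: a small Python model of the routing rules described above (search versus routing domains, longest match, the <i>~.</i> catch-all, the fallback to every interface with a name server, and the switch to the next server when one stops responding), fed with the two listings shown above. The link names and addresses are the article's; the function and class names (<i>parse_listing</i>, <i>route</i>, <i>ServerRotation</i>) are assumptions of this example, and <i>is_up</i> stands in for a real DNS exchange.</p>

```python
# Added example (not from the article or systemd): a model of systemd-resolved's
# split-DNS routing as the article describes it. Names below are assumptions.
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    domains: list  # search domains as printed; routing domains carry a "~" prefix
    servers: list  # name servers in the order resolvectl prints them


def parse_listing(text):
    """Parse `resolvectl domain` / `resolvectl dns` output into {link name: [items]}.

    Lines look like "Link 4 (wlp4s0): ~." or "Global:"; the link name is the
    part in parentheses, "Global" is kept under its own key.
    """
    table = {}
    for line in text.strip().splitlines():
        head, _, rest = line.partition(":")
        head = head.strip()
        name = head[head.index("(") + 1:head.index(")")] if "(" in head else head
        table[name] = rest.split()
    return table


def build_links(domain_listing, dns_listing):
    """Join both listings into Link objects (the Global lists are empty in the article)."""
    domains = parse_listing(domain_listing)
    servers = parse_listing(dns_listing)
    return [Link(n, domains[n], servers.get(n, [])) for n in domains if n != "Global"]


def link_named(links, name):
    return next(link for link in links if link.name == name)


def match_length(name, domain):
    """Labels of `domain` matched by `name`, or None if it does not match.

    Search and routing domains both route; "~." (the root) matches everything
    with length 0, so any other match beats it.
    """
    suffix = domain.lstrip("~").rstrip(".")
    name = name.rstrip(".")
    if suffix == "":
        return 0
    if name == suffix or name.endswith("." + suffix):
        return suffix.count(".") + 1
    return None


def route(name, links):
    """Return the (query name, link name) pairs systemd-resolved would try.

    Single-label names are suffixed with every search domain and resolved in
    parallel on the owning links. Multi-label names are never suffixed: the
    longest match wins, equal-length matches run in parallel, and with no match
    at all the name goes to every link that has a name server.
    """
    if "." not in name.rstrip("."):
        return [(f"{name}.{d.rstrip('.')}", link.name)
                for link in links for d in link.domains if not d.startswith("~")]
    best, chosen = None, []
    for link in links:
        for d in link.domains:
            m = match_length(name, d)
            if m is None:
                continue
            if best is None or m > best:
                best, chosen = m, [link.name]
            elif m == best and link.name not in chosen:
                chosen.append(link.name)
    if not chosen:
        chosen = [link.name for link in links if link.servers]
    return [(name, ln) for ln in chosen]


class ServerRotation:
    """Per-link server choice: keep using the current server until it fails,
    then move to the next one and stay there while it keeps responding."""

    def __init__(self, link):
        self.servers = link.servers
        self.current = 0

    def query(self, is_up):
        """`is_up(server)` stands in for a real query; returns the server that answered."""
        for _ in range(len(self.servers)):
            server = self.servers[self.current]
            if is_up(server):
                return server
            self.current = (self.current + 1) % len(self.servers)
        return None  # every server on the link failed


# Constructed input: the two listings from the article, copied verbatim.
DOMAIN_LISTING = """Global:
Link 4 (wlp4s0): ~.
Link 18 (hub0):
Link 26 (tun0): redhat.com"""
DNS_LISTING = """Global:
Link 4 (wlp4s0): 192.168.1.1 8.8.4.4 8.8.8.8
Link 18 (hub0):
Link 26 (tun0): 10.45.248.15 10.38.5.26"""
LINKS = build_links(DOMAIN_LISTING, DNS_LISTING)

if __name__ == "__main__":
    for n in ("www", "www.redhat.com", "www.google.com", "www.foobar"):
        print(n, "->", route(n, LINKS))
    rotation = ServerRotation(link_named(LINKS, "tun0"))
    print(rotation.query(lambda s: s != "10.45.248.15"))  # first VPN server down
```

<p>Running the script reproduces the article's walk-through: <i>www</i> becomes <i>www.redhat.com</i> on <i>tun0</i>, <i>www.redhat.com</i> beats the <i>~.</i> catch-all and stays on <i>tun0</i>, and <i>www.google.com</i> and <i>www.foobar</i> both go to <i>wlp4s0</i>. Feeding the same functions a listing where <i>~.</i> sits on <i>tun0</i> instead (the reversed scenario described later in the article) sends every unmatched name to the VPN, which is exactly the trust decision the NetworkManager checkbox encodes.</p>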
<h2>Differences from nss-dns</h2>
<p>Before going into further detail, you may ask how this differs from the previous default implementation (nss-dns). With nss-dns there is just one global list of up to three name servers and a global list of search domains (specified as <i>nameserver</i> and <i>search</i> in <i>/etc/resolv.conf</i>).</p>
<p>Each name to query is sent to the first name server. If it doesn’t respond, the same query is sent to the second name server, and so on. systemd-resolved implements split-DNS and remembers which servers are currently considered active.</p>
<p>For single-label names, the query is performed with each of the search domains suffixed. This is the same with systemd-resolved. For multi-label names, a query for the unsuffixed name is performed first, and if that fails, a query for the name suffixed by each of the search domains in turn is performed. systemd-resolved doesn’t do that last step; it only suffixes single-label names.</p>
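<p>An added example, not from the article, that spells out the difference in the previous paragraph as the list of queries each resolver would actually send for a given name. The search list is a constructed sample and the two function names are assumptions of this example. Note the practical consequence visible in the output: with nss-dns a failing external lookup such as <i>www.foobar</i> is retried as <i>www.foobar.company.com</i> against the search domain's servers, so a typo leaks into, and can be answered by, the internal zone; systemd-resolved never generates those suffixed queries for multi-label names. (glibc additionally honours <i>options ndots</i>, which the article does not cover; the functions below model the default of 1.)</p>

```python
# Added example (not from the article): query lists generated by nss-dns versus
# systemd-resolved for the same name and search list, per the article's description.
def nss_dns_queries(name, search):
    """nss-dns with /etc/resolv.conf: single-label names get every search domain
    appended; multi-label names are tried unsuffixed first and then with each
    search domain in turn (the default ndots:1 behaviour)."""
    name = name.rstrip(".")
    suffixed = [f"{name}.{domain}" for domain in search]
    return suffixed if "." not in name else [name] + suffixed


def resolved_queries(name, search):
    """systemd-resolved: only single-label names are suffixed; a multi-label
    name is sent as-is and routed by the split-DNS rules instead."""
    name = name.rstrip(".")
    return [f"{name}.{domain}" for domain in search] if "." not in name else [name]


# Constructed sample search list (hypothetical domains).
SEARCH = ["private.company.com", "company.com"]

if __name__ == "__main__":
    for n in ("www", "www.foobar"):
        print(n, "nss-dns:", nss_dns_queries(n, SEARCH))
        print(n, "resolved:", resolved_queries(n, SEARCH))
```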
<p>A second difference is that with <i>nss-dns</i>, this module is loaded into each process. The process itself communicates with remote servers and implements the full DNS stack internally. With systemd-resolved, the <i>nss-resolve</i> module is loaded into the process, but it only forwards the query to systemd-resolved over a local transport (D-Bus) and doesn’t do any work itself. The systemd-resolved process is heavily sandboxed using systemd service features.</p>
<p>The third difference is that with systemd-resolved all state is dynamic and can be queried and updated using D-Bus calls. This allows very strong integration with other daemons or graphical interfaces.</p>
<h2>Configuring systemd-resolved</h2>
<p>So far, this article talked about servers and the routing of domains without explaining how to configure them. systemd-resolved has a configuration file (<i>/etc/systemd/resolv.conf</i>) where you specify name servers with <i>DNS=</i> and routing or search domains with <i>Domains=</i> (routing domains with <i>~</i>, search domains without). This corresponds to the <i>Global:</i> lists in the two listings above.</p>
<p>In this article’s examples, both lists are empty. Most of the time configuration is attached to specific interfaces, and “global” configuration is not very useful. Interfaces come and go and it isn’t terribly smart to contact servers on an interface which is down. As soon as you create a VPN connection, you want to use the servers configured for that connection to resolve names, and as soon as the connection goes down, you want to stop.</p>
<p>How, then, does systemd-resolved acquire the configuration for each interface? This happens dynamically, with the network management service pushing this configuration over D-Bus into systemd-resolved. The default in Fedora is NetworkManager and it has very good integration with systemd-resolved. Alternatives like systemd’s own systemd-networkd implement similar functionality. But the <a href="https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html">interface is open</a> and other programs can do the appropriate D-Bus calls.</p>
<p>Alternatively, <i>resolvectl</i> can be used for this (it is just a wrapper around the D-Bus API). Finally, <i>resolvconf</i> provides similar functionality in a form compatible with a tool in Debian with the same name.</p>
<h3>Scenario: Local connection more trusted than VPN</h3>
<p>The important thing is that in the common scenario, systemd-resolved follows the configuration specified by other tools, in particular NetworkManager. So to understand how systemd-resolved resolves names, you need to see what NetworkManager tells it to do. Normally NM will tell systemd-resolved to use the name servers and search domains received in a DHCP lease on some interface. For example, look at the source of configuration for the two listings shown above:</p>
<p><img class="wp-image-31998" style="width: 500px" src="https://www.sickgaming.net/blog/wp-content/uploads/2020/10/systemd-resolved-introduction-to-split-dns.png" alt="" /><img class="wp-image-31999" style="width: 500px" src="https://www.sickgaming.net/blog/wp-content/uploads/2020/10/systemd-resolved-introduction-to-split-dns-1.png" alt="" /></p>
<p>There are two connections: “Parkinson” wifi and “Brno (BRQ)” VPN. In the first panel <em>DNS:Automatic</em> is enabled, which means that the DNS server received as part of the DHCP lease (192.168.1.1) is passed to systemd-resolved. Additionally, 8.8.4.4 and 8.8.8.8 are listed as alternative name servers. This configuration is useful if you want to resolve the names of other machines in the local network, which 192.168.1.1 provides. Unfortunately the hotspot DNS server occasionally gets stuck, and the other two servers provide backup when that happens.</p>
<p>The second panel is similar, but doesn’t provide any special configuration. NetworkManager combines routing domains for a given connection from DHCP, SLAAC RDNSS, and VPN, and finally manual configuration, and forwards this to systemd-resolved. This is the source of the search domain <i>redhat.com</i> in the listing above.</p>
<p>There is an important difference between the two interfaces though: in the second panel, “Use this connection only for resources on its network” is <strong>checked</strong>. This tells NetworkManager to tell systemd-resolved to only use this interface for names under the search domain received as part of the lease (<i>Link 26 (tun0): redhat.com</i> in the first listing above). In the first panel, this checkbox is <strong>unchecked</strong>, and NetworkManager tells systemd-resolved to use this interface for all other names (<i>Link 4 (wlp4s0): ~.</i>). This effectively means that the wireless connection is more trusted.</p>
<h3>Scenario: VPN more trusted than local network</h3>
<p>In a different scenario, a VPN would be more trusted than the local network and the domain routing configuration reversed. If a VPN without “Use this connection only for resources on its network” is active, NetworkManager tells systemd-resolved to attach the default routing domain to this interface. After unchecking the checkbox and restarting the VPN connection:</p>
<pre class="wp-block-preformatted">$ <strong>resolvectl domain</strong>
Global:
Link 4 (wlp4s0):
Link 18 (hub0):
Link 28 (tun0): ~. redhat.com
$<strong> resolvectl dns</strong>
Global:
Link 4 (wlp4s0):
Link 18 (hub0):
Link 28 (tun0): 10.45.248.15 10.38.5.26</pre>
<p>Now all domain names are routed to the VPN. The network management daemon controls systemd-resolved and the user controls the network management daemon.</p>
<h2>Additional systemd-resolved functionality</h2>
<p>As mentioned before, systemd-resolved provides a common name lookup mechanism for all programs running on the machine. Right now the effect is limited: shared resolver and cache and split DNS (the lookup routing logic described above). systemd-resolved provides additional resolution mechanisms beyond the traditional unicast DNS. These are the local resolution protocols MulticastDNS and LLMNR, and an additional remote transport DNS-over-TLS.</p>
<p>Fedora 33 does not enable MulticastDNS and DNS-over-TLS in systemd-resolved. MulticastDNS is implemented by <i>nss-mdns4_minimal</i> and Avahi. Future Fedora releases may enable these as the upstream project improves support.</p>
<p>Implementing this all in a single daemon which has runtime state allows smart behaviour: DNS-over-TLS may be enabled in opportunistic mode, with automatic fallback to classic DNS if the remote server does not support it. Without the daemon which can contain complex logic and runtime state this would be much harder. When enabled, those additional features will apply to all programs on the system.</p>
<p>There is more to systemd-resolved: in particular LLMNR and DNSSEC, which only received brief mention here. A future article will explore those subjects.</p>
</div>


https://www.sickgaming.net/blog/2020/10/...split-dns/