{{tag>Brouillon DNS CA}}
= DNS client notes
See also, DNS clients:
* [[https://doc.ubuntu-fr.org/unbound|Unbound]]
See also:
* https://linuxfr.org/news/happydomain-on-devrait-tous-avoir-un-nom-de-domaine#toc-%C3%80-quoi-sert-happydomain
=== /etc/resolv.conf
See also:
* /etc/nsswitch.conf
==== Hard limits for the /etc/resolv.conf file
NOTE: the behaviour differs with **musl libc** (an alternative to glibc).
You need to be aware of the hard limits for name servers, domain name, and search domains when you create or edit the ''/etc/resolv.conf'' file.
The hard limits for the ''/etc/resolv.conf'' file are as follows:
* Maximum number of name servers is 3 (hard-coded; a 4th entry is never used).
* Maximum line size is 256 (before glibc 2.26?).
* Maximum domain name length is 256 characters (before glibc 2.26?).
* Maximum search domains limit is 6.
* In glibc 2.25 and earlier, the search list is limited to six domains with a total of 256 characters. Since glibc 2.26, the search list is unlimited (RHEL 6; on RHEL 7 and 8 it depends on the glibc version).
* Total number of characters for all search domains is 256 (before glibc 2.26).
* Note: You should use only tab or space to separate host names in the search domain list.
With more than 3 servers in /etc/resolv.conf, the resolver logs: "Nameserver limits were exceeded, some nameservers have been omitted..."
Note: There is no limit on file size.
The **search** keyword of the system ''resolv.conf'' can be overridden per process
by setting the **LOCALDOMAIN** environment variable to a space-separated list of
search domains. \\
The **options** keyword of the system ''resolv.conf'' can be overridden per process
by setting the **RES_OPTIONS** environment variable to a space-separated list of
resolver library options.
=== Port forwarding
sudo socat -v -v udp4-listen:53,reuseaddr,fork udp4:8.8.8.8:53
== Connection tests
# UDP
#host -U -W 1 127.0.0.1 8.8.8.8
host -W 1 127.0.0.1 8.8.8.8
# TCP
host -T -W 1 127.0.0.1 8.8.8.8
# For each resolver, look up a name that does not exist: an NXDOMAIN ("not found") answer proves the server is reachable and answering.
echo "127.0.0.1,192.168.1.1,8.8.8.8" |tr "," "\n" |xargs -L1 -I% bash -c "host -W 1 plop.plop % |grep -q 'not found' && echo OK % || echo NOK %"
- name: Check DNS connectivity - UDP
  command: "host -W 1 127.0.0.1 {{ item | quote }}"
  check_mode: false
  changed_when: false
  register: cmd_host_udp
  failed_when: not ( cmd_host_udp.rc == 0 or ( cmd_host_udp.rc == 1 and cmd_host_udp.stdout_lines is search('not found') ) )
  with_items: "{{ resolv_new_nameservers }}"
- name: Check DNS connectivity - TCP
  command: "host -T -W 1 127.0.0.1 {{ item | quote }}"
  check_mode: false
  changed_when: false
  register: cmd_host_tcp
  failed_when: not ( cmd_host_tcp.rc == 0 or ( cmd_host_tcp.rc == 1 and cmd_host_tcp.stdout_lines is search('not found') ) )
  with_items: "{{ resolv_new_nameservers }}"
Or alternatively:
curl --dns-servers 192.168.0.1,192.168.0.2 https://example.com
curl --dns-servers 10.0.0.1:53 https://example.com
systemd-resolve HOSTNAME SERVERNAME
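An added Python example, not from the original notes, doing what the ''host'' loop and the Ansible tasks above do without external tools: it builds a raw DNS query, sends it over UDP or TCP, and treats an NXDOMAIN answer as proof that the resolver is reachable. The resolver addresses and the name plop.plop are constructed placeholders.

```python
# Added example (not from the page): minimal DNS reachability probe in pure
# Python, same logic as the 'host ... | grep "not found"' loop above.
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234, qtype=1):
    """Minimal DNS query: 12-byte header (RD set) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_rcode(resp, txid):
    """RCODE name of a response, or None if it is not a response to txid."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid or not flags & 0x8000:  # QR bit clear: not a response
        return None
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")

def _recvn(s, n):
    """Read exactly n bytes from a TCP socket (recv may return fewer)."""
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed by resolver")
        buf += chunk
    return buf

def check_resolver(server, name="plop.plop", tcp=False, timeout=1.0):
    """'OK' when the server answers NOERROR or NXDOMAIN (reachable and
    answering, even for a name that does not exist), else 'NOK (...)'."""
    txid, q = 0x1234, build_query(name)
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if tcp:  # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack("!H", len(q)) + q)
                resp = _recvn(s, struct.unpack("!H", _recvn(s, 2))[0])
            else:
                s.send(q)
                resp = s.recv(512)
    except OSError as e:
        return f"NOK ({e})"
    rcode = parse_rcode(resp, txid)
    return "OK" if rcode in ("NOERROR", "NXDOMAIN") else f"NOK ({rcode})"
```

Call ''check_resolver("192.168.1.1")'' and ''check_resolver("192.168.1.1", tcp=True)'' for each server in the list; a "NOK (timed out)" on TCP only is the usual sign of a firewall that lets through UDP/53 but not TCP/53.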
== Docker configuration
=== Docker-compose
my-app:
  build: my-app
  dns:
    - 10.20.20.1 # dns server 1
    - 10.21.21.2 # dns server 2
  dns_search: ibm-edv.ibmnet.int
  extra_hosts:
    - "somehost:162.242.195.82"
    - "otherhost:50.31.209.229"
# Kubernetes equivalent (pod spec, not compose): resolver options for the pod
spec:
  containers:
    - name: test
      image: nginx
  dnsConfig:
    options:
      - name: timeout
        value: "2"
== Client-side DNS cache
See also:
* https://geekflare.com/fr/setup-dns-caching-dnsmasq-on-ubuntu/
* https://doc.ubuntu-fr.org/unbound
* Rescached
* https://wiki.archlinux.org/title/rescached
* https://github.com/shuLhan/rescached-go
''/etc/systemd/resolved.conf''
[Resolve]
DNS=1.1.1.1 1.0.0.1
sudo mv /etc/resolv.conf /etc/resolv.conf.orig
sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
''/etc/resolv.conf''
nameserver 127.0.0.53
options edns0
**See also ''/etc/nsswitch.conf''**
sudo pkill -USR1 systemd-resolve
sudo systemd-resolve --flush-caches
sudo resolvectl flush-caches
sudo journalctl -u systemd-resolved > ~/resolved.txt
sudo systemd-resolve --statistics
=== Flush DNS / Clear cache
Flush the systemd-resolved DNS cache
systemd-resolve --flush-caches
Clear BIND Server DNS Cache
sudo rndc restart
Clear the DNS cache for a particular domain with the command below (''<domain>'' is a placeholder).
sudo rndc flushname <domain>
Clear the dnsmasq Server DNS Cache
sudo systemctl restart dnsmasq
Flush nscd server DNS Cache
sudo systemctl restart nscd
pdnsd
pdnsd-ctl empty-cache
== Options
No IPv6 AAAA queries
# since glibc 2.36
options no-aaaa
no-tld-query (since glibc 2.14)
== Problems
=== Problem: short name resolution
''/etc/resolv.conf''
# options rotate timeout:1 retries:1
# options rotate timeout:2 attempts: 1
options timeout:0 attempts:1
nameserver 192.168.10.10
nameserver 192.168.11.10
search domain1.local domain2.local
domain domain2.local
FQDN resolution OK
# getent hosts srv01.domain1.local
192.168.1.101 srv01.domain1.local
Short name resolution NOK
# getent hosts srv01
#
==== Solution
Put ''search'' after ''domain'', or comment out ''domain''.
According to the implementation of Glibc, if ''domain'' and ''search'' directives are both used, only the last instance will be used for DNS queries. \\
Source : https://access.redhat.com/solutions/5958611
The ''domain'' directive is an obsolete name for the ''search'' directive that handles one search list entry only. \\
Source : https://man7.org/linux/man-pages/man5/resolv.conf.5.html
''/etc/resolv.conf''
options rotate timeout:1 retries:1
# options rotate timeout:2 attempts: 1
nameserver 192.168.10.10
nameserver 192.168.11.10
domain domain2.local
search domain1.local domain2.local
# getent hosts srv01
192.168.1.101 srv01.domain1.local
# getent hosts srv01.domain1.local
192.168.1.101 srv01.domain1.local
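An added Python example, not from the original notes, that applies the two glibc rules documented on this page (at most 3 nameservers, and the last ''domain''/''search'' directive winning) to a resolv.conf and shows which names the stub resolver will actually try for ''srv01''. The two inputs are constructed copies of the broken and fixed files above.

```python
# Added example (not from the page): compute the effective glibc view of a
# resolv.conf, applying the two rules above: at most 3 nameservers, and one
# search list where the last 'domain' or 'search' directive wins.
MAXNS = 3  # glibc hard limit; a 4th nameserver is silently dropped

def effective_resolv(text):
    """Return (nameservers, search_list, warnings) as glibc would use them."""
    nameservers, search, warnings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            if len(nameservers) < MAXNS:
                nameservers.append(args[0])
            else:
                warnings.append(f"line {lineno}: nameserver {args[0]} ignored (limit {MAXNS})")
        elif key in ("domain", "search"):
            if search:
                warnings.append(f"line {lineno}: '{key}' replaces earlier search list {search}")
            # 'domain' is the obsolete one-entry form of 'search'; last directive wins
            search = args[:1] if key == "domain" else list(args)
    return nameservers, search, warnings

def candidates(name, search, ndots=1):
    """Names the stub resolver tries, in order, when looking up `name`."""
    n = name.rstrip(".")
    if name.endswith("."):  # fully qualified: the search list never applies
        return [n]
    via_search = [f"{n}.{d}" for d in search]
    return [n] + via_search if n.count(".") >= ndots else via_search + [n]

# Constructed inputs mirroring the broken and fixed files above.
BROKEN = """options timeout:0 attempts:1
nameserver 192.168.10.10
nameserver 192.168.11.10
search domain1.local domain2.local
domain domain2.local
"""
FIXED = BROKEN.replace("search domain1.local domain2.local\ndomain domain2.local",
                       "domain domain2.local\nsearch domain1.local domain2.local")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        ns, search, warns = effective_resolv(conf)
        print(label, "search list:", search, "tries:", candidates("srv01", search), warns)
```

With the broken file the effective search list is only ''domain2.local'', so ''srv01'' is tried as ''srv01.domain2.local'' and then bare ''srv01'', never as ''srv01.domain1.local''.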
=== Problem: Linux DNS client, FQDN resolution fails
$ getent hosts plop
192.168.21.25 plop.acme.local
$ getent hosts plop.acme.local
$
$ dig +short plop.acme.local
192.168.21.25
==== Solution
Check with dig / nslookup; if those work, the problem lies elsewhere, for example in the **libc** configuration. Here ''mdns4_minimal'' claims every name ending in ''.local'' and ''[NOTFOUND=return]'' stops the lookup before the ''dns'' module, so the FQDN never reaches the DNS server while the short name (no ''.local'' suffix before search-list expansion) falls through to ''dns'' and works.
''/etc/nsswitch.conf''
#hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
hosts: files dns myhostname
== Tools
=== Dig
To follow the step-by-step name resolution:
dig +add +trace @8.8.8.8 www.google.com
=== kdig
kdig client (part of Knot):
kdig +tls @localhost -p 8353 foobar.test
=== check-soa
https://framagit.org/bortzmeyer/check-soa
=== blaeu-resolve
blaeu-resolve -r 100 --type NS meteofrance.com
--------------
== DNS client notes & diagnostics
# /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved.service
Configuration
systemd-resolve --set-dns=192.168.1.1 -i wlan1
Status
systemd-resolve --status
Disable and stop the systemd-resolved service
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved
''/etc/NetworkManager/NetworkManager.conf''
[main]
dns=default
unlink /etc/resolv.conf
sudo service network-manager restart
DNS from DHCP?
''/etc/systemd/network/enp0s31f6.network''
[DHCP]
UseDNS=true
Other
ps aux |grep dnsmasq
=== Port diagnostics
''resolv.py''
import socket
for x in range(5):
    print(socket.getaddrinfo('gnu.org', 80))
# strace -e trace=connect python resolv.py 2>&1 | grep 53
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.10.10")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.20.20")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.5")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.10.10")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.20.20")}, 16) = 0
lsof -i udp:53
time tcpdump udp port 53 -Qout -n |nl
time strace -f -e trace=%network -p 29976 2>&1 |grep 'htons(53)' |nl
# sysdig -c lsof "'fd.l4proto=udp and fd.port=53'"
COMMAND PID TID USER FD TYPE NAME
systemd-resolve 2870470 2870470 systemd 12 ipv4 127.0.0.53:53
csysdig -v connections fd.ip=10.172.93.224
iftop -f "host 10.172.93.224"
== Other
Windows
nslookup
set detail
== Todo
Root servers.
MX
Zone transfer.
[[audit]]
-------
https://github.com/bortzmeyer/check-soa
check-soa -i dz