How to get the systemd resolver to resolve local (i.e. unqualified) names?
Tom H
tomh0665 at gmail.com
Sun Jun 4 17:05:34 UTC 2017
On Sun, Jun 4, 2017 at 10:26 AM, Chris Green <cl at isbd.net> wrote:
> On Sun, Jun 04, 2017 at 10:09:32AM -0400, Tom H wrote:
>> On Sun, Jun 4, 2017 at 9:00 AM, Chris Green <cl at isbd.net> wrote:
>>> On Sun, Jun 04, 2017 at 01:18:41PM +0100, Chris Green wrote:
>>>>
>>>> I have an account on the bug reporting system so I will do so.
>>>
>>> The bug is already reported - Bug 1685628, I have added some
>>> confirmation as a comment.
>>
>> Thanks. I'd somehow understood that you had a github account and were
>> going to file a systemd bug report. Slow Sunday...
>
> I do have a github account as well but it seemed more sensible to
> report the bug against ubuntu as it might well be some sort of
> configuration/set-up problem rather than something fundamentally wrong
> with systemd.
It's both a configuration issue (if Ubuntu set up a "search" line in
"resolv.conf" there'd be no problem) and a bug issue (resolved ignored
its "Domains=" setting when host/dig are used).
================================================
The following's long and only peripherally-relevant. I set up a 17.10
VM using the latest "server" daily in order to check whether LLMNR
could be disabled on an interface when using systemd-networkd, unlike
when using ifupdown.
================================================
In the default install
1) dnsmasq-base is installed (it's pulled in by lxd) but it's not running.
2) systemd-resolved.service isn't enabled.
3) "/etc/resolv.conf" is a symlink to "/run/resolvconf/resolv.conf",
obviously set up by resolvconf and it's populated by the
"dns-nameservers" and "dns-search" values in
"/etc/network/interfaces".
================================================
So I disabled and masked "networking", enabled
"systemd-networkd.service" and "systemd-resolved.service", and set up
"enp0s3.network" to disable LLMNR. The result's that LLMNR's disabled
on the enp0s3.
root at localhost:~# cat /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf
# tell resolvconf about resolved's builtin DNS server, so that DNS servers
# picked up via networkd are respected when using resolvconf, and that software
# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS
# resolution; do not remove the entry after stop though, as that leads to
# timeouts on shutdown via the resolvconf hooks (see LP: #1648068)
[Service]
ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved'
ReadWritePaths=-/run/resolvconf
which results in the following
root at localhost:~# cat /etc/resolv.conf
<snip>
nameserver 127.0.0.53
which means that the resolvconf drop-in _could_ be extended to add a
"search" line if there were a file from which to get that info; but
from ?... It's simpler for a user to edit
"/etc/resolvconf/resolv.conf.d/base".
<rant>
I've always disliked the dns-* resolvconf settings. It would've been
better for the installer to drop a file with "nameserver ..." and
"search ..." into "/etc/resolvconf/resolv.conf.d/" because it wouldn't
have been ifupdown-specific and wouldn't have required whatever extra
code had to be added to ifupdown. Sometimes developers overdo the spit
and polish :(
</rant>
root at localhost:~# cat /etc/systemd/network/enp0s3.network
[Match]
MACAddress=08:00:27:f6:ef:36
[Network]
Address=192.168.1.243/24
Gateway=192.168.1.1
DNS=8.8.8.8
LLMNR=no
MulticastDNS=no
DNSSEC=no
root at localhost:~# cat /etc/systemd/resolved.conf
<snip>
[Resolve]
#DNS=
#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
#Domains=
#LLMNR=yes
#MulticastDNS=yes
#DNSSEC=no
#Cache=yes
#DNSStubListener=udp
root at localhost:~# grep hosts /etc/nsswitch.conf
hosts: files resolve [!UNAVAIL=return] dns
root at localhost:~# systemd-resolve --status
<snip>
Link 2 (enp0s3)
Current Scopes: DNS
LLMNR setting: no
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 8.8.8.8
root at localhost:~# ss -ntul | grep -v Netid | column -t
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
udp UNCONN 0 0 *:5355 *:*
udp UNCONN 0 0 :::5355 :::*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 *:5355 *:*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 :::5355 :::*
So LLMNR is disabled on enp0s3 (according to the systemd-resolve
output; I have no way - and no idea how - to test this) but it's
enabled globally. The man page says that they both have to be "yes"
for LLMNR to be active.
Setting
root at localhost:~# cat /etc/systemd/resolved.conf.d/dns.conf
[Resolve]
LLMNR=no
MulticastDNS=no
results in
root at localhost:~# ss -ntul | grep -v Netid | column -t
udp UNCONN 0 0 127.0.0.53%lo:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::22 :::*
So LLMNR is now disabled globally too.
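Added example, not part of Tom H's message or of systemd: a small audit that reproduces the check made above, namely that the effective `[Resolve]` setting says `no` and that no socket is bound on LLMNR port 5355, and generalizes it to MulticastDNS on UDP 5353 (a port not mentioned in the thread). The sample config and `ss -ntul` lines are constructed from the thread's output.

```python
import configparser
from typing import Dict, Iterable, Set, Tuple

LLMNR_PORT = 5355  # LLMNR responder binds UDP and TCP 5355
MDNS_PORT = 5353   # MulticastDNS binds UDP 5353 (assumed here, not from the thread)


def effective_resolve_setting(main_conf: str, dropins: Iterable[str],
                              key: str, default: str) -> str:
    """[Resolve] value after main file then drop-ins (last writer wins);
    a commented-out '#Key=' line is a comment and changes nothing."""
    value = default
    for text in [main_conf, *dropins]:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_option("Resolve", key):
            value = cp.get("Resolve", key).strip().lower()
    return value


def listening_ports(ss_output: str) -> Set[Tuple[str, int]]:
    """Parse `ss -ntul` lines into {(proto, port)}; non-socket lines are skipped."""
    ports = set()
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("udp", "tcp"):
            port = f[4].rsplit(":", 1)[-1]  # handles *:5355, :::5355, 127.0.0.53%lo:53
            if port.isdigit():
                ports.add((f[0], int(port)))
    return ports


def audit(main_conf: str, dropins: Iterable[str], ss_output: str) -> Dict[str, bool]:
    """True only when config says 'no' AND no socket is bound: the config
    alone proves nothing, and a listener despite 'no' is a mismatch."""
    ports = {p for _, p in listening_ports(ss_output)}
    result = {}
    for name, port in (("LLMNR", LLMNR_PORT), ("MulticastDNS", MDNS_PORT)):
        cfg = effective_resolve_setting(main_conf, dropins, name, "yes")
        result[name] = cfg == "no" and port not in ports
    return result


# Constructed samples modelled on the thread: stock resolved.conf with the
# defaults commented out, the drop-in turning both off, ss output before/after.
MAIN_CONF = "[Resolve]\n#LLMNR=yes\n#MulticastDNS=yes\n"
DROPIN = "[Resolve]\nLLMNR=no\nMulticastDNS=no\n"
SS_BEFORE = ("udp UNCONN 0 0 127.0.0.53%lo:53 *:*\n"
             "udp UNCONN 0 0 *:5355 *:*\n"
             "tcp LISTEN 0 128 *:22 *:*\n"
             "tcp LISTEN 0 128 :::5355 :::*\n")
SS_AFTER = "udp UNCONN 0 0 127.0.0.53%lo:53 *:*\ntcp LISTEN 0 128 :::22 :::*\n"
```

On a live host, feed it the real files and the output of `ss -ntul`; a `False` for LLMNR with `LLMNR=no` in place means resolved was not restarted or another responder owns port 5355.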