Linux DNS Configuration

NSS, systemd-resolved & DNSSEC

Linux

Systemd

Published

June 21, 2016

Modified

October 24, 2024

Domain Name Resolution

Hosts are identified by a standard numbers-and-dots notation…

…using IP-addresses, like 91.198.174.192 for Wikipedia
…alternatively easier to remember symbolic names, like wikipedia.org

DNS (Domain Name System)…

…maps (translates) symbolic names to an IP address (machine readable)
…resolvers map a domain name to an IP address that identifies the domains hosted location
…resolution is the process of obtaining answers from the DNS database
…domains resolved segment by segment from the highest-level domain down…
…eventually querying many (authoritative) DNS servers

Clients requests information from a DNS service …hosted on a DNS server

…called a lookup request from the DNS client
…the DNS server sends a lookup response
…forward lookup …uses the domain name to search for IP addresses
…reverse lookup …uses IP addresses to search for the domain name

Domain Name Structure

Tree structure of domain names (with the root zone at the top)…

…domain names processed from right to left, node labels separated by dots
…top-level domain names (TLDs) maintained by IANA root zone database…
- …two letter (country code) ccTLDs identify geography i.e. .de, .uk
- …(generic) gTLDs hint at a purpose i.e. .org, .com
- …domain names contain up to 255 chars and up to 127 node levels
- …absolute names are unique i.e. en.wikipedia.org

Resource records (RRs)

…store domain specific DNS data…

Record	Description
`SOA`	…start-of-authority, authoritative record for this domain
`NS`	…name server, server to retrieve domain name space information
`A`	…IP address
`PTR`	…reverse DNS lookups
`MX`	…mail eXchange, mail server address for the domain name
`CNAME`	…canonical name-to-name-to-IP address mapping

Naming Conventions

Adopt some logical and appropriate naming system…

Parsability …ascertain useful information from names
- …acronyms that represent actual information
- …enables programmatic automation for configuration management
Structure - …logic to address a specific sub-group
- …sub-group names should facilitate wild-cards
- …encode a type of class of a name
…allow room for growth in the numbering schema
- …consistent length of names to ease programmatic processing
- …numbering should use left padding with 0

NSS (Name Service Switch)

Part of the GNU C Library glibc …backs the getaddrinfo API…

…configuration databases and name resolution mechanisms
Host-names are resolved by the NSS framework…
- …according to the configured in /etc/nsswitch.conf
- Glibc does not cache DNS queries

# ...query NSS database
getent hosts $domain_name

`nsswitch.conf`

Name Service Switch configuration file /etc/nsswitch.conf…

…determine the sources from which to obtain name-service information
…the hosts (database) configures hostname resolution
Service specifications …determines query order …from left to right

Example…

# /etc/nsswitch.conf
#...
hosts: nis dns [NOTFOUND=return] files
#...

Source Modules

Sources modules implemented in Glibc…

nss-files …references /etc/hosts
nss-dns …uses the nss-dns module
- …resolves symbolic names and IP-addresses using DNS
- …requires to set up /etc/resolv.conf
nss-nis, nss-nisplus …legacy modules …originally used to access NIS (Network Information Service)

Systemd source modules for NSS…

nss-myhostname …resolution for the locally configured system hostname
nss-resolve …resolve hostnames via the systemd-resolved
- …should be before the files …systemd-resolved supports /etc/hosts internally
- …should be after mymachines …precedents for local VMs and containers
- …dns should be after resolve …fall back to nss-dns if systemd-resolved is failing
nss-mymachines …resolution for the names of containers running locally
- …that are registered with systemd-machined
- …systemd-nspawn with network namespacing

Contemporary example including Systemd modules…

# /etc/nsswitch.conf
#...
hosts:  mymachines resolve [!UNAVAIL=return] files myhostname dns
#...

Status Messages

Switch status messages…

SUCCESS …a routine finds the information
Unsuccessful status messages…
- UNAVAIL …source not responding or unavailable
- TRYAGAIN …source is busy ..no respond to query
- NOTFOUND …no such entry …information missing
Action options …respond to status messages
- return …stop looking for information
- continue …try next source

Combination of status and action is called the search criteria …defaults…

SUCCESS=return …information found
UNAVAIL=continue, NOTFOUND=continue, TRYAGAIN=continue …continue search

`/etc/hosts`

Simple text file that associates IP addresses to hostnames…

…one line per host …in the form of ip-address hostname [aliases...]
…either IPv4 or IPv6 addresses (two entires per host possible)
…# comment until end of line

# The following lines are desirable for IPv4 capable hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

# 127.0.1.1 is often used for the FQDN of the machine
127.0.1.1       thishost.example.org   thishost
192.168.1.10    foo.example.org        foo

Verify the configuration with getent:

>>> getent hosts -s hosts:files foo
192.168.1.10    foo.example.org        foo
>>> getent hosts -s hosts:files bar ; echo $?
2         # exit code indicates key could not be found in the database

`resolv.conf`

Resolver routines in the C library are configured by /etc/resolv.conf

…if the file is missing DNS server on localhost is queried
…the resolve library queries server in order listed

Configuration options…

nameserver, IP (ipv4/6) address of a name server
domain, allows short names relative to the local domain
search, list for hostname lookups (space separated list of domains)
options, modify the resolver mechanism (space separated list of options)

Simple example

# /etc/resolv.conf
#
nameserver 9.9.9.9
options timeout:1

Some relevant options options <opt1> <opt2>... :

…timeout:n …n seconds before query via a different name server (defaults to 5)
…attempts:n …n times the resolver will send a query (defaults to 2)
…rotate …round-robin selection of name servers
…single-request-reopen …reuse a socket for look up of the AAAA and A records
- …helps to mitigate slow DNS resolution for multiple seconds
- …caused by miss-configured firewall/router …dropping AAAA DNS packets

Disable overwrite of /etc/resolv.conf from NetworkManager:

# /etc/NetworkManager/NetworkManager.con
#...
[Main]
dns=none
#...

`resolveconf`

resolvconf manages the resolver configuration…

…links /etc/resolv.conf to a dynamic configured /etc/resolvconf/run/resolv.conf

apt -y install resolvconf                  # install the package
zless /usr/share/doc/resolvconf/README.gz  # documentation
ls -1 /etc/resolvconf/resolv.conf.d/       # configuration
echo "nameserver 8.8.8.8" >> /etc/resolvconf/resolv.conf.d/base
                                           # add a new DNS server (order matters)
resolvconf -u                              # update configuration after change

`systemd-resolved`

Enable nss-resolve in /etc/nsswitch.conf…

Provides network name resolution …supports DNSSEC and DNS over TLS

# start the service daemon
systemctl enable --now systemd-resolved

# check state
systemd-resolve --status

Configuration

Temporarily change the DNS server configuration:

$link specifies the network interface, get the name from resolvectl status or ip addr
$dns_server specifies the IP address of a DNS server i.e. 1.1.1.1

systemd-resolve -i $link --set-dns=$dns_server
# or
sudo resolvectl dns $link $dns_server

Configuration files in…

/etc/systemd/resolved.conf              
/etc/systemd/resolved.conf.d/*.conf     # drop-in files

DNS & Domains

Configuration Options…

DNS= …space-separated list of DNS IP-addresses
Domains= …space-separated list of domains (used as search suffixes)
FallbackDNS= …space-separated list of DNS IP-addresses
- …only used if there are no other DNS servers configured
- …if DNS= list is set then FallbackDNS= is ignored

mkdir /etc/systemd/resolved.conf.d

# use a drop in .conf file for the Quad9 primary DNS resolvers 
cat > /etc/systemd/resolved.conf.d/dns.conf <<EOF
[Resolve]
DNS=1.1.1.1 8.8.8.8
Domains=example.org
EOF

DNSSEC

Configure a custom list of DNS resolvers, and enable DNSSEC

# if supported by the DNS resolvers, enforce DNSSEC validation
cat > /etc/systemd/resolved.conf.d/dnssec.conf <<EOF
[Resolve]
DNSSEC=true
EOF

# if supported by the DNS resolver, attempt to use DNS over TLS
cat > /etc/systemd/resolved.conf.d/dot.conf <<EOF
[Resolve]
DNSOverTLS=opportunistic
EOF

systemd-resolved currently only supports opportunistic DNS over TLS resolution

Resolver tries resolution using DoT before fall back to traditional DNS (allowing for downgrade attacks)
Eventually another option will be added strict to prevent fallback

DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks

`stub-resolv.conf`

Provide domain name resolution for programs that read /etc/resolv.conf directly

Use the stub-resolv.conf to redirect all applications to systemd-resolved

…provides a local DNS server instance on port 53
…addressed via the loopback interface 127.0.0.53
…lsof -i @127.0.0.53:53 to verify

rm /etc/resolv.conf
# redirect glibc NSS conf. file to local stub DNS resolver 
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Alternatively connect local clients directly to all known uplink DNS servers…

ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Note that /etc/resolv.conf may be managed by other packages…

…in which case systemd-resolved will read it for DNS configuration data
…systemd-resolved is consumer rather than provider of this configuration file

`resolvectl`

resolvectl status                       # check service status
resolvectl query <ip|name>              # query DNS records
resolvectl statistics                   # show DNS cache stats

Enable debugging and follow the logs:

resolvectl log-level debug             
journalctl -fu systemd-resolved
# disable debugging
resolvectl log-level info

`unbound`

Unbound caching DNS resolver including DNSSEC support…

ls -1 /etc/unbound/unbound.conf.d/*.conf          # configuration files
unbound-control status                            # service state
unbound-anchor -l                                 # list trusted achor key
unbound-control get_option auto-trust-anchor-file # show location of tursted key
unbound-control list_stubs                        # list root servers in use

Enable the control interface

>>> cat /etc/unbound/unbound.conf.d/control-interface.conf 
remote-control:
  control-enable: yes                                 # enable remote control
  control-interface: 127.0.0.1                        # interface listening for remote control
>>> unbound-control-setup                             # generate the necessary keys
>>> systemctl restart unbound                         # restart the service

unbound-control stats_noreset                         # print statistics without reset
unbound-control dump_cache                            # print chache
unbound-control reload                                # flush cache reload config

Lookup Utilities

Install user-space commands for DNS resolution:

sudo apt install -y dnsutils
sudo dnf install -y bind-utils
sudo pacman -Ss bind-tools

`nslookup`

nslookup uses an internal implementation for lookup

…developed as part of ISC BIND
…is in the process of being depricated

nslookup $ip_address
nslookup $domain_name

# ...specific resource record types
nslookup -type=MX $domain_name

`host`

The host command is the most simple to use…

# ...resolve an IP address
host $ip_address

# ...resolve a DNS name
host $domain_name

# ...optional specifify a DNS server to query with a second argument
host ... $dns_server

# ...specific resource record types
host -t MX $domain_name

`dig`

dig uses the C resolver library …more detailed the host command

# ...reverse lookup
dig +x $ip_address

# ...specific resource record types
dig $domain_name MX

# ...query a particular DNS server
dig @$dns_server $domain_name

# ...return only the IP-address
dif +short $domain_name
# ...entire record
dig +noall +answer $domain_name

# ...track DNS resolution
dig +trace ...

Use ~/.digrc to customize your configuration…

echo "+noall +answer" > ~/.digrc

`dnspeep`

Experimental software!

dnspeep ¹ us a debugging tool to monitor all DNS queries from a host

…lists all DNS responses that their computer is getting
…helps to identify software that uses the internet behind the scenes

DNS Servers

Domain name servers resolve DNS information

listens for DNS queries, responds with local (zone) or cached DNS data
caches (recently retrieved) data about non-local domains (from other zones)
uses its resolver to forward queries to other (authoritative) domain name servers
primary name servers hold authoritative information about set of domains
secondary servers maintain a copy of zone information, using a process called zone transfer
- zone transfer performed according to the expire time parameter in SOA
- full Zone Transfer - Secondary downloads all RRs
- incremental Zone Transfer - Primary notifies about changes for an partial download
dynamic DNS (DDNS) allows DHCP server to send updates to primary DNS server
split(-horizon) DNS send a distinguished responds to DNS queries depending on the client source address
- mechanism for security/privacy management by logical/physical separation of DNS information
- used to separate public (external) DNS resolution from internal local networks (not visible from the Internet)

Domain name registry, different entities providing DNS services

Domain registrar, service to select (purchase) a domain name…

…managed by the IANA (part of ICANN), nonprofit organizations, runs the root zone management
…registers an IP address of a DNS server that authoritatively respond for a domain
…the whois command queries the domain name registry

DNS hosting provider, service operating authoritative response for a domain

…name space tree divided into zones
…contain domain names starting at a particular point in the tree
…group of node servers linked by an authoritative DNS server
…zone file contains pointers to subdomains delegating authority

DNSSEC

DNSSEC (domain name system security extensions)
- enables DNS resolvers to authenticate DNS information
- provides data integrity, but not availability or confidentiality
- mechanism for including cryptographic signatures within the DNS resolution
adds DNS resource records (RRs):
- RRSIG signature
- DNSKEY primary key record for zone
- DS key record fingerprint
- NSEC3 sign negative responses
resolvers verify DNS resolution with with the root zone public key [^2]

dig +trace <url> | grep -e RRSIG -e DS            # check for DNSSEC capability
dig org. SOA +dnssec @8.8.8.8 | grep ';; flags'   # ^ should return the "ad" flag

DNS over TLS (DoT) is a protocol to encrypting DNS resolution, cf. RFC7858 [^3]

Public Servers

Public DNS servers…

quad9.net
- …aims to protect users from malware and phishing
- …multiple service options
- …operated by Quad9 Foundation (Swiss public-benefit, not-for-profit foundation)
dns0.eu
- …free, GDPR-compliant, security focused
- …operated by french non‑profit organization (entity under EU laws)
- …runs on 100% renewable energy
- …one DNS instance per country
DNS4EU (in development)
- …protect people, companies, and governments from harmful attacks
- …group of companies from 10 European countries have been chosen to build this service
OpenNIC

References

[^1] IANA Root Zone Database
http://data.iana.org/TLD/tlds-alpha-by-domain.txt

[^2] IANA Trust Anchors and Keys
https://www.iana.org/dnssec/files

[^3] Specification for DNS over Transport Layer Security (TLS)
https://tools.ietf.org/html/rfc7858

[^4] hBlock https://github.com/hectorm/hblock

Footnotes

dnspeep Monitor DNS Queries
https://jvns.ca/blog/2021/03/31/dnspeep-tool
https://github.com/jvns/dnspeep ↩︎

--- title: Linux DNS Configuration subtitle: NSS, systemd-resolved & DNSSEC categories: - Linux - Systemd date: 2016/06/21 date-modified: 2024/10/24 toc-expand: 3 publish: true --- # Domain Name Resolution Hosts are identified by a standard numbers-and-dots notation... - ...using **IP-addresses**, like `91.198.174.192` for Wikipedia - ...alternatively easier to remember **symbolic names**, like `wikipedia.org` DNS (Domain Name System)... - ...maps (translates) symbolic names to an IP address (machine readable) - ...**resolvers** map a domain name to an IP address that identifies the domains hosted location - ...**resolution** is the process of obtaining answers from the DNS database - ...domains resolved segment by segment from the highest-level domain down... - ...eventually querying many (authoritative) DNS servers Clients requests information from a DNS service ...hosted on a DNS server - ...called a **lookup request** from the DNS client - ...the DNS server sends a **lookup response** - ...**forward lookup** ...uses the domain name to search for IP addresses - ...**reverse lookup** ...uses IP addresses to search for the domain name ### Domain Name Structure Tree structure of domain names (with the root zone at the top)... - ...domain names processed from right to left, node labels separated by dots - ...**top-level domain** names (TLDs) maintained by IANA root zone database... - ...two letter (country code) ccTLDs identify geography i.e. `.de`, `.uk` - ...(generic) gTLDs hint at a purpose i.e. `.org`, `.com` - ...domain names contain up to 255 chars and up to 127 node levels - ...absolute names are unique i.e. `en.wikipedia.org` ### Resource records (RRs) ...store domain specific DNS data... Record | Description --------|---------------- `SOA` | ...start-of-authority, authoritative record for this domain `NS` | ...name server, server to retrieve domain name space information `A` | ...IP address `PTR` | ...reverse DNS lookups `MX` | ...mail eXchange, mail server address for the domain name `CNAME` | ...canonical name-to-name-to-IP address mapping ## Naming Conventions Adopt some logical and appropriate naming system… - **Parsability** …ascertain useful information from names - …acronyms that represent actual information - …enables programmatic automation for configuration management - **Structure** - …logic to address a specific sub-group - …sub-group names should facilitate wild-cards - …encode a type of class of a name - …allow room for growth in the numbering schema - …consistent length of names to ease programmatic processing - …numbering should use left padding with `0` # NSS (Name Service Switch) Part of the GNU C Library `glibc` ...backs the `getaddrinfo` API... - ...configuration databases and name resolution mechanisms - Host-names are resolved by the NSS framework... - ...according to the configured in `/etc/nsswitch.conf` - Glibc does not cache DNS queries ```sh # ...query NSS database getent hosts $domain_name ``` ## `nsswitch.conf` Name Service Switch configuration file `/etc/nsswitch.conf`... - ...determine the sources from which to obtain name-service information - ...the `hosts` (database) configures hostname resolution - Service specifications ...determines query order ...from left to right Example... ```sh # /etc/nsswitch.conf #... hosts: nis dns [NOTFOUND=return] files #... ``` ### Source Modules Sources modules implemented in Glibc... - `nss-files` ...references `/etc/hosts` - `nss-dns` ...uses the `nss-dns` module - ...resolves symbolic names and IP-addresses using DNS - ...requires to set up `/etc/resolv.conf` - `nss-nis`, `nss-nisplus` ...legacy modules ...originally used to access NIS (Network Information Service) Systemd source modules for NSS... - `nss-myhostname` ...resolution for the locally configured system hostname - `nss-resolve` ...resolve hostnames via the `systemd-resolved` - ...should be before the `files` ...systemd-resolved supports `/etc/hosts` internally - ...should be after `mymachines` ...precedents for local VMs and containers - ...`dns` should be after `resolve` ...fall back to `nss-dns` if `systemd-resolved` is failing - `nss-mymachines` ...resolution for the names of containers running locally - ...that are registered with `systemd-machined` - ...`systemd-nspawn` with network namespacing Contemporary example including Systemd modules... ```sh # /etc/nsswitch.conf #... hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns #... ``` ### Status Messages Switch **status messages**... - `SUCCESS` ...a routine finds the information - Unsuccessful status messages... - `UNAVAIL` ...source not responding or unavailable - `TRYAGAIN` ...source is busy ..no respond to query - `NOTFOUND` ...no such entry ...information missing - **Action options** ...respond to status messages - `return` ...stop looking for information - `continue` ...try next source Combination of status and action is called the **search criteria** ...defaults... - `SUCCESS=return` ...information found - `UNAVAIL=continue`, `NOTFOUND=continue`, `TRYAGAIN=continue` ...continue search ## `/etc/hosts` Simple text file that associates IP addresses to hostnames… - …one line per host …in the form of `ip-address hostname [aliases...]` - …either IPv4 or IPv6 addresses (two entires per host possible) - …`#` comment until end of line ```sh # The following lines are desirable for IPv4 capable hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters # 127.0.1.1 is often used for the FQDN of the machine 127.0.1.1 thishost.example.org thishost 192.168.1.10 foo.example.org foo ``` Verify the configuration with `getent`: ```sh >>> getent hosts -s hosts:files foo 192.168.1.10 foo.example.org foo >>> getent hosts -s hosts:files bar ; echo $? 2 # exit code indicates key could not be found in the database ``` ## `resolv.conf` Resolver routines in the C library are configured by `/etc/resolv.conf` - ...if the file is missing DNS server on localhost is queried - ...the resolve library queries server in order listed Configuration options... - `nameserver`, IP (ipv4/6) address of a name server - `domain`, allows short names relative to the local domain - `search`, list for hostname lookups (space separated list of domains) - `options`, modify the resolver mechanism (space separated list of options) Simple example ```sh # /etc/resolv.conf # nameserver 9.9.9.9 options timeout:1 ``` Some relevant options `options <opt1> <opt2>...` : - ...`timeout:n` ...`n` seconds before query via a different name server (defaults to 5) - ...`attempts:n` ...`n` times the resolver will send a query (defaults to 2) - ...`rotate` ...round-robin selection of name servers - ...`single-request-reopen` ...reuse a socket for look up of the `AAAA` and `A` records - ...helps to mitigate slow DNS resolution for multiple seconds - ...caused by miss-configured firewall/router ...dropping `AAAA` DNS packets Disable overwrite of `/etc/resolv.conf` from NetworkManager: ```ini # /etc/NetworkManager/NetworkManager.con #... [Main] dns=none #... ``` ## `resolveconf` `resolvconf` manages the resolver configuration... - ...links `/etc/resolv.conf` to a dynamic configured `/etc/resolvconf/run/resolv.conf` ```bash apt -y install resolvconf # install the package zless /usr/share/doc/resolvconf/README.gz # documentation ls -1 /etc/resolvconf/resolv.conf.d/ # configuration echo "nameserver 8.8.8.8" >> /etc/resolvconf/resolv.conf.d/base # add a new DNS server (order matters) resolvconf -u # update configuration after change ``` # `systemd-resolved` **Enable `nss-resolve` in `/etc/nsswitch.conf`...** Provides network name resolution ...supports DNSSEC and DNS over TLS ```sh # start the service daemon systemctl enable --now systemd-resolved # check state systemd-resolve --status ``` ## Configuration Temporarily change the DNS server configuration: * `$link` specifies the network interface, get the name from `resolvectl status` or `ip addr` * `$dns_server` specifies the IP address of a DNS server i.e. `1.1.1.1` ```bash systemd-resolve -i $link --set-dns=$dns_server # or sudo resolvectl dns $link $dns_server ``` Configuration files in... ```sh /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d/*.conf # drop-in files ``` ### DNS & Domains Configuration Options... - `DNS=` ...space-separated list of DNS IP-addresses - `Domains=` ...space-separated list of domains (used as search suffixes) - `FallbackDNS=` ...space-separated list of DNS IP-addresses - ...only used if there are no other DNS servers configured - ...if `DNS=` list is set then `FallbackDNS=` is ignored ```sh mkdir /etc/systemd/resolved.conf.d # use a drop in .conf file for the Quad9 primary DNS resolvers cat > /etc/systemd/resolved.conf.d/dns.conf <<EOF [Resolve] DNS=1.1.1.1 8.8.8.8 Domains=example.org EOF ``` ### DNSSEC Configure a custom list of DNS resolvers, and enable DNSSEC ```sh # if supported by the DNS resolvers, enforce DNSSEC validation cat > /etc/systemd/resolved.conf.d/dnssec.conf <<EOF [Resolve] DNSSEC=true EOF # if supported by the DNS resolver, attempt to use DNS over TLS cat > /etc/systemd/resolved.conf.d/dot.conf <<EOF [Resolve] DNSOverTLS=opportunistic EOF ``` systemd-resolved currently only supports `opportunistic` DNS over TLS resolution - Resolver tries resolution using DoT before fall back to traditional DNS (allowing for downgrade attacks) - Eventually another option will be added `strict` to prevent fallback DNS server certificates are not checked making systemd-resolved vulnerable to man-in-the-middle attacks ## `stub-resolv.conf` Provide domain name resolution for programs that read `/etc/resolv.conf` directly Use the `stub-resolv.conf` to **redirect all applications to `systemd-resolved`** - ...provides a local DNS server instance on port 53 - ...addressed via the loopback interface 127.0.0.53 - ...`lsof -i @127.0.0.53:53` to verify ```sh rm /etc/resolv.conf # redirect glibc NSS conf. file to local stub DNS resolver ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf ``` Alternatively connect local clients directly to all known uplink DNS servers... ```sh ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf ``` Note that `/etc/resolv.conf` may be managed by other packages... - ...in which case `systemd-resolved` will read it for DNS configuration data - ...`systemd-resolved is consumer` rather than provider of this configuration file ## `resolvectl` ```sh resolvectl status # check service status resolvectl query <ip|name> # query DNS records resolvectl statistics # show DNS cache stats ``` Enable debugging and follow the logs: ```sh resolvectl log-level debug journalctl -fu systemd-resolved # disable debugging resolvectl log-level info ``` # `unbound` [Unbound](https://www.unbound.net/) caching DNS resolver including DNSSEC support... ```sh ls -1 /etc/unbound/unbound.conf.d/*.conf # configuration files unbound-control status # service state unbound-anchor -l # list trusted achor key unbound-control get_option auto-trust-anchor-file # show location of tursted key unbound-control list_stubs # list root servers in use ``` Enable the control interface ```sh >>> cat /etc/unbound/unbound.conf.d/control-interface.conf remote-control: control-enable: yes # enable remote control control-interface: 127.0.0.1 # interface listening for remote control >>> unbound-control-setup # generate the necessary keys >>> systemctl restart unbound # restart the service ``` ```sh unbound-control stats_noreset # print statistics without reset unbound-control dump_cache # print chache unbound-control reload # flush cache reload config ``` # Lookup Utilities Install user-space commands for DNS resolution: ```sh sudo apt install -y dnsutils sudo dnf install -y bind-utils sudo pacman -Ss bind-tools ``` ## `nslookup` `nslookup` uses an internal implementation for lookup - ...developed as part of ISC BIND - ...is in the process of being depricated ```sh nslookup $ip_address nslookup $domain_name # ...specific resource record types nslookup -type=MX $domain_name ``` ## `host` The `host` command is the most simple to use... ```sh # ...resolve an IP address host $ip_address # ...resolve a DNS name host $domain_name # ...optional specifify a DNS server to query with a second argument host ... $dns_server # ...specific resource record types host -t MX $domain_name ``` ## `dig` `dig` uses the C resolver library ...more detailed the `host` command ```sh # ...reverse lookup dig +x $ip_address # ...specific resource record types dig $domain_name MX # ...query a particular DNS server dig @$dns_server $domain_name # ...return only the IP-address dif +short $domain_name # ...entire record dig +noall +answer $domain_name # ...track DNS resolution dig +trace ... ``` Use `~/.digrc` to customize your configuration... ```sh echo "+noall +answer" > ~/.digrc ``` ## `dnspeep` Experimental software! `dnspeep` [^fQtEl] us a debugging tool to monitor all DNS queries from a host - …lists all DNS responses that their computer is getting - …helps to identify software that uses the internet behind the scenes [^fQtEl]: `dnspeep` Monitor DNS Queries <https://jvns.ca/blog/2021/03/31/dnspeep-tool> <https://github.com/jvns/dnspeep> # DNS Servers Domain name servers resolve DNS information - listens for DNS queries, **responds** with local (zone) or cached DNS data - caches (recently retrieved) data about non-local domains (from other zones) - uses its resolver to **forward queries** to other (authoritative) domain name servers * **primary** name servers hold **authoritative** information about set of domains * **secondary** servers maintain a copy of zone information, using a process called **zone transfer** - zone transfer performed according to the expire time parameter in SOA - full Zone Transfer - Secondary downloads all RRs - incremental Zone Transfer - Primary notifies about changes for an partial download * dynamic DNS (DDNS) allows DHCP server to send updates to primary DNS server * **split(-horizon) DNS** send a distinguished responds to DNS queries depending on the client source address - mechanism for security/privacy management by logical/physical separation of DNS information - used to separate public (external) DNS resolution from internal local networks (not visible from the Internet) **Domain name registry**, different entities providing DNS services **Domain registrar**, service to select (purchase) a domain name... - ...managed by the IANA (part of ICANN), nonprofit organizations, runs the root zone management - ...registers an IP address of a DNS server that authoritatively respond for a domain - ...the `whois` command queries the domain name registry **DNS hosting provider**, service operating authoritative response for a domain * ...name space tree divided into **zones** * ...contain domain names starting at a particular point in the tree * ...group of node servers linked by an authoritative DNS server * ...zone file contains pointers to **subdomains** delegating authority ## DNSSEC * DNSSEC (domain name system security extensions) - enables DNS resolvers to **authenticate DNS information** - provides data integrity, but not availability or confidentiality - mechanism for including cryptographic signatures within the DNS resolution * adds DNS resource records (RRs): - `RRSIG` signature - `DNSKEY` primary key record for zone - `DS` key record fingerprint - `NSEC3` sign negative responses * resolvers verify DNS resolution with with the root zone public key [^2] ```bash dig +trace <url> | grep -e RRSIG -e DS # check for DNSSEC capability dig org. SOA +dnssec @8.8.8.8 | grep ';; flags' # ^ should return the "ad" flag ``` * **DNS over TLS** (DoT) is a protocol to encrypting DNS resolution, cf. RFC7858 [^3] ## Public Servers Public DNS servers... - [quad9.net](https://www.quad9.net) - ...aims to protect users from malware and phishing - ...multiple [service options](https://www.quad9.net/service/service-addresses-and-features/) - ...operated by Quad9 Foundation (Swiss public-benefit, not-for-profit foundation) - [dns0.eu](https://www.dns0.eu/) - ...free, GDPR-compliant, security focused - ...operated by french non‑profit organization (entity under EU laws) - ...runs on 100% renewable energy - ...one [DNS instance](https://www.dns0.eu/network) per country - [DNS4EU](https://www.whalebone.io/dns4eu) (in development) - ...protect people, companies, and governments from harmful attacks - ...group of companies from 10 European countries have been chosen to build this service - [OpenNIC](https://www.opennic.org) # References [^1] IANA Root Zone Database <http://data.iana.org/TLD/tlds-alpha-by-domain.txt> [^2] IANA Trust Anchors and Keys <https://www.iana.org/dnssec/files> [^3] Specification for DNS over Transport Layer Security (TLS) <https://tools.ietf.org/html/rfc7858> [^4] hBlock <https://github.com/hectorm/hblock>