Cannot access .local domains in Docker #38531

Open
adrianmihalko opened this Issue Jan 10, 2019 · 10 comments

adrianmihalko commented Jan 10, 2019

Description

I am trying to access devices on my network with .local domain, but it doesn't seem to work in Docker. I always get bad address for .local domains.

Steps to reproduce the issue:
1. $ sudo docker run --network host busybox ping -c 3 test1.local

Describe the results you received:

@ubuntudev:~$ sudo docker run --network host busybox ping -c 3 test1.local
ping: bad address 'test1.local'

Describe the results you expected:

Access .local domains.

Additional information you deem important (e.g. issue happens only occasionally):

Ping from host is working:

$ ping test1.local
PING test1.local (192.168.1.90) 56(84) bytes of data.
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=1 ttl=255 time=1.41 ms
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=2 ttl=255 time=1.54 ms

Docker daemon config:

$ cat /etc/docker/daemon.json 
{
    "dns": ["192.168.1.1","8.8.8.8"]
}

If I try to ping test1.local from Docker:

$ sudo docker run --network host busybox ping -c 3 test1.local
ping: bad address 'test1.local'

Pinging device with IP works:

$ sudo docker run --network host busybox ping -c 3 192.168.1.90
PING 192.168.1.90 (192.168.1.90): 56 data bytes
64 bytes from 192.168.1.90: seq=0 ttl=255 time=4.855 ms
64 bytes from 192.168.1.90: seq=1 ttl=255 time=1.566 ms

So I assume something is wrong with name resolution.

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.1
search localdomain

Output of docker version:

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.4
 Git commit:        e68fc7a
 Built:             Fri Oct 19 19:43:14 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       e68fc7a
  Built:            Thu Sep 27 02:39:50 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 21
 Running: 4
 Paused: 0
 Stopped: 17
Images: 21
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version:  (expected: 468a545b9edcd5932818eb9de8e72413e616e86e)
runc version: N/A (expected: 69663f0bd4b60df09991c08812a60108003fa340)
init version: v0.18.0 (expected: fec3683b971d9c3ef73f284f176672c44b448662)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-34-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.853GiB
Name: ubuntudev
ID: XO2X:JYJC:GSMA:WHDR:5BMY:4IGW:J5KK:BTZI:OQEA:YYKC:5PJU:T4JK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: adriankoooo
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical/Ubuntu

thaJeztah commented Jan 10, 2019

Which DNS server are the .local domains registered in?

Looks like this may be related to systemd-resolved being used for DNS. Some fixes for this were merged in #37485, and are included in Docker 18.09;

Are you also seeing this after upgrading to Docker 18.09 ?

Looking at those changes, I wonder if /etc/resolv.conf should be used in the network=host situation (if systemd-resolved was detected);

if container.HostConfig.NetworkMode.IsHost() {
	// Point to the host files, so that will be copied into the container running in host mode
	*sboxOptions = append(*sboxOptions, libnetwork.OptionOriginHostsPath("/etc/hosts"))
	*sboxOptions = append(*sboxOptions, libnetwork.OptionOriginResolvConfPath("/etc/resolv.conf"))
} else {
	*sboxOptions = append(*sboxOptions, libnetwork.OptionOriginResolvConfPath(daemon.configStore.GetResolvConf()))
}

@fcrisciani ?

adrianmihalko commented Jan 10, 2019

I upgraded from docker.io to docker-ce to get version 18.09.

madrian@ubuntudev:~$ sudo docker info
Containers: 22
 Running: 4
 Paused: 0
 Stopped: 18
Images: 21
Server Version: 18.09.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 96ec2177ae841256168fcf76954f7177af9446eb
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-34-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.853GiB
Name: ubuntudev
ID: XO2X:JYJC:GSMA:WHDR:5BMY:4IGW:J5KK:BTZI:OQEA:YYKC:5PJU:T4JK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: adriankoooo
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support

Result is the same:

madrian@ubuntudev:~$ ping test1.local
PING test1.local (192.168.1.90) 56(84) bytes of data.
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=1 ttl=255 time=1.81 ms
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=2 ttl=255 time=3.23 ms
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=3 ttl=255 time=1.74 ms
^C
--- test1.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.745/2.266/3.235/0.685 ms
madrian@ubuntudev:~$ sudo docker run busybox ping -c 3 test1.local
ping: bad address 'test1.local'

"Which DNS server are the .local domains registered in?"

If I understand the question well, my .local domains are managed by my router 192.168.1.1.

thaJeztah commented Jan 10, 2019

If I understand the question well, my .local domains are managed by my router 192.168.1.1.

So, the daemon is configured to use 192.168.1.1 as a default DNS for new containers, however when using network=host, the container runs in the hosts's networking namespace (i.e., it won't have its own IP-address and/or networking isolation). In that case, the configuration, IP-address, and hostname of the host are used for the container as well.

From the code I linked to (#38531 (comment)), I see that the container will get a copy of /etc/resolv.conf (to get the same DNS configured as on the host), which in your case contains:

nameserver 127.0.0.1
search localdomain

Recent versions of Ubuntu use systemd-resolved by default, which means that /etc/resolv.conf is not used, but `` should be used (which may explain the problem).

Could you;

  • check if systemd-resolved is running on your host (pidof systemd-resolved)?

  • if it is; check the contents of /run/systemd/resolve/resolv.conf (cat /run/systemd/resolve/resolv.conf) on the host?

  • check the contents of /etc/resolv.conf inside the container;

    docker run --rm --network=host busybox cat /etc/resolv.conf

To see if the DNS configuration is indeed the cause; could you try if it works if you manually override the DNS for the container?

docker run --rm -it --network=host --dns=192.168.1.1 busybox ping -c1 -w1 test1.local

adrianmihalko commented Jan 10, 2019

I tried with network=host and without, result was the same.

Let's go on the tests:

check if systemd-resolved is running on your host (pidof systemd-resolved)?

madrian@ubuntudev:~$ pidof systemd-resolved
1368

if it is; check the contents of /run/systemd/resolve/resolv.conf (cat /run/systemd/resolve/resolv.conf) on the host?

madrian@ubuntudev:~$ cat /run/systemd/resolve/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 192.168.1.1
search localdomain

check the contents of /etc/resolv.conf inside the container;
docker run --rm --network=host busybox cat /etc/resolv.conf

madrian@ubuntudev:~$ sudo docker run --rm --network=host busybox cat /etc/resolv.conf
search localdomain
nameserver 192.168.1.1
nameserver 8.8.8.8

To see if the DNS configuration is indeed the cause; could you try if it works if you manually override the DNS for the container?

madrian@ubuntudev:~$ ping test1.local
PING test1.local (192.168.1.90) 56(84) bytes of data.
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=1 ttl=255 time=1.61 ms
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=2 ttl=255 time=2.15 ms
^C
--- test1.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.613/1.884/2.155/0.271 ms
madrian@ubuntudev:~$ sudo docker run --rm -it --network=host --dns=192.168.1.1 busybox ping -c1 -w1 test1.local
ping: bad address 'test1.local'

thaJeztah commented Jan 10, 2019

Hm.. so it's using the right DNS server. Wondering if it's an mDNS issue perhaps 🤔

@fcrisciani any ideas?

euanh commented Jan 11, 2019

"Which DNS server are the .local domains registered in?"

If I understand the question well, my .local domains are managed by my router 192.168.1.1.

To confirm how DNS resolution is working on your host, did you have to log into the router and add test1.local manually to some sort of DNS table? Could you please post the output of running the following commands on your host?

cat /etc/nsswitch.conf
dig test1.local

Busybox uses a different resolver from most Linux distributions, so to rule that out as a problem, can you please try the following commands in a Fedora container?

docker run --rm -it --network=host --dns=192.168.1.1 fedora:latest bash
fedora> cat /etc/nsswitch.conf
fedora> dnf install -y bind-utils
fedora> dig test1.local

Finally please try the same thing in alpine. (Alpine uses busybox but it's easier to install additional packages)

docker run --rm -it --network=host --dns=192.168.1.1 alpine:latest sh
alpine> apk update && apk add bind-tools
alpine> dig test1.local

N.B. Alpine and Busybox don't have /etc/nsswitch.conf.

adrianmihalko commented Jan 11, 2019

cat /etc/nsswitch.conf
dig test1.local

madrian@ubuntudev:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
madrian@ubuntudev:~$ ping test1.local
PING test1.local (192.168.1.90) 56(84) bytes of data.
64 bytes from 192.168.1.90 (192.168.1.90): icmp_seq=1 ttl=255 time=3.11 ms
^C
--- test1.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.110/3.110/3.110/0.000 ms
madrian@ubuntudev:~$ dig test1.local

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> test1.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.local.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 11 12:44:46 CET 2019
;; MSG SIZE  rcvd: 40

docker run --rm -it --network=host --dns=192.168.1.1 fedora:latest bash

[root@ubuntudev /]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files in /etc
#	db			Use the pre-processed /var/db files
#	compat			Use /etc files plus *_compat pseudo-databases
#	hesiod			Use Hesiod (DNS) for user lookups
#	sss			Use sssd (System Security Services Daemon)
#	[NOTFOUND=return]	Stop searching if not found so far
#
# 'sssd' performs its own 'files'-based caching, so it should
# generally come before 'files'.

# To use 'db', install the nss_db package, and put the 'db' in front
# of 'files' for entries you want to be looked up first in the
# databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd

hosts:      files dns myhostname

bootparams: files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   sss

publickey:  files

automount:  files sss
aliases:    files
[root@ubuntudev /]# dig test1.local

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-10.P2.fc29 <<>> test1.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56024
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test1.local.			IN	A

;; AUTHORITY SECTION:
.			86397	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2019011001 1800 900 604800 86400

;; Query time: 45 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 11 11:52:23 UTC 2019
;; MSG SIZE  rcvd: 115

[root@ubuntudev /]# ping test1.local
ping: test1.local: Name or service not known
[root@ubuntudev /]# 

madrian@ubuntudev:~$ sudo docker run --rm -it --network=host --dns=192.168.1.1 alpine:latest sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
cd784148e348: Pull complete 
Digest: sha256:46e71df1e5191ab8b8034c5189e325258ec44ea739bba1e5645cff83c9048ff1
Status: Downloaded newer image for alpine:latest
/ # apk update && apk add bind-tools
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
v3.8.2-19-g151c2021d6 [http://dl-cdn.alpinelinux.org/alpine/v3.8/main]
v3.8.2-18-gd7f33f856a [http://dl-cdn.alpinelinux.org/alpine/v3.8/community]
OK: 9546 distinct packages available
(1/5) Installing libgcc (6.4.0-r9)
(2/5) Installing json-c (0.13.1-r0)
(3/5) Installing libxml2 (2.9.8-r1)
(4/5) Installing bind-libs (9.12.3-r0)
(5/5) Installing bind-tools (9.12.3-r0)
Executing busybox-1.28.4-r2.trigger
OK: 9 MiB in 18 packages
/ # apk add iputils
(1/2) Installing libcap (2.25-r1)
(2/2) Installing iputils (20161105-r1)
Executing busybox-1.28.4-r2.trigger
OK: 10 MiB in 20 packages
/ # dig test1.local

; <<>> DiG 9.12.3 <<>> test1.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28327
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test1.local.			IN	A

;; AUTHORITY SECTION:
.			86391	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2019011001 1800 900 604800 86400

;; Query time: 100 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 11 11:54:00 UTC 2019
;; MSG SIZE  rcvd: 115

/ # ping test1.local
ping: test1.local: Name does not resolve
/ # 

Some additional info: I am using Unifi USG router. If I log in to the router (192.168.1.1):

madrian@UniFiSecurityGateway3P:~$ ping test1.local 
ping: unknown host test1.local

But then why am I able to ping .local domains from all clients behind that router? There is no other DNS server in my home. Maybe clients (iPhone, Mac, ubuntu server) have their own DNS server which resolves .local domains?

adrianmihalko@MacBook-Pro:~$ ping test1.local
PING test1.local (192.168.1.90): 56 data bytes
64 bytes from 192.168.1.90: icmp_seq=0 ttl=255 time=95.112 ms
^C
--- test1.local ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 95.112/95.112/95.112/0.000 ms
adrianmihalko@MacBook-Pro:~$ dig test1.local

; <<>> DiG 9.10.6 <<>> test1.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30164
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test1.local.			IN	A

;; AUTHORITY SECTION:
.			80644	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2019011000 1800 900 604800 86400

;; Query time: 125 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 11 12:59:24 CET 2019
;; MSG SIZE  rcvd: 115

adrianmihalko commented Jan 11, 2019

I think this is a related issue:

crossbario/crossbar-fabric-public#21

I am pretty sure we have a Multicast DNS problem and this is not managed by router, but the host OS itself, because this is how mDNS works:

"When an mDNS client needs to resolve a host name, it sends an IP multicast query message that asks the host having that name to identify itself. That target machine then multicasts a message that includes its IP address. All machines in that subnet can then use that information to update their mDNS caches."

euanh commented Jan 11, 2019

I am pretty sure we have a Multicast DNS problem and this is not managed by router, but the host OS itself, because this is how mDNS works:

Yes. The /etc/nsswitch.conf file on your host specifies that mDNS should be used for hosts:

hosts:          files mdns4_minimal [NOTFOUND=return] dns

In the Fedora and Alpine containers, mDNS is not being used (there is no mdns in the Fedora /etc/nsswitch.conf, for example) so the resolver tries to look them up using your router's DNS server (192.168.1.1).

Dig shows that 192.168.1.1 doesn't know about test1.local and responds with NXDOMAIN (nonexistent domain).

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28327

You could try following these instructions to enable mDNS in the Fedora container and see if it starts to work:

https://fedoramagazine.org/find-systems-easily-lan-mdns/

The main part is installing the nss-mdns package - you can skip setting the hostname and just see whether you can then resolve test1.local

I'm afraid I can't find an example of using mDNS in busybox / Alpine.
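The explanation above turns on how glibc walks the hosts: line and what [NOTFOUND=return] does. As an added example (not code from this thread, from Docker, or from nss-mdns), the Python model below replays the three hosts: lines quoted in the thread against a constructed mDNS responder and a unicast DNS server that answers NXDOMAIN for .local, and reports whether a .local query ever reached unicast DNS; the "no mDNS responder reachable" case is a modelled assumption, not something the thread confirmed.

```python
"""Walk a glibc Name Service Switch ``hosts:`` line the way the resolver does.

Added example, not code from the thread or from Docker. It models the three
hosts: lines quoted above against a constructed mDNS responder and a unicast
DNS server that, like the router at 192.168.1.1, answers NXDOMAIN for .local.
"""
import re

# glibc's default action per lookup status; a "[STATUS=action]" token in the
# hosts: line (e.g. "[NOTFOUND=return]") overrides the default for one status.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Constructed sample data: what each backend would answer.
MDNS_HOSTS = {"test1.local": "192.168.1.90"}      # answered over multicast
UNICAST_DNS = {"example.com": "203.0.113.10"}     # .local names -> NXDOMAIN

# The three hosts: lines quoted in the thread.
UBUNTU_HOST = "hosts:          files mdns4_minimal [NOTFOUND=return] dns"
FEDORA_STOCK = "hosts:      files dns myhostname"
FEDORA_NSS_MDNS = "hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname"


def parse_hosts_line(line):
    """'files mdns4_minimal [NOTFOUND=return] dns' ->
    [('files', {}), ('mdns4_minimal', {'notfound': 'return'}), ('dns', {})]"""
    body = line.split(":", 1)[1] if ":" in line else line
    entries = []
    for tok in body.split():
        m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
        if m:
            if not entries:
                raise ValueError("action token before any service: " + tok)
            entries[-1][1][m.group(1).lower()] = m.group(2).lower()
        else:
            entries.append((tok, {}))
    return entries


def query_service(service, name, mdns_available):
    """Modelled (status, answer) for one NSS service; statuses mirror glibc's."""
    if service == "files":
        return "notfound", None             # nothing for this name in /etc/hosts
    if service in ("mdns4_minimal", "mdns_minimal"):
        if not name.endswith(".local"):
            return "unavail", None          # the minimal module only handles .local
        if not mdns_available:
            return "unavail", None          # no mDNS responder reachable (modelled)
        addr = MDNS_HOSTS.get(name)
        return ("success", addr) if addr else ("notfound", None)
    if service == "dns":
        addr = UNICAST_DNS.get(name)
        return ("success", addr) if addr else ("notfound", None)  # NXDOMAIN
    return "unavail", None                  # myhostname etc. are not modelled


def resolve(hosts_line, name, mdns_available=True):
    """Return the answer, the services consulted, and whether the .local query
    was ever handed to unicast DNS (the leak that dig's warning refers to)."""
    path, leaked = [], False
    for service, actions in parse_hosts_line(hosts_line):
        status, answer = query_service(service, name, mdns_available)
        path.append(f"{service}:{status}")
        if service == "dns" and name.endswith(".local"):
            leaked = True
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return {"answer": answer, "status": status, "leaked": leaked, "path": path}
    return {"answer": None, "status": "notfound", "leaked": leaked, "path": path}


if __name__ == "__main__":
    for line in (UBUNTU_HOST, FEDORA_STOCK, FEDORA_NSS_MDNS):
        print(resolve(line, "test1.local"))
```

Note that [NOTFOUND=return] only stops the walk on a NOTFOUND status; in this model a .local lookup still falls through to unicast DNS when the mDNS module reports UNAVAIL.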

adrianmihalko commented Jan 11, 2019

For some reason it still doesn't work under Fedora. It's a pretty hard thing to make this work; maybe one day it will work better.

Should I close the issue?

[root@78475bae0523 /]# dnf install -y nss-mdns avahi iputils bind-utils
[root@78475bae0523 /]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files in /etc
#	db			Use the pre-processed /var/db files
#	compat			Use /etc files plus *_compat pseudo-databases
#	hesiod			Use Hesiod (DNS) for user lookups
#	sss			Use sssd (System Security Services Daemon)
#	[NOTFOUND=return]	Stop searching if not found so far
#
# 'sssd' performs its own 'files'-based caching, so it should
# generally come before 'files'.

# To use 'db', install the nss_db package, and put the 'db' in front
# of 'files' for entries you want to be looked up first in the
# databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd

hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname

bootparams: files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   sss

publickey:  files

automount:  files sss
aliases:    files
[root@78475bae0523 /]# dig test1.local

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-10.P2.fc29 <<>> test1.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40104
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1.local.			IN	A

;; AUTHORITY SECTION:
.			3600	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2019011100 1800 900 604800 86400

;; Query time: 35 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 11 18:26:33 UTC 2019
;; MSG SIZE  rcvd: 115

[root@78475bae0523 /]# nslookup test1.local
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find test1.local: NXDOMAIN

[root@78475bae0523 /]# ping test1.local
ping: test1.local: Name or service not known