Handle LLMNR only by nss-resolve #23622
Comments
|
I also think resolved stub should use |
|
Doing it this way would fix issues like reported on #23737 |
|
I have found current systemd-resolved implementation even violates LLMNR RFC: https://www.rfc-editor.org/rfc/rfc4795#section-5.4, last sentence very clearly says LLMNR must not be done in reaction to DNS query. But it is. |
|
This breaks simple queries, which are supposed to work. Examples why it is breaking stuff:
Both return NXDOMAIN. I am quite sure domains |
|
I think the behavior with those examples is faulty regardless of LLMNR status. Things like |
|
Well, technically I admit I were surprised a lot, when tested behaviour of Which does not mean that is okay. That is why I have proposed MR #28263, disabling that in following release. It is going to be removed anyway. |
|
Filled Fedora bug for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=2220973 |
|
Well, LLMNR seems deprecated (https://techcommunity.microsoft.com/t5/networking-blog/aligning-on-mdns-ramping-down-netbios-name-resolution-and-llmnr/ba-p/3290816) so I'd not spend many efforts in it |
|
PR #31621 has changed sent types to LLMNR only to selected types. That includes A, AAAA, PTR and CNAME. While it improves significantly DNSSEC validation, it will still disallow names to local hostnames without dot present at local DNS server, such as In a document linked from
What have been misunderstood is that non-local domain servers are any domain servers. But that is not true. If the local network DHCP provides us list of servers, we have no way to know whether they serve local content. But they are local in most cases, such as in our corporate network. They will be local in most of networks, especially if they use private IPv4 ranges. Even if they don't, they can be considered local. The only case we may assume they are likely not local, is when public servers like Google's 8.8.8.8 or 1.1.1.1 is used. But that is difficult to auto-detect, it should be specified by the user explicitly. It should be auto-enabled for fallback servers, which are very likely non-local, public DNS resolvers. What clearly were not specified by IAB statement, that single label queries should be sent to LLMNR only. I failed to find such recommendation. |
I understand you work in an entreprisey RHEL world where you have a mindset of having an "entreprise zone". But systemd is supposed to work in the real world, where you cannot rely on your network segment being trusted and giving you a trusted DNS. Hence we have this rule: single label (and .local) names have local scope, and multi-label names have internet scope. And we don't leak the single label lookups onto the Internet. And I think that actually works pretty well, the disagreements on this policy mostly come from a certain group of DNS truthers, who don't like whatever we do, whatever we tried. |
Strange. I have dnsmasq backed router at home. It auto-registers name for every machine doing DHCP. I do not live only on corporate networks. I am a software engineer, I manage only my home network. Have limited experience in community network also. This is true for home networks and also larger company driven networks. Any unicast DNS server provided by DHCP is more trusted than multicast service. Multicast protocols are great for nice to have services, but their reliability is much lower. And they add visible timeouts, which are not desired, like in #28166.
I have showed multiple proofs this approach is wrong. LLMNR is a dead protocol with no future. Even then, not even Microsoft Windows implemented it the way you did. Then do not leak lookups onto the Internet. If my local router provides its own address, in the same private range as my own local address, then that is not leaking it to the Internet! Not leaking queries it is job, because only there are all information, which names are used and which are not. If you have overridden DNS servers offered by the network (for example because I do not trust them), then very likely yours are public on the internet. That might be the only case, when filtering makes sense. But if DNS protocol is used by
No, it does not. There are multiple issues regarding LLMNR. But you do not listen. They know it should work different way but you do not want to hear that. It gets into their way often but you insist it works pretty well.
Try visiting https://chat.dns-oarc.net and ask professionals, how it should behave. Listen to them. Try to understand RFCs and what was meant by them. Not everything is obvious or written in detail. Those people know much better than me small details, how they should work and why. After just 7 years working on DNS I am still learning from them, but you can meet people who wrote some of those RFCs or have double my experience. If unsure, ask them. They are kind people. I haven't seen you there. What I have seen multiple times is issue were closed, when only partially solved what reporter has requested. The best example were #4621. It might help asking the reporter, if proposed fix does actually fix what they wanted. If they don't know, that is okay. |
|
I don't think it's true that every client that speaks dns to us on the stub cares that we only speak dns in return. E.g. libraries like c-ares are commonly used in C to get a better asynchronous resolver interface. Go has it's own resolver implementation that mimics the libc resolver. These clients can benefit from resolved's implementation of mdns/llmnr if enabled on the host, and this minimizes unexpected differences in answers between clients requesting the same name. If it were strictly enforced that queries to the stub were answered only with unicast dns, this would break |
|
The important difference is mdns resolution has own domain And I have checked Yes, you are true not every client does it on purpose. If the application could opt-in to llmnr usage also over DNS protocol, then okay. But that is not the case. I have not seen any strong evidence LLMNR is desired and it would be a problem to turn it on explicitly. |
Is your feature request related to a problem? Please describe.
Yes, described in #23494. LLMNR eats also queries to single label names, which are not wanted to be resolved by LLMNR. It should not
Describe the solution you'd like
I want to use LLMNR only from getaddrinfo() calls and similar. I think that is also equivalent to how Windows machines use it, because they do not redirect DNS to local service. They just provide equivalent to glibc nss plugins except dns.
Unlike Ubuntu, Fedora enabled also nss
resolveplugin in /etc/nsswitch.conf. Therefore it has a way to make clear distinction, when it uses just general get me addresses for a host name xy and get me dns response for query to local stub. Take advantage of it and serve LLMNR only for queries received fromresolveplugin, but not for queries received over DNS socket on port domain.If I have
search example.netin /etc/resolv.conf, then I want all single label queries to tryhost.example.netvia DNS. I don't want resolution passed to LLMNR and end there if not found. It would work itself just like before f33, when systemd-resolved started to be installed by default. nss-dns would ensure search is applied according to resolv.conf.Describe alternatives you've considered
Disabling LLMNR always and for all. We have mdns for multicast resolution. Create a separate nss-llmnr similar to nss-mdns. Local LLMNR on DNS stub should not serve ever LLMNR responses on 127.0.0.53 stub or 127.0.0.54 stub.
The systemd version you checked that didn't have the feature you are asking for
systemd-251.1-2.fc37.x86_64The text was updated successfully, but these errors were encountered: