Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[resolved/networkd] Behaviour for .~ seems invalid (or the documentation is not correct) #9472

Closed
msoltyspl opened this issue Jun 29, 2018 · 4 comments
Closed

[resolved/networkd] Behaviour for .~ seems invalid (or the documentation is not correct) #9472

msoltyspl opened this issue Jun 29, 2018 · 4 comments
Labels
documentation resolve

Comments

@msoltyspl
Copy link
Contributor

@msoltyspl msoltyspl commented Jun 29, 2018
edited

Systemd version: 238.133
Distro: Archlinux

The documentation from systemd.network claims that:

The "routing-only" domain "~." (the tilde indicating definition of a routing domain, the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) has special effect. It causes all DNS traffic which does not match another configured domain routing entry to be routed to DNS servers specified for this interface. This setting is useful to prefer a certain set of DNS servers if a link on which they are connected is available.

In particular the part about It causes all DNS traffic which does not match another configured domain routing entry. In reality it doesn't care about the match at all - adding ~. to per-link options (or to global options in resolved.conf) has the effect of using respective dnses (per-link or global respectively) for any query.

For example consider something like (only relevant parts listed):

# Part of 30-lan1.network
[Network]
Domains=~.
DNS=1.1.1.1
# Part of 30-lan2.network
[Network]
Domains=touk.pl
DNS=10.0.0.50

With such configs, when we enable debugging output in systemd-resolved, we can clearly see that

dig @127.0.0.53 google.pl will go only to 1.1.1.1, but dig @127.0.0.53 test.touk.pl will go in parallel to both 10.0.0.50 and 1.1.1.1

When I was testing (ethernet + macvlan on top), parts of log:

Jun 29 14:28:42 hakai systemd-resolved[18225]: Transaction 43019 for <hakai.touk.pl IN A> scope dns on mac0/*.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Using feature level UDP+EDNS0+DO+LARGE for transaction 43019.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Using DNS server 8.8.4.4 for transaction 43019.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Sending query packet with id 43019.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Cache miss for hakai.touk.pl IN A
Jun 29 14:28:42 hakai systemd-resolved[18225]: Transaction 38384 for <hakai.touk.pl IN A> scope dns on eno1/*.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Using feature level UDP+EDNS0+DO+LARGE for transaction 38384.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Using DNS server 192.168.0.30 for transaction 38384.
Jun 29 14:28:42 hakai systemd-resolved[18225]: Sending query packet with id 38384.

With --status output:

Link 4 (mac0)
      Current Scopes: DNS LLMNR/IPv4 mDNS/IPv4
       LLMNR setting: yes
MulticastDNS setting: yes
      DNSSEC setting: yes
    DNSSEC supported: yes
         DNS Servers: 8.8.4.4
          DNS Domain: ~.

Link 2 (eno1)
      Current Scopes: DNS LLMNR/IPv4 mDNS/IPv4
       LLMNR setting: yes
MulticastDNS setting: yes
      DNSSEC setting: yes
    DNSSEC supported: yes
         DNS Servers: 192.168.0.30
                      192.168.0.40
                      10.13.36.10
          DNS Domain: touk.pl

Shouldn't dnses from other/global connections with ~. defined explicitly be used only for non-matching domains (as the documentation states) ? This also should apply to global resolved.conf if it for example contains Domains=~. and DNS=1.1.1.1
@msoltyspl msoltyspl changed the title [resolved/netwrorkd] Behaviour for .~ seems invalid (or the documentation is not correct) [resolved/networkd] Behaviour for .~ seems invalid (or the documentation is not correct) Jun 29, 2018
@msoltyspl msoltyspl mentioned this issue Jun 29, 2018
Closed
@poettering
Copy link
Member

@poettering poettering commented Jul 4, 2018

So, yeah the docs are bogus.

Basically, when looking where to route queries resolved suffix-matches the query name against all search/routing domains of all interfaces, and will send the query to any matching interface/server. If none match it will then send the query to all interfaces/servers.

This means ~. just means "route any query also to this interface". It doesn't mean "route all queries only to this interface". Or to say this differently: it's not as special as the docs suggest: its treated like any other routing domain listed, it's just that it is a routing domain that matches a lot more lookups the other names...

@zeule zeule mentioned this issue Jul 6, 2018
Closed
@msoltyspl msoltyspl mentioned this issue Aug 7, 2018
Closed
@fgont
Copy link

@fgont fgont commented Nov 27, 2018

According to your description above, if this is there's only one "Domain" variable set to "~.", wouldn't this nevertheless mean that only this resolver would be used? (there is a matching interface/resolver... and there is only one of those...)

poettering added a commit to poettering/systemd that referenced this issue Dec 4, 2018
@poettering
resolved: rework how we determine which scope to send a query to
0f2a122 
Fixes: systemd#10830 systemd#9825 systemd#9472
@poettering poettering mentioned this issue Dec 4, 2018
Merged
@poettering
Copy link
Member

@poettering poettering commented Dec 4, 2018

Fix waiting in #11050, with a new section about DNS domain routing added to the docs

poettering added a commit to poettering/systemd that referenced this issue Dec 12, 2018
@poettering
resolved: rework how we determine which scope to send a query to
8fd665e 
Fixes: systemd#10830 systemd#9825 systemd#9472
poettering added a commit to poettering/systemd that referenced this issue Dec 15, 2018
@poettering
resolved: rework how we determine which scope to send a query to
6e1ab86 
Fixes: systemd#10830 systemd#9825 systemd#9472
poettering added a commit to poettering/systemd that referenced this issue Dec 17, 2018
@poettering
resolved: rework how we determine which scope to send a query to
f9f8869 
Fixes: systemd#10830 systemd#9825 systemd#9472
poettering added a commit to poettering/systemd that referenced this issue Dec 18, 2018
@poettering
resolved: rework how we determine which scope to send a query to
7047934 
Fixes: systemd#10830 systemd#9825 systemd#9472
poettering added a commit to poettering/systemd that referenced this issue Dec 21, 2018
@poettering
resolved: rework how we determine which scope to send a query to
a97a3b2 
Fixes: systemd#10830 systemd#9825 systemd#9472
@poettering
Copy link
Member

@poettering poettering commented Feb 26, 2019

Closing, as #11050 was merged a while back.

@poettering poettering closed this Feb 26, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation resolve
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fgont @poettering @msoltyspl