109.4 Lesson 1
Certificate: |
LPIC-1 |
---|---|
Version: |
5.0 |
Topic: |
109 Networking Fundamentals |
Objective: |
109.4 Configure client side DNS |
Lesson: |
1 of 1 |
Introduction
This lesson covers configuring client side name resolution and how to use a few CLI name resolution tools.
Remembering and maintaining IP addresses, UIDs, and GIDs, and other numbers for everything isn’t feasible. Name resolution services translate easy to remember names to numbers and vice versa. This lesson focuses on host name resolution, but a similar process happens for user names, group names, port numbers, and several others.
Name Resolution Process
Programs that resolve names to numbers almost always use functions provided by the standard C library, which on Linux systems is the GNU project’s glibc. The first things these functions do is read the file /etc/nsswitch.conf
for instructions on how to resolve that type of name. This lesson is focused on host name resolution, but the same process applies to other types of name resolution as well. Once the process reads /etc/nsswitch.conf
, it looks up the name in the manner specified. Since /etc/nsswitch.conf
supports plugins, what comes next could be anything. After the function is done looking up the name or number, it returns the result to the calling process.
DNS Classes
DNS has three record classes, IN, HS, and CH. In this lesson, all DNS queries will be of type IN. The IN class is for internet addresses using the TCP/IP stack. CH is for ChaosNet, which is a network technology that was short lived and is no longer in use. The HS class is for Hesiod. Hesiod is a way to store things like passwd and group entries in DNS. Hesiod is beyond the scope of this lesson.
Understanding /etc/nsswitch.conf
The best way to learn about this file is to read the man page that is part of the Linux man-pages project. It is available on most systems. It can be accessed with the command man nsswitch.conf
. Alternatively, it can be found at https://man7.org/linux/man-pages/dir_section_5.html
Below is a simple example of /etc/nsswitch.conf
from its man page:
passwd: compat group: compat shadow: compat hosts: dns [!UNAVAIL=return] files networks: nis [NOTFOUND=return] files ethers: nis [NOTFOUND=return] files protocols: nis [NOTFOUND=return] files rpc: nis [NOTFOUND=return] files services: nis [NOTFOUND=return] files # This is a comment. It is ignored by the resolution functions.
The file is organized into columns. The far left column is the type of name database. The rest of the columns are the methods the resolution functions should use to lookup a name. The methods are followed by the functions from left to right. Columns with []
are used to provide some limited conditional logic to the column immediately to the left of it.
Suppose a process is trying to resolve the host name learning.lpi.org
. It would make an appropriate C library call (most likely gethostbyname
). This function will then read /etc/nsswitch.conf
. Since the process is looking up a host name, it will find the line starting with hosts
. It would then attempt to use DNS to resolve the name. The next column, [!UNAVAIL=return]
means that if the service is not unavailable, then do not try the next source, i.e., if DNS is available, stop trying to resolve the host name even if the name servers are unable to. If DNS is unavailable, then continue on to the next source. In this case, the next source is files
.
When you see a column in the format [result=action]
, it means that when a resolver lookup of the column to the left of it is result
, then action
is performed. If result
is preceded with a !
, it means if the result is not result
, then perform action
. For descriptions of the possible results and actions, see the man page.
Now suppose a process is trying to resolve a port number to a service name. It would read the services
line. The first source listed is NIS. NIS stands for Network Information Service (it is sometimes referred to as yellow pages). It is an old service that allowed central management of things such as users. It is rarely used anymore due to its weak security. The next column [NOTFOUND=return]
means that if the lookup succeeded but the service was not found to stop looking. If the aforementioned condition does not apply, use local files.
Anything to the right of #
is a comment and ignored.
The /etc/resolv.conf
File
The file /etc/resolv.conf
is used to configure host resolution via DNS. Some distributions have startup scripts, daemons, and other tools that write to this file. Keep this in mind when manually editing this file. Check your distribution and any network configuration tools documentation if this is the case. Some tools, such as Network Manager will leave a comment in the file letting you know that manual changes will be overwritten.
As with /etc/nsswitch.conf
, there is a man page associated with the file. It can be accessed with the command man resolv.conf
or at https://man7.org/linux/man-pages/man5/resolv.conf.5.html.
The file format is rather straight forward. In the far left column, you have the option name
. The rest of the columns on the same line are the option’s value.
The most common option is the nameserver
option. It is used to specify the IPv4 or IPv6 address of a DNS server. As of the date of this writing, you can specify up to three name servers. If your /etc/resolv.conf
does not have a nameserver
option, your system will by default use the name server on the local machine.
Below is a simple example file that is representative of common configurations:
search lpi.org nameserver 10.0.0.53 nameserver fd00:ffff::2:53
The search
option is used to allow short form searches. In the example, a single search domain of lpi.org
is configured. This means that any attempt to resolve a host name without a domain portion will have .lpi.org
appended before the search. For example, if you were to try to search for a host named learning
, the resolver would search for learning.lpi.org
. You can have up to six search domains configured.
Another common option is the domain
option. This is used to set your local domain name. If this option is missing, this defaults to everything after the first .
in the machine’s host name. If the host name does not contain a .
, it is assumed that the machine is part of the root domain. Like search
, domain
can be used for short name searches.
Keep in mind that domain
and search
are mutually exclusive. If both are present, the last instance in the file is used.
There are several options that can be set to affect the behavior of the resolver. To set these, use the options
keyword, followed by the name of the option to set, and if applicable, a :
followed by the value. Below is an example of setting the timeout option, which is the length of time in seconds the resolver will wait for a name server before giving up:
option timeout:3
There are other options to resolv.conf
, but these are the most common.
The /etc/hosts
File
The file /etc/hosts
is used to resolve names to IP addresses and vice versa. Both IPv4 and IPv6 are supported. The left column is the IP address, the rest are names associated with that address. The most common use for /etc/hosts
is for hosts and addresses where DNS is not possible, such as loop back addresses. In the example below, IP addresses of critical infrastructure components are defined.
Here is a realistic example of an /etc/hosts
file:
127.0.0.1 localhost 127.0.1.1 proxy ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 10.0.0.1 gateway.lpi.org gateway gw fd00:ffff::1 gateway.lpi.org gateway gw 10.0.1.53 dns1.lpi.org fd00:ffff::1:53 dns1.lpi.org 10.0.2.53 dns2.lpi.org fd00:ffff::2:53 dns2.lpi.org
systemd-resolved
Systemd provides a service called systemd-resolved
. It provides mDNS, DNS, and LLMNR. When it is running, it listens for DNS requests on 127.0.0.53
. It does not provide a full fledged DNS server. Any DNS requests it receives are looked up by querying servers configured in /etc/systemd/resolv.conf
or /etc/resolv.conf
. If you wish to use this, use resolve
for hosts
in /etc/nsswitch.conf
. Keep in mind that the OS package that has the systemd-resolved
library may not be installed by default.
Name Resolution Tools
There are many tools available to Linux users for name resolution. This lesson covers three. One, getent
, is useful for seeing how real world requests will resolve. Another command is host
, which is useful for simple DNS queries. A program called dig
is useful for complex DNS operations that can aid with troubleshooting DNS server problems.
The getent
Command
The getent
utility is used to display entries from name service databases. It can retrieve records from any source configurable by /etc/nsswitch.conf
.
To use getent
, follow the command with the type of name you wish to resolve and optionally a specific entry to lookup. If you only specify the type of name, getent
will attempt to display all entries of that data type:
$ getent hosts 127.0.0.1 localhost 127.0.1.1 proxy 10.0.1.53 dns1.lpi.org 10.0.2.53 dns2.lpi.org 127.0.0.1 localhost ip6-localhost ip6-loopback $ getent hosts dns1.lpi.org fd00:ffff::1:53 dns1.lpi.org
Starting with glibc version 2.2.5, you can force getent
to use a specific data source with the -s
option. The example below demonstrates this:
$ getent -s files hosts learning.lpi.org ::1 learning.lpi.org $ getent -s dns hosts learning.lpi.org 208.94.166.198 learning.lpi.org
The host
Command
host
is a simple program for looking up DNS entries. With no options, if host
is given a name, it returns the A, AAAA, and MX record sets. If given an IPv4 or IPv6 address, it outputs the PTR record if one is available:
$ host wikipedia.org wikipedia.org has address 208.80.154.224 wikipedia.org has IPv6 address 2620:0:861:ed1a::1 wikipedia.org mail is handled by 10 mx1001.wikimedia.org. wikipedia.org mail is handled by 50 mx2001.wikimedia.org. $ host 208.80.154.224 224.154.80.208.in-addr.arpa domain name pointer text-lb.eqiad.wikimedia.org.
If you are looking for a specific record type, you can use host -t
:
$ host -t NS lpi.org lpi.org name server dns1.easydns.com. lpi.org name server dns3.easydns.ca. lpi.org name server dns2.easydns.net. $ host -t SOA lpi.org lpi.org has SOA record dns1.easydns.com. zone.easydns.com. 1593109612 3600 600 1209600 300
host
can also be used to query a specific name server if you do not wish to use the ones in /etc/resolv.conf
. Simply add the IP address or host name of the server you wish to use as the last argument:
$ host -t MX lpi.org dns1.easydns.com Using domain server: Name: dns1.easydns.com Address: 64.68.192.10#53 Aliases: lpi.org mail is handled by 10 aspmx4.googlemail.com. lpi.org mail is handled by 10 aspmx2.googlemail.com. lpi.org mail is handled by 5 alt1.aspmx.l.google.com. lpi.org mail is handled by 0 aspmx.l.google.com. lpi.org mail is handled by 10 aspmx5.googlemail.com. lpi.org mail is handled by 10 aspmx3.googlemail.com. lpi.org mail is handled by 5 alt2.aspmx.l.google.com.
The dig
Command
Another tool for querying DNS servers is dig
. This command is much more verbose than host
. By default, dig
queries for A records. It is probably too verbose for simply looking up an IP address or host name. dig
will work for simple lookups, but it is more suited for troubleshooting DNS server configuration:
$ dig learning.lpi.org ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> learning.lpi.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63004 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ca7a415be1cec45592b082665ef87f3483b81ddd61063c30 (good) ;; QUESTION SECTION: ;learning.lpi.org. IN A ;; ANSWER SECTION: learning.lpi.org. 600 IN A 208.94.166.198 ;; AUTHORITY SECTION: lpi.org. 86400 IN NS dns2.easydns.net. lpi.org. 86400 IN NS dns1.easydns.com. lpi.org. 86400 IN NS dns3.easydns.ca. ;; ADDITIONAL SECTION: dns1.easydns.com. 172682 IN A 64.68.192.10 dns2.easydns.net. 170226 IN A 198.41.222.254 dns1.easydns.com. 172682 IN AAAA 2400:cb00:2049:1::a29f:1835 dns2.easydns.net. 170226 IN AAAA 2400:cb00:2049:1::c629:defe ;; Query time: 135 msec ;; SERVER: 192.168.1.20#53(192.168.1.20) ;; WHEN: Sun Jun 28 07:29:56 EDT 2020 ;; MSG SIZE rcvd: 266
As you can see, dig
provides a lot of information. The output is divided into sections. The first section displays information about the version of dig
installed and the query sent, along with any options used for the command. Next it shows information about the query and the response.
The next section shows information about EDNS extensions used and the query. In the example, the cookie extension is used. dig
is looking for an A record for learning.lpi.org
.
The next section shows the result of the query. The number in the second column is the TTL of the resource in seconds.
The rest of the output provides information about the domain’s name servers, including the NS records for the server along with the A and AAAA records of the servers in the domain’s NS record.
Like host
, you can specify a record type with the -t
option:
$ dig -t SOA lpi.org ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> -t SOA lpi.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16695 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 185c67140a63baf46c4493215ef8906f7bfbe15bdca3b01a (good) ;; QUESTION SECTION: ;lpi.org. IN SOA ;; ANSWER SECTION: lpi.org. 600 IN SOA dns1.easydns.com. zone.easydns.com. 1593109612 3600 600 1209600 300 ;; AUTHORITY SECTION: lpi.org. 81989 IN NS dns1.easydns.com. lpi.org. 81989 IN NS dns2.easydns.net. lpi.org. 81989 IN NS dns3.easydns.ca. ;; ADDITIONAL SECTION: dns1.easydns.com. 168271 IN A 64.68.192.10 dns2.easydns.net. 165815 IN A 198.41.222.254 dns3.easydns.ca. 107 IN A 64.68.196.10 dns1.easydns.com. 168271 IN AAAA 2400:cb00:2049:1::a29f:1835 dns2.easydns.net. 165815 IN AAAA 2400:cb00:2049:1::c629:defe ;; Query time: 94 msec ;; SERVER: 192.168.1.20#53(192.168.1.20) ;; WHEN: Sun Jun 28 08:43:27 EDT 2020 ;; MSG SIZE rcvd: 298
Dig has many options to fine tune both the output and query sent to the server. These options begin with +
. One option is the short
option, which suppresses all output except the result:
$ dig +short lpi.org 65.39.134.165 $ dig +short -t SOA lpi.org dns1.easydns.com. zone.easydns.com. 1593109612 3600 600 1209600 300
Here is an example of turning off the cookie EDNS extension:
$ dig +nocookie -t MX lpi.org ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +nocookie -t MX lpi.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47774 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;lpi.org. IN MX ;; ANSWER SECTION: lpi.org. 468 IN MX 0 aspmx.l.google.com. lpi.org. 468 IN MX 10 aspmx4.googlemail.com. lpi.org. 468 IN MX 10 aspmx5.googlemail.com. lpi.org. 468 IN MX 10 aspmx2.googlemail.com. lpi.org. 468 IN MX 10 aspmx3.googlemail.com. lpi.org. 468 IN MX 5 alt2.aspmx.l.google.com. lpi.org. 468 IN MX 5 alt1.aspmx.l.google.com. ;; AUTHORITY SECTION: lpi.org. 77130 IN NS dns2.easydns.net. lpi.org. 77130 IN NS dns3.easydns.ca. lpi.org. 77130 IN NS dns1.easydns.com. ;; ADDITIONAL SECTION: dns1.easydns.com. 76140 IN A 64.68.192.10 dns2.easydns.net. 73684 IN A 198.41.222.254 dns1.easydns.com. 76140 IN AAAA 2400:cb00:2049:1::a29f:1835 dns2.easydns.net. 73684 IN AAAA 2400:cb00:2049:1::c629:defe ;; Query time: 2 msec ;; SERVER: 192.168.1.20#53(192.168.1.20) ;; WHEN: Mon Jun 29 10:18:58 EDT 2020 ;; MSG SIZE rcvd: 389
Guided Exercises
-
What will the command below do?
getent group openldap
-
What is the biggest difference between
getent
and the other tools covered,host
anddig
? -
Which option to
dig
andhost
is used to specify the type of record you wish to retrieve? -
Which of the following is a proper
/etc/hosts
entry?::1 localhost
localhost 127.0.0.1
-
Which option to
getent
is used to specify which data source should be used to perform a lookup?
Explorational Exercises
-
If you were to edit the
/etc/resolv.conf
below with a text editor, what is likely to happen?# Generated by NetworkManager nameserver 192.168.1.20
The changes will be overwritten by NetworkManager.
NetworkManager will update its configuration with your changes.
Your changes won’t affect the system.
NetworkManager will be disabled.
-
What does the following line in
/etc/nsswitch.conf
mean:hosts: files [SUCCESS=continue] dns
-
Considering the following
/etc/resolv.conf
why isn’t the system resolving names through DNS?search lpi.org #nameserver fd00:ffff::1:53 #nameserver 10.0.1.53
-
What does the command
dig +noall +answer +question lpi.org
do? -
How can you override the defaults of
dig
without specifying them on the command line?
Summary
The getent
command is a great tool to see the results of resolver calls. For simple DNS queries, host
is easy to use and produces straightforward output. If you need detailed information or need to fine tune a DNS query, dig
is most likely your best bet.
Due to the ability to add shared library plugins and configure the resolver behavior, Linux has excellent support for name and number resolution of various types. The getent
program can be used to resolve names using the resolver libraries. host
and dig
can be used to query DNS servers.
The file /etc/nsswitch.conf
is used to configure the resolver behavior. You are able to change data sources and add some simple conditional logic for name types with multiple sources.
DNS is configured by editing /etc/resolv.conf
. Many distributions have tools that manage this file for you, so make sure to check your system’s documentation if manual changes aren’t persisting.
The /etc/hosts
file is used to resolve host names to IPs and vice versa. It is typically used to define names, such as localhost
, that aren’t available through DNS.
It is possible to leave comments in the configuration files covered in this lesson. Any text to the right of #
is ignored by the system.
Answers to Guided Exercises
-
What will the command below do?
getent group openldap
It will read
/etc/nsswitch.conf
, lookup theopenldap
group from the sources listed, and display information about it if it is found. -
What is the biggest difference between
getent
and the other tools covered,host
anddig
?getent
looks up names using the resolver libraries, the others just query DNS.getent
can be used to troubleshoot your/etc/nsswitch.conf
and the configuration of name resolution libraries your system is configured to use.host
anddig
are used to lookup DNS records. -
Which option to
dig
andhost
is used to specify the type of record you wish to retrieve?Both programs use
-t
to specify the type of record you wish to look up. -
Which of the following is a proper
/etc/hosts
entry?::1 localhost
X
localhost 127.0.0.1
::1 localhost
is the correct line. The left column is always an IPv4 or IPv6 address. -
Which option to
getent
is used to specify which data source should be used to perform a lookup?The
-s
option is used to specify the data source. For example:$ getent -s files hosts learning.lpi.org 192.168.10.25 learning.lpi.org $ getent -s dns hosts learning.lpi.org 208.94.166.198 learning.lpi.org
Answers to Explorational Exercises
-
If you were to edit the
/etc/resolv.conf
below with a text editor, what is likely to happen?# Generated by NetworkManager nameserver 192.168.1.20
The changes will be overwritten by NetworkManager.
X
NetworkManager will update its configuration with your changes.
Your changes won’t affect the system.
NetworkManager will be disabled.
-
What does the following line in
/etc/nsswitch.conf
mean:hosts: files [SUCCESS=continue] dns
Lookups for host names will check your
/etc/hosts
files first and then DNS. If an entry found is found in files and DNS, the entry in DNS will be used. -
Considering the following
/etc/resolv.conf
why isn’t the system resolving names through DNS?search lpi.org #nameserver fd00:ffff::1:53 #nameserver 10.0.1.53
Both DNS servers are commented out and there is no DNS server running on the local host.
-
What does the command
dig +noall +answer +question lpi.org
do?It looks up the A record for
lpi.org
and displays only the query and response. -
How can you override the defaults of
dig
without specifying them on the command line?You create a
.digrc
file in your home directory.