| author | Lennart Poettering <lennart@poettering.net> | 2021-11-22 12:20:05 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-11-22 22:33:24 +0100 |
| commit | a8d09063447568d87288a8e868fe386c1da7ce09 (patch) | |
| tree | b61ea5adbb8a517ecd64ce2407491eb193f67942 /man | |
| parent | socket-util: add helper for generically initializing sockaddr_union from in_a... (diff) | |
resolved: add "proxy-only" stub on 127.0.0.54
This beefs up the DNS stub logic to listen on two IP addresses:
127.0.0.53 (as before) + 127.0.0.54 (new). When the latter is contacted
our stub will operate in "bypass" mode only, i.e. we'll try to pass DNS
requests as unmodified upstream as we can (and not do mDNS/LLMNR and
such, also no DNSSEC validation – but we'll still do DNS-over-TLS
wrapping).
This is supposed to be useful for container environments or tethering:
this stub could be exposed (via NAT redirect) to clients of this system
and we'll try to stay out of the way with doing too much DNS magic
ourselves, but still expose whatever the current DNS server is from
upstream under a stable address/port.
How to use this:
# iptables -t nat -I PREROUTING -p udp -i <interface> --dport 53 -j DNAT --to 127.0.0.54:53
# echo 1 > /proc/sys/net/ipv4/conf/<interface>/route_localnet
Diffstat (limited to 'man')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | man/resolved.conf.xml | 12 |
| -rw-r--r-- | man/systemd-resolved.service.xml | 13 |

2 files changed, 17 insertions, 8 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index c1994604b9..f53af362e8 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -265,11 +265,13 @@ <varlistentry> <term><varname>DNSStubListener=</varname></term> - <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and <literal>tcp</literal>. If - <literal>udp</literal>, a DNS stub resolver will listen for UDP requests on address 127.0.0.53 - port 53. If <literal>tcp</literal>, the stub will listen for TCP requests on the same address and port. If - <literal>yes</literal> (the default), the stub listens for both UDP and TCP requests. If <literal>no</literal>, the stub - listener is disabled.</para> + <listitem><para>Takes a boolean argument or one of <literal>udp</literal> and + <literal>tcp</literal>. If <literal>udp</literal>, a DNS stub resolver will listen for UDP requests + on addresses 127.0.0.53 and 127.0.0.54, port 53. If <literal>tcp</literal>, the stub will listen for + TCP requests on the same addresses and port. If <literal>yes</literal> (the default), the stub listens + for both UDP and TCP requests. If <literal>no</literal>, the stub listener is disabled.</para> + + <xi:include href="systemd-resolved.service.xml" xpointer="proxy-stub" /> <para>Note that the DNS stub listener is turned off implicitly when its listening address and port are already in use.</para></listitem> diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml index 34c1257ab0..a7e08f0c80 100644 --- a/man/systemd-resolved.service.xml +++ b/man/systemd-resolved.service.xml 
@@ -59,12 +59,19 @@ <command>systemd-resolved</command>.</para></listitem> <listitem><para>Additionally, <command>systemd-resolved</command> provides a local DNS stub listener on - IP address 127.0.0.53 on the local loopback interface. Programs issuing DNS requests directly, - bypassing any local API may be directed to this stub, in order to connect them to + the IP addresses 127.0.0.53 and 127.0.0.54 on the local loopback interface. Programs issuing DNS + requests directly, bypassing any local API may be directed to this stub, in order to connect them to <command>systemd-resolved</command>. Note however that it is strongly recommended that local programs use the glibc NSS or bus APIs instead (as described above), as various network resolution concepts (such as link-local addressing, or LLMNR Unicode domains) cannot be mapped to the unicast DNS - protocol.</para></listitem> + protocol.</para> + + <para id="proxy-stub">The DNS stub resolver on 127.0.0.53 provides the full feature set of the local + resolver, which includes offering LLMNR/MulticastDNS resolution. The DNS stub resolver on 127.0.0.54 + provides a more limited resolver, that operates in "proxy" mode only, i.e. it will pass most DNS + messages relatively unmodified to the current upstream DNS servers and back, but not try to process the + messages locally, and hence does not validate DNSSEC, or offer up LLMNR/MulticastDNS. (It will + translate to DNS-over-TLS communication if needed however.)</para></listitem> </itemizedlist> <para>The DNS servers contacted are determined from the global settings in |
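Review bot: in the resolved.conf.xml hunk, the unchanged closing note of the DNSStubListener= entry ("the DNS stub listener is turned off implicitly when its listening address and port are already in use") now follows a description that names two listening addresses, and it does not say whether a bind failure on one of 127.0.0.53 or 127.0.0.54 disables only that listener or both. Suggest making it per address, e.g. "turned off implicitly for an address when that address and port are already in use", or stating that both are disabled, whichever the implementation does.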
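Review bot: in the systemd-resolved.service.xml hunk, the new proxy-stub paragraph hedges with "most DNS messages relatively unmodified" without naming which messages are handled differently, which is what an administrator who exposes 127.0.0.54 via DNAT (as the commit message suggests) needs in order to know what clients behind it receive. Suggest listing the exceptions, and tying the last sentence to the setting that governs it, e.g. "(It will still use DNS-over-TLS towards upstream servers if DNSOverTLS= is enabled.)". Minor: "a more limited resolver, that operates" should drop the comma. Since the commit message documents the NAT-redirect use case and the route_localnet sysctl, a sentence pointing at that use case in the man page would help readers find 127.0.0.54.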