nss-resolve
systemd
nss-resolve
8
nss-resolve
libnss_resolve.so.2
Hostname resolution via systemd-resolved.service
libnss_resolve.so.2
Description
nss-resolve is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
GNU C Library (glibc) enabling it to resolve hostnames via the
systemd-resolved8 local network
name resolution service. It replaces the nss-dns plug-in module that traditionally resolves
hostnames via DNS.
To activate the NSS module, add resolve [!UNAVAIL=return] to the line starting
with hosts: in /etc/nsswitch.conf. Specifically, it is
recommended to place resolve early in /etc/nsswitch.conf's
hosts: line. It should be before the files entry, since
systemd-resolved supports /etc/hosts internally, but with
caching. To the contrary, it should be after mymachines, to give hostnames given to
local VMs and containers precedence over names received over DNS. Finally, we recommend placing
dns somewhere after resolve, to fall back to
nss-dns if systemd-resolved.service is not available.
Note that systemd-resolved will synthesize DNS resource records in a few cases,
for example for localhost and the current local hostname, see
systemd-resolved8 for
the full list. This duplicates the functionality of
nss-myhostname8, but
it is still recommended (see examples below) to keep nss-myhostname configured in
/etc/nsswitch.conf, to keep those names resolveable if
systemd-resolved is not running.
Please keep in mind that nss-myhostname (and nss-resolve) also resolve
in the other direction — from locally attached IP addresses to
hostnames. If you rely on that lookup being provided by DNS, you might
want to order things differently.
Communication between nss-resolve and
systemd-resolved.service takes place via the
/run/systemd/resolve/io.systemd.Resolve AF_UNIX socket.
Environment variables
$SYSTEMD_NSS_RESOLVE_VALIDATE
Takes a boolean argument. When false, cryptographic validation of resource records
via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
unreliable.
$SYSTEMD_NSS_RESOLVE_SYNTHESIZE
Takes a boolean argument. When false, synthetic records, e.g. for the local host
name, will not be returned. See section SYNTHETIC RECORDS in
systemd-resolved.service8
for more information. This may be useful to query the "public" resource records, independent of the
configuration of the local machine.
$SYSTEMD_NSS_RESOLVE_CACHE
Takes a boolean argument. When false, the cache of previously queried records will
not be used by
systemd-resolved8.
$SYSTEMD_NSS_RESOLVE_ZONE
Takes a boolean argument. When false, answers using locally registered public
LLMNR/mDNS resource records will not be returned.
$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR
Takes a boolean argument. When false, answers using locally configured trust anchors
will not be used.
$SYSTEMD_NSS_RESOLVE_NETWORK
Takes a boolean argument. When false, answers will be returned without using the
network, i.e. either from local sources or the cache in
systemd-resolved8.
Example
Here is an example /etc/nsswitch.conf file that enables
nss-resolve correctly:
passwd: files systemd
group: files [SUCCESS=merge] systemd
shadow: files systemd
gshadow: files systemd
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
See Also
systemd1
systemd-resolved8
nss-systemd8
nss-myhostname8
nss-mymachines8
nsswitch.conf5
systemd.syntax7