[thirdparty/systemd.git] / man / nss-resolve.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="nss-resolve" conditional='ENABLE_NSS_RESOLVE'>

  <refentryinfo>
    <title>nss-resolve</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-resolve</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-resolve</refname>
    <refname>libnss_resolve.so.2</refname>
    <refpurpose>Hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_resolve.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-resolve</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
    GNU C Library (<command>glibc</command>) enabling it to resolve hostnames via the
    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> local network
    name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
    hostnames via DNS.</para>

    <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
    with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
    recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
    <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
    <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
    caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
    local VMs and containers precedence over names received over DNS. Finally, we recommend placing
    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>

    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
    for example for <literal>localhost</literal> and the current local hostname, see
    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
    the full list. This duplicates the functionality of
    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
    it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
    <filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
    <command>systemd-resolved</command> is not running.</para>

    <para>Please keep in mind that <command>nss-myhostname</command> (and <command>nss-resolve</command>) also resolve
    in the other direction — from locally attached IP addresses to
    hostnames. If you rely on that lookup being provided by DNS, you might
    want to order things differently.
    </para>

    <para>Communication between <command>nss-resolve</command> and
    <filename>systemd-resolved.service</filename> takes place via the
    <filename>/run/systemd/resolve/io.systemd.Resolve</filename> <constant>AF_UNIX</constant> socket.</para>
  </refsect1>

  <refsect1>
    <title>Environment variables</title>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_VALIDATE</varname></term>

        <listitem><para>Takes a boolean argument. When false, cryptographic validation of resource records
        via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
        unreliable.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>

        <listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
        name, will not be returned. See section SYNTHETIC RECORDS in
        <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        for more information. This may be useful to query the "public" resource records, independent of the
        configuration of the local machine.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>

        <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
        not be used by
        <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers using locally registered public
        LLMNR/mDNS resource records will not be returned.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
        will not be used.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
        network, i.e. either from local sources or the cache in
        <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-resolve</command> correctly:</para>

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd:         compat systemd
group:          compat [SUCCESS=merge] systemd
shadow:         compat systemd
gshadow:        files systemd

hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
514094f9	1	<?xml version='1.0'?>
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
0d6868f9	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
0d6868f9	5
08540a95	6	<refentry id="nss-resolve" conditional='ENABLE_NSS_RESOLVE'>
0d6868f9 LP	7
	8	<refentryinfo>
	9	<title>nss-resolve</title>
	10	<productname>systemd</productname>
0d6868f9 LP	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>nss-resolve</refentrytitle>
	15	<manvolnum>8</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>nss-resolve</refname>
	20	<refname>libnss_resolve.so.2</refname>
e9dd6984	21	<refpurpose>Hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
0d6868f9 LP	22	</refnamediv>
	23
	24	<refsynopsisdiv>
	25	<para><filename>libnss_resolve.so.2</filename></para>
	26	</refsynopsisdiv>
	27
	28	<refsect1>
	29	<title>Description</title>
	30
9053aaad	31	<para><command>nss-resolve</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
38b38500	32	GNU C Library (<command>glibc</command>) enabling it to resolve hostnames via the
9053aaad LP	33	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> local network
	34	name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
	35	hostnames via DNS.</para>
	36
44b7aedb ZJS	37	<para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
	38	with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
	39	recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
	40	<literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
	41	<filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
	42	caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
	43	local VMs and containers precedence over names received over DNS. Finally, we recommend placing
	44	<literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
	45	<command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
2b015ea4	46
d296c20f LP	47	<para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
	48	for example for <literal>localhost</literal> and the current local hostname, see
	49	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
	50	the full list. This duplicates the functionality of
	51	<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
	52	it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
2b015ea4 ZJS	53	<filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
2b015ea4 ZJS	54	<command>systemd-resolved</command> is not running.</para>
946f7ce3 FK	55
946f7ce3 FK	56	<para>Please keep in mind that <command>nss-myhostname</command> (and <command>nss-resolve</command>) also resolve
bdbb61f6	57	in the other direction — from locally attached IP addresses to
946f7ce3 FK	58	hostnames. If you rely on that lookup being provided by DNS, you might
	59	want to order things differently.
	60	</para>
1d697549 LP	61
	62	<para>Communication between <command>nss-resolve</command> and
	63	<filename>systemd-resolved.service</filename> takes place via the
	64	<filename>/run/systemd/resolve/io.systemd.Resolve</filename> <constant>AF_UNIX</constant> socket.</para>
0d6868f9 LP	65	</refsect1>
0d6868f9 LP	66
1c4539af ZJS	67	<refsect1>
	68	<title>Environment variables</title>
	69
	70	<variablelist class='environment-variables'>
	71	<varlistentry>
	72	<term><varname>$SYSTEMD_NSS_RESOLVE_VALIDATE</varname></term>
	73
	74	<listitem><para>Takes a boolean argument. When false, cryptographic validation of resource records
	75	via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
	76	unreliable.</para></listitem>
	77	</varlistentry>
	78	</variablelist>
8ef114c6 ZJS	79
	80	<variablelist class='environment-variables'>
	81	<varlistentry>
	82	<term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>
	83
	84	<listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
	85	name, will not be returned. See section SYNTHETIC RECORDS in
	86	<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	87	for more information. This may be useful to query the "public" resource records, independent of the
	88	configuration of the local machine.</para></listitem>
	89	</varlistentry>
	90	</variablelist>
	91
	92	<variablelist class='environment-variables'>
	93	<varlistentry>
	94	<term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
	95
	96	<listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
8fb35004 ZJS	97	not be used by
	98	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
	99	</para></listitem>
8ef114c6 ZJS	100	</varlistentry>
	101	</variablelist>
	102
	103	<variablelist class='environment-variables'>
	104	<varlistentry>
	105	<term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>
	106
	107	<listitem><para>Takes a boolean argument. When false, answers using locally registered public
	108	LLMNR/mDNS resource records will not be returned.</para></listitem>
	109	</varlistentry>
	110	</variablelist>
	111
	112	<variablelist class='environment-variables'>
	113	<varlistentry>
	114	<term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>
	115
	116	<listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
	117	will not be used.</para></listitem>
	118	</varlistentry>
	119	</variablelist>
	120
	121	<variablelist class='environment-variables'>
	122	<varlistentry>
	123	<term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
	124
	125	<listitem><para>Takes a boolean argument. When false, answers will be returned without using the
8fb35004 ZJS	126	network, i.e. either from local sources or the cache in
8fb35004 ZJS	127	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
8ef114c6 ZJS	128	</para></listitem>
	129	</varlistentry>
	130	</variablelist>
1c4539af ZJS	131	</refsect1>
1c4539af ZJS	132
0d6868f9 LP	133	<refsect1>
	134	<title>Example</title>
	135
fe003f02 ZJS	136	<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
fe003f02 ZJS	137	<command>nss-resolve</command> correctly:</para>
0d6868f9	138
94f760ec	139	<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
38ccb557	140	<programlisting>passwd: compat systemd
d296c20f	141	group: compat [SUCCESS=merge] systemd
f43a19ec LP	142	shadow: compat systemd
f43a19ec LP	143	gshadow: files systemd
0d6868f9	144
d296c20f	145	hosts: mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
0d6868f9 LP	146	networks: files
	147
	148	protocols: db files
	149	services: db files
	150	ethers: db files
	151	rpc: db files
	152
	153	netgroup: nis</programlisting>
0d6868f9 LP	154	</refsect1>
	155
	156	<refsect1>
	157	<title>See Also</title>
	158	<para>
	159	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	160	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
409093fe	161	<citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
0d6868f9	162	<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
409093fe	163	<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1c4539af ZJS	164	<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1c4539af ZJS	165	<citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
0d6868f9 LP	166	</para>
	167	</refsect1>
	168
	169	</refentry>