[thirdparty/systemd.git] / man / nss-resolve.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="nss-resolve" conditional='ENABLE_NSS_RESOLVE'
          xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>nss-resolve</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-resolve</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-resolve</refname>
    <refname>libnss_resolve.so.2</refname>
    <refpurpose>Hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_resolve.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-resolve</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
    GNU C Library (<command>glibc</command>) enabling it to resolve hostnames via the
    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> local network
    name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
    hostnames via DNS.</para>

    <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
    with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
    recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
    <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
    <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
    caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
    local VMs and containers precedence over names received over DNS. Finally, we recommend placing
    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>

    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
    for example for <literal>localhost</literal> and the current local hostname, see
    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
    the full list. This duplicates the functionality of
    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
    it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
    <filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
    <command>systemd-resolved</command> is not running.</para>

    <para>Please keep in mind that <command>nss-myhostname</command> (and <command>nss-resolve</command>) also resolve
    in the other direction — from locally attached IP addresses to
    hostnames. If you rely on that lookup being provided by DNS, you might
    want to order things differently.
    </para>

    <para>Communication between <command>nss-resolve</command> and
    <filename>systemd-resolved.service</filename> takes place via the
    <filename>/run/systemd/resolve/io.systemd.Resolve</filename> <constant>AF_UNIX</constant> socket.</para>
  </refsect1>

  <refsect1>
    <title>Environment variables</title>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_VALIDATE</varname></term>

        <listitem><para>Takes a boolean argument. When false, cryptographic validation of resource records
        via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
        unreliable.</para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>

        <listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
        name, will not be returned. See section SYNTHETIC RECORDS in
        <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        for more information. This may be useful to query the "public" resource records, independent of the
        configuration of the local machine.</para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>

        <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
        not be used by
        <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers using locally registered public
        LLMNR/mDNS resource records will not be returned.</para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
        will not be used.</para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
        network, i.e. either from local sources or the cache in
        <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-resolve</command> correctly:</para>

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd:         files systemd
group:          files [SUCCESS=merge] systemd
shadow:         files systemd
gshadow:        files systemd

hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>
Commit	Line	Data
514094f9	1	<?xml version='1.0'?>
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
eea10b26	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
0d6868f9	5
4623eecb AK	6	<refentry id="nss-resolve" conditional='ENABLE_NSS_RESOLVE'
4623eecb AK	7	xmlns:xi="http://www.w3.org/2001/XInclude">
0d6868f9 LP	8
	9	<refentryinfo>
	10	<title>nss-resolve</title>
	11	<productname>systemd</productname>
0d6868f9 LP	12	</refentryinfo>
	13
	14	<refmeta>
	15	<refentrytitle>nss-resolve</refentrytitle>
	16	<manvolnum>8</manvolnum>
	17	</refmeta>
	18
	19	<refnamediv>
	20	<refname>nss-resolve</refname>
	21	<refname>libnss_resolve.so.2</refname>
e9dd6984	22	<refpurpose>Hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
0d6868f9 LP	23	</refnamediv>
	24
	25	<refsynopsisdiv>
	26	<para><filename>libnss_resolve.so.2</filename></para>
	27	</refsynopsisdiv>
	28
	29	<refsect1>
	30	<title>Description</title>
	31
9053aaad	32	<para><command>nss-resolve</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
38b38500	33	GNU C Library (<command>glibc</command>) enabling it to resolve hostnames via the
9053aaad LP	34	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> local network
	35	name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
	36	hostnames via DNS.</para>
	37
44b7aedb ZJS	38	<para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
	39	with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
	40	recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
	41	<literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
	42	<filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
	43	caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
	44	local VMs and containers precedence over names received over DNS. Finally, we recommend placing
	45	<literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
	46	<command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
2b015ea4	47
d296c20f LP	48	<para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
	49	for example for <literal>localhost</literal> and the current local hostname, see
	50	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
	51	the full list. This duplicates the functionality of
	52	<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
	53	it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
2b015ea4 ZJS	54	<filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
2b015ea4 ZJS	55	<command>systemd-resolved</command> is not running.</para>
946f7ce3 FK	56
946f7ce3 FK	57	<para>Please keep in mind that <command>nss-myhostname</command> (and <command>nss-resolve</command>) also resolve
bdbb61f6	58	in the other direction — from locally attached IP addresses to
946f7ce3 FK	59	hostnames. If you rely on that lookup being provided by DNS, you might
	60	want to order things differently.
	61	</para>
1d697549 LP	62
	63	<para>Communication between <command>nss-resolve</command> and
	64	<filename>systemd-resolved.service</filename> takes place via the
	65	<filename>/run/systemd/resolve/io.systemd.Resolve</filename> <constant>AF_UNIX</constant> socket.</para>
0d6868f9 LP	66	</refsect1>
0d6868f9 LP	67
1c4539af ZJS	68	<refsect1>
	69	<title>Environment variables</title>
	70
	71	<variablelist class='environment-variables'>
	72	<varlistentry>
	73	<term><varname>$SYSTEMD_NSS_RESOLVE_VALIDATE</varname></term>
	74
	75	<listitem><para>Takes a boolean argument. When false, cryptographic validation of resource records
	76	via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
ec07c3c8 AK	77	unreliable.</para>
	78
	79	<xi:include href="version-info.xml" xpointer="v250"/></listitem>
1c4539af ZJS	80	</varlistentry>
1c4539af ZJS	81	</variablelist>
8ef114c6 ZJS	82
	83	<variablelist class='environment-variables'>
	84	<varlistentry>
	85	<term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>
	86
	87	<listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
	88	name, will not be returned. See section SYNTHETIC RECORDS in
	89	<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	90	for more information. This may be useful to query the "public" resource records, independent of the
ec07c3c8 AK	91	configuration of the local machine.</para>
	92
	93	<xi:include href="version-info.xml" xpointer="v250"/></listitem>
8ef114c6 ZJS	94	</varlistentry>
	95	</variablelist>
	96
	97	<variablelist class='environment-variables'>
	98	<varlistentry>
	99	<term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
	100
	101	<listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
8fb35004 ZJS	102	not be used by
8fb35004 ZJS	103	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
ec07c3c8 AK	104	</para>
	105
	106	<xi:include href="version-info.xml" xpointer="v250"/></listitem>
8ef114c6 ZJS	107	</varlistentry>
	108	</variablelist>
	109
	110	<variablelist class='environment-variables'>
	111	<varlistentry>
	112	<term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>
	113
	114	<listitem><para>Takes a boolean argument. When false, answers using locally registered public
ec07c3c8 AK	115	LLMNR/mDNS resource records will not be returned.</para>
	116
	117	<xi:include href="version-info.xml" xpointer="v250"/></listitem>
8ef114c6 ZJS	118	</varlistentry>
	119	</variablelist>
	120
	121	<variablelist class='environment-variables'>
	122	<varlistentry>
	123	<term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>
	124
	125	<listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
ec07c3c8 AK	126	will not be used.</para>
	127
	128	<xi:include href="version-info.xml" xpointer="v250"/></listitem>
8ef114c6 ZJS	129	</varlistentry>
	130	</variablelist>
	131
	132	<variablelist class='environment-variables'>
	133	<varlistentry>
	134	<term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
	135
	136	<listitem><para>Takes a boolean argument. When false, answers will be returned without using the
8fb35004 ZJS	137	network, i.e. either from local sources or the cache in
8fb35004 ZJS	138	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
ec07c3c8 AK	139	</para>
	140
	141	<xi:include href="version-info.xml" xpointer="v250"/></listitem>
8ef114c6 ZJS	142	</varlistentry>
8ef114c6 ZJS	143	</variablelist>
1c4539af ZJS	144	</refsect1>
1c4539af ZJS	145
0d6868f9 LP	146	<refsect1>
	147	<title>Example</title>
	148
fe003f02 ZJS	149	<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
fe003f02 ZJS	150	<command>nss-resolve</command> correctly:</para>
0d6868f9	151
94f760ec	152	<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
02e93087 LP	153	<programlisting>passwd: files systemd
	154	group: files [SUCCESS=merge] systemd
	155	shadow: files systemd
f43a19ec	156	gshadow: files systemd
0d6868f9	157
d296c20f	158	hosts: mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
0d6868f9 LP	159	networks: files
	160
	161	protocols: db files
	162	services: db files
	163	ethers: db files
	164	rpc: db files
	165
	166	netgroup: nis</programlisting>
0d6868f9 LP	167	</refsect1>
	168
	169	<refsect1>
	170	<title>See Also</title>
13a69c12 DT	171	<para><simplelist type="inline">
	172	<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
	173	<member><citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	174	<member><citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	175	<member><citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	176	<member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	177	<member><citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
	178	<member><citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
	179	</simplelist></para>
0d6868f9 LP	180	</refsect1>
	181
	182	</refentry>