[thirdparty/systemd.git] / man / nss-resolve.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="nss-resolve" conditional='ENABLE_NSS_RESOLVE'
          xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>nss-resolve</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>nss-resolve</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>nss-resolve</refname>
    <refname>libnss_resolve.so.2</refname>
    <refpurpose>Hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>libnss_resolve.so.2</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>nss-resolve</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
    GNU C Library (<command>glibc</command>) enabling it to resolve hostnames via the
    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> local network
    name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
    hostnames via DNS.</para>

    <para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
    with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
    recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
    <literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
    <filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
    caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
    local VMs and containers precedence over names received over DNS. Finally, we recommend placing
    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>

    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
    for example for <literal>localhost</literal> and the current local hostname, see
    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
    the full list. This duplicates the functionality of
    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
    it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
    <filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
    <command>systemd-resolved</command> is not running.</para>

    <para>Please keep in mind that <command>nss-myhostname</command> (and <command>nss-resolve</command>) also resolve
    in the other direction — from locally attached IP addresses to
    hostnames. If you rely on that lookup being provided by DNS, you might
    want to order things differently.
    </para>

    <para>Communication between <command>nss-resolve</command> and
    <filename>systemd-resolved.service</filename> takes place via the
    <filename>/run/systemd/resolve/io.systemd.Resolve</filename> <constant>AF_UNIX</constant> socket.</para>
  </refsect1>

  <refsect1>
    <title>Environment variables</title>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_VALIDATE</varname></term>

        <listitem><para>Takes a boolean argument. When false, cryptographic validation of resource records
        via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
        unreliable.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>

        <listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
        name, will not be returned. See section SYNTHETIC RECORDS in
        <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        for more information. This may be useful to query the "public" resource records, independent of the
        configuration of the local machine.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>

        <listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
        not be used by
        <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers using locally registered public
        LLMNR/mDNS resource records will not be returned.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
        will not be used.</para></listitem>
      </varlistentry>
    </variablelist>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>

        <listitem><para>Takes a boolean argument. When false, answers will be returned without using the
        network, i.e. either from local sources or the cache in
        <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
        </para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
    <command>nss-resolve</command> correctly:</para>

    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd:         compat systemd
group:          compat [SUCCESS=merge] systemd
shadow:         compat systemd
gshadow:        files systemd

hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
514094f9	1	<?xml version='1.0'?>
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
0d6868f9	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
0d6868f9	5
4623eecb AK	6	<refentry id="nss-resolve" conditional='ENABLE_NSS_RESOLVE'
4623eecb AK	7	xmlns:xi="http://www.w3.org/2001/XInclude">
0d6868f9 LP	8
	9	<refentryinfo>
	10	<title>nss-resolve</title>
	11	<productname>systemd</productname>
0d6868f9 LP	12	</refentryinfo>
	13
	14	<refmeta>
	15	<refentrytitle>nss-resolve</refentrytitle>
	16	<manvolnum>8</manvolnum>
	17	</refmeta>
	18
	19	<refnamediv>
	20	<refname>nss-resolve</refname>
	21	<refname>libnss_resolve.so.2</refname>
e9dd6984	22	<refpurpose>Hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
0d6868f9 LP	23	</refnamediv>
	24
	25	<refsynopsisdiv>
	26	<para><filename>libnss_resolve.so.2</filename></para>
	27	</refsynopsisdiv>
	28
	29	<refsect1>
	30	<title>Description</title>
	31
9053aaad	32	<para><command>nss-resolve</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
38b38500	33	GNU C Library (<command>glibc</command>) enabling it to resolve hostnames via the
9053aaad LP	34	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> local network
	35	name resolution service. It replaces the <command>nss-dns</command> plug-in module that traditionally resolves
	36	hostnames via DNS.</para>
	37
44b7aedb ZJS	38	<para>To activate the NSS module, add <literal>resolve [!UNAVAIL=return]</literal> to the line starting
	39	with <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>. Specifically, it is
	40	recommended to place <literal>resolve</literal> early in <filename>/etc/nsswitch.conf</filename>'s
	41	<literal>hosts:</literal> line. It should be before the <literal>files</literal> entry, since
	42	<filename>systemd-resolved</filename> supports <filename>/etc/hosts</filename> internally, but with
	43	caching. To the contrary, it should be after <literal>mymachines</literal>, to give hostnames given to
	44	local VMs and containers precedence over names received over DNS. Finally, we recommend placing
	45	<literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
	46	<command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
2b015ea4	47
d296c20f LP	48	<para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
	49	for example for <literal>localhost</literal> and the current local hostname, see
	50	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
	51	the full list. This duplicates the functionality of
	52	<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
	53	it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
2b015ea4 ZJS	54	<filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
2b015ea4 ZJS	55	<command>systemd-resolved</command> is not running.</para>
946f7ce3 FK	56
946f7ce3 FK	57	<para>Please keep in mind that <command>nss-myhostname</command> (and <command>nss-resolve</command>) also resolve
bdbb61f6	58	in the other direction — from locally attached IP addresses to
946f7ce3 FK	59	hostnames. If you rely on that lookup being provided by DNS, you might
	60	want to order things differently.
	61	</para>
1d697549 LP	62
	63	<para>Communication between <command>nss-resolve</command> and
	64	<filename>systemd-resolved.service</filename> takes place via the
	65	<filename>/run/systemd/resolve/io.systemd.Resolve</filename> <constant>AF_UNIX</constant> socket.</para>
0d6868f9 LP	66	</refsect1>
0d6868f9 LP	67
1c4539af ZJS	68	<refsect1>
	69	<title>Environment variables</title>
	70
	71	<variablelist class='environment-variables'>
	72	<varlistentry>
	73	<term><varname>$SYSTEMD_NSS_RESOLVE_VALIDATE</varname></term>
	74
	75	<listitem><para>Takes a boolean argument. When false, cryptographic validation of resource records
	76	via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be
	77	unreliable.</para></listitem>
	78	</varlistentry>
	79	</variablelist>
8ef114c6 ZJS	80
	81	<variablelist class='environment-variables'>
	82	<varlistentry>
	83	<term><varname>$SYSTEMD_NSS_RESOLVE_SYNTHESIZE</varname></term>
	84
	85	<listitem><para>Takes a boolean argument. When false, synthetic records, e.g. for the local host
	86	name, will not be returned. See section SYNTHETIC RECORDS in
	87	<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	88	for more information. This may be useful to query the "public" resource records, independent of the
	89	configuration of the local machine.</para></listitem>
	90	</varlistentry>
	91	</variablelist>
	92
	93	<variablelist class='environment-variables'>
	94	<varlistentry>
	95	<term><varname>$SYSTEMD_NSS_RESOLVE_CACHE</varname></term>
	96
	97	<listitem><para>Takes a boolean argument. When false, the cache of previously queried records will
8fb35004 ZJS	98	not be used by
	99	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
	100	</para></listitem>
8ef114c6 ZJS	101	</varlistentry>
	102	</variablelist>
	103
	104	<variablelist class='environment-variables'>
	105	<varlistentry>
	106	<term><varname>$SYSTEMD_NSS_RESOLVE_ZONE</varname></term>
	107
	108	<listitem><para>Takes a boolean argument. When false, answers using locally registered public
	109	LLMNR/mDNS resource records will not be returned.</para></listitem>
	110	</varlistentry>
	111	</variablelist>
	112
	113	<variablelist class='environment-variables'>
	114	<varlistentry>
	115	<term><varname>$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR</varname></term>
	116
	117	<listitem><para>Takes a boolean argument. When false, answers using locally configured trust anchors
	118	will not be used.</para></listitem>
	119	</varlistentry>
	120	</variablelist>
	121
	122	<variablelist class='environment-variables'>
	123	<varlistentry>
	124	<term><varname>$SYSTEMD_NSS_RESOLVE_NETWORK</varname></term>
	125
	126	<listitem><para>Takes a boolean argument. When false, answers will be returned without using the
8fb35004 ZJS	127	network, i.e. either from local sources or the cache in
8fb35004 ZJS	128	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
8ef114c6 ZJS	129	</para></listitem>
	130	</varlistentry>
	131	</variablelist>
1c4539af ZJS	132	</refsect1>
1c4539af ZJS	133
0d6868f9 LP	134	<refsect1>
	135	<title>Example</title>
	136
fe003f02 ZJS	137	<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
fe003f02 ZJS	138	<command>nss-resolve</command> correctly:</para>
0d6868f9	139
94f760ec	140	<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
38ccb557	141	<programlisting>passwd: compat systemd
d296c20f	142	group: compat [SUCCESS=merge] systemd
f43a19ec LP	143	shadow: compat systemd
f43a19ec LP	144	gshadow: files systemd
0d6868f9	145
d296c20f	146	hosts: mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
0d6868f9 LP	147	networks: files
	148
	149	protocols: db files
	150	services: db files
	151	ethers: db files
	152	rpc: db files
	153
	154	netgroup: nis</programlisting>
0d6868f9 LP	155	</refsect1>
	156
	157	<refsect1>
	158	<title>See Also</title>
	159	<para>
	160	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	161	<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
409093fe	162	<citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
0d6868f9	163	<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
409093fe	164	<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1c4539af ZJS	165	<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
1c4539af ZJS	166	<citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
0d6868f9 LP	167	</para>
	168	</refsect1>
	169
	170	</refentry>