tree-wide: use "hostname" spelling everywhere

[thirdparty/systemd.git] / man / systemd-resolved.service.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd-resolved.service" conditional='ENABLE_RESOLVE'>

  <refentryinfo>
    <title>systemd-resolved.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-resolved.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-resolved.service</refname>
    <refname>systemd-resolved</refname>
    <refpurpose>Network Name Resolution manager</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-resolved.service</filename></para>
    <para><filename>/usr/lib/systemd/systemd-resolved</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-resolved</command> is a system service that provides network name resolution to
    local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR
    and MulticastDNS resolver and responder. Local applications may submit network name resolution requests
    via three interfaces:</para>

    <itemizedlist>
      <listitem><para>The native, fully-featured API <command>systemd-resolved</command> exposes on the bus,
      see
      <citerefentry><refentrytitle>org.freedesktop.resolve1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      for details. Usage of this API is generally recommended to clients as it is asynchronous and fully
      featured (for example, properly returns DNSSEC validation status and interface scope for addresses as
      necessary for supporting link-local networking).</para></listitem>

      <listitem><para>The glibc
      <citerefentry project='man-pages'><refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum></citerefentry>
      API as defined by <ulink url="https://tools.ietf.org/html/rfc3493">RFC3493</ulink> and its related
      resolver functions, including
      <citerefentry project='man-pages'><refentrytitle>gethostbyname</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
      This API is widely supported, including beyond the Linux platform. In its current form it does not
      expose DNSSEC validation status information however, and is synchronous only. This API is backed by the
      glibc Name Service Switch
      (<citerefentry project='man-pages'><refentrytitle>nss</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
      Usage of the glibc NSS module
      <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry> is
      required in order to allow glibc's NSS resolver functions to resolve hostnames via
      <command>systemd-resolved</command>.</para></listitem>

      <listitem><para>Additionally, <command>systemd-resolved</command> provides a local DNS stub listener on
      IP address 127.0.0.53 on the local loopback interface. Programs issuing DNS requests directly,
      bypassing any local API may be directed to this stub, in order to connect them to
      <command>systemd-resolved</command>. Note however that it is strongly recommended that local programs
      use the glibc NSS or bus APIs instead (as described above), as various network resolution concepts
      (such as link-local addressing, or LLMNR Unicode domains) cannot be mapped to the unicast DNS
      protocol.</para></listitem>
    </itemizedlist>

    <para>The DNS servers contacted are determined from the global settings in
    <filename>/etc/systemd/resolved.conf</filename>, the per-link static settings in
    <filename>/etc/systemd/network/*.network</filename> files (in case
    <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    is used), the per-link dynamic settings received over DHCP, user request made via
    <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and any
    DNS server information made available by other system services. See
    <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
    details about systemd's own configuration files for DNS servers. To improve compatibility,
    <filename>/etc/resolv.conf</filename> is read in order to discover configured system DNS servers, but
    only if it is not a symlink to <filename>/run/systemd/resolve/stub-resolv.conf</filename>,
    <filename>/usr/lib/systemd/resolv.conf</filename> or
    <filename>/run/systemd/resolve/resolv.conf</filename> (see below).</para>

  </refsect1>

  <refsect1>
    <title>Synthetic Records</title>

    <para><command>systemd-resolved</command> synthesizes DNS resource records (RRs) for the following
    cases:</para>

    <itemizedlist>
      <listitem><para>The local, configured hostname is resolved to all locally configured IP addresses
      ordered by their scope, or — if none are configured — the IPv4 address 127.0.0.2 (which is on the local
      loopback) and the IPv6 address ::1 (which is the local host).</para></listitem>

      <listitem><para>The hostnames <literal>localhost</literal> and <literal>localhost.localdomain</literal>
      (as well as any hostname ending in <literal>.localhost</literal> or
      <literal>.localhost.localdomain</literal>) are resolved to the IP addresses 127.0.0.1 and ::1.
      </para></listitem>

      <listitem><para>The hostname <literal>_gateway</literal> is resolved to all current default routing
      gateway addresses, ordered by their metric. This assigns a stable hostname to the current gateway,
      useful for referencing it independently of the current network configuration state.</para></listitem>

      <listitem><para>The mappings defined in <filename>/etc/hosts</filename> are resolved to their
      configured addresses and back, but they will not affect lookups for non-address types (like MX).
      </para></listitem>
    </itemizedlist>
  </refsect1>

  <refsect1>
    <title>Protocols and Routing</title>

    <para>Lookup requests are routed to the available DNS servers, LLMNR and MulticastDNS interfaces
    according to the following rules:</para>

    <itemizedlist>
      <listitem><para>Lookups for the special hostname <literal>localhost</literal> are never routed to the
      network. (A few other, special domains are handled the same way.)</para></listitem>

      <listitem><para>Single-label names are routed to all local interfaces capable of IP multicasting, using
      the LLMNR protocol. Lookups for IPv4 addresses are only sent via LLMNR on IPv4, and lookups for IPv6
      addresses are only sent via LLMNR on IPv6. Lookups for the locally configured hostname and the
      <literal>_gateway</literal> hostname are never routed to LLMNR.</para></listitem>

      <listitem><para>Multi-label names with the domain suffix <literal>.local</literal> are routed to all
      local interfaces capable of IP multicasting, using the MulticastDNS protocol. As with LLMNR IPv4
      address lookups are sent via IPv4 and IPv6 address lookups are sent via IPv6.</para></listitem>

      <listitem><para>Other multi-label names are routed to all local interfaces that have a DNS server
      configured, plus the globally configured DNS server if there is one. Address lookups from the
      link-local address range are never routed to DNS. Note that by default lookups for domains with the
      <literal>.local</literal> suffix are not routed to DNS servers, unless the domain is specified
      explicitly as routing or search domain for the DNS server and interface. This means that on networks
      where the <literal>.local</literal> domain is defined in a site-specific DNS server, explicit search or
      routing domains need to be configured to make lookups within this DNS domain work. Note that today it's
      generally recommended to avoid defining <literal>.local</literal> in a DNS server, as <ulink
      url="https://tools.ietf.org/html/rfc6762">RFC6762</ulink> reserves this domain for exclusive
      MulticastDNS use.</para></listitem>
    </itemizedlist>

    <para>If lookups are routed to multiple interfaces, the first successful response is returned (thus
    effectively merging the lookup zones on all matching interfaces). If the lookup failed on all interfaces,
    the last failing response is returned.</para>

    <para>Routing of lookups may be influenced by configuring per-interface domain names and other
    settings. See
    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
    <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
    details. The following query routing logic applies for unicast DNS traffic:</para>

    <itemizedlist>
      <listitem><para>If a name to look up matches (that is: is equal to or has as suffix) any of the
      configured search or route-only domains of any link (or the globally configured DNS settings), the
      "best matching" search/route-only domain is determined: the matching one with the most labels. The
      query is then sent to all DNS servers of any links or the globally configured DNS servers associated
      with this "best matching" search/route-only domain. (Note that more than one link might have this same
      "best matching" search/route-only domain configured, in which case the query is sent to all of them in
      parallel).</para></listitem>

      <listitem><para>If a query does not match any configured search/route-only domain (neither per-link nor
      global), it is sent to all DNS servers that are configured on links with the "DNS default route" option
      set, as well as the globally configured DNS server.</para></listitem>

      <listitem><para>If there is no link configured as "DNS default route" and no global DNS server
      configured, the compiled-in fallback DNS server is used.</para></listitem>

      <listitem><para>Otherwise the query is failed as no suitable DNS servers could be determined.
      </para></listitem>
    </itemizedlist>

    <para>The "DNS default route" option is a boolean setting configurable with <command>resolvectl</command>
    or in <filename>.network</filename> files. If not set, it is implicitly determined based on the
    configured DNS domains for a link: if there's any route-only domain (not matching <literal>~.</literal>)
    it defaults to false, otherwise to true.</para>

    <para>Effectively this means: in order to preferably route all DNS queries not explicitly matched by
    search/route-only domain configuration to a specific link, configure a <literal>~.</literal> route-only
    domain on it. This will ensure that other links will not be considered for the queries (unless they too
    carry such a route-only domain). In order to route all such DNS queries to a specific link only in case
    no other link is preferable, then set the "DNS default route" option for the link to true, and do not
    configure a <literal>~.</literal> route-only domain on it. Finally, in order to ensure that a specific
    link never receives any DNS traffic not matching any of its configured search/route-only domains, set the
    "DNS default route" option for it to false.</para>

    <para>See the <ulink url="https://www.freedesktop.org/wiki/Software/systemd/resolved">resolved D-Bus API
    Documentation</ulink> for information about the APIs <filename>systemd-resolved</filename> provides.
    </para>
  </refsect1>

  <refsect1>
    <title><filename>/etc/resolv.conf</filename></title>

    <para>Four modes of handling <filename>/etc/resolv.conf</filename> (see
    <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) are
    supported:</para>

    <itemizedlist>
      <listitem><para><command>systemd-resolved</command> maintains the
      <filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional
      Linux programs. This file may be symlinked from <filename>/etc/resolv.conf</filename>. This file lists
      the 127.0.0.53 DNS stub (see above) as the only DNS server. It also contains a list of search domains
      that are in use by systemd-resolved. The list of search domains is always kept up-to-date. Note that
      <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not be used directly by applications,
      but only through a symlink from <filename>/etc/resolv.conf</filename>. This file may be symlinked from
      <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
      to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is
      recommended.</para></listitem>

      <listitem><para>A static file <filename>/usr/lib/systemd/resolv.conf</filename> is provided that lists
      the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from
      <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
      to <command>systemd-resolved</command>. This file does not contain any search domains.
      </para></listitem>

      <listitem><para><command>systemd-resolved</command> maintains the
      <filename>/run/systemd/resolve/resolv.conf</filename> file for compatibility with traditional Linux
      programs. This file may be symlinked from <filename>/etc/resolv.conf</filename> and is always kept
      up-to-date, containing information about all known DNS servers. Note the file format's limitations: it
      does not know a concept of per-interface DNS servers and hence only contains system-wide DNS server
      definitions. Note that <filename>/run/systemd/resolve/resolv.conf</filename> should not be used
      directly by applications, but only through a symlink from <filename>/etc/resolv.conf</filename>. If
      this mode of operation is used local clients that bypass any local DNS API will also bypass
      <command>systemd-resolved</command> and will talk directly to the known DNS servers.</para></listitem>

      <listitem><para>Alternatively, <filename>/etc/resolv.conf</filename> may be managed by other packages,
      in which case <command>systemd-resolved</command> will read it for DNS configuration data. In this mode
      of operation <command>systemd-resolved</command> is consumer rather than provider of this configuration
      file. </para></listitem>
    </itemizedlist>

    <para>Note that the selected mode of operation for this file is detected fully automatically, depending
    on whether <filename>/etc/resolv.conf</filename> is a symlink to
    <filename>/run/systemd/resolve/resolv.conf</filename> or lists 127.0.0.53 as DNS server.</para>
  </refsect1>

  <refsect1>
    <title>Signals</title>

    <variablelist>
      <varlistentry>
        <term><constant>SIGUSR1</constant></term>

        <listitem><para>Upon reception of the <constant>SIGUSR1</constant> process signal
        <command>systemd-resolved</command> will dump the contents of all DNS resource record caches it
        maintains, as well as all feature level information it learnt about configured DNS servers into the
        system logs.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>SIGUSR2</constant></term>

        <listitem><para>Upon reception of the <constant>SIGUSR2</constant> process signal
        <command>systemd-resolved</command> will flush all caches it maintains. Note that it should normally
        not be necessary to request this explicitly – except for debugging purposes – as
        <command>systemd-resolved</command> flushes the caches automatically anyway any time the host's
        network configuration changes. Sending this signal to <command>systemd-resolved</command> is
        equivalent to the <command>resolvectl flush-caches</command> command, however the latter is
        recommended since it operates in a synchronous way.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>SIGRTMIN+1</constant></term>

        <listitem><para>Upon reception of the <constant>SIGRTMIN+1</constant> process signal
        <command>systemd-resolved</command> will forget everything it learnt about the configured DNS
        servers. Specifically any information about server feature support is flushed out, and the server
        feature probing logic is restarted on the next request, starting with the most fully featured
        level. Note that it should normally not be necessary to request this explicitly – except for
        debugging purposes – as <command>systemd-resolved</command> automatically forgets learnt information
        any time the DNS server configuration changes. Sending this signal to
        <command>systemd-resolved</command> is equivalent to the <command>resolvectl
        reset-server-features</command> command, however the latter is recommended since it operates in a
        synchronous way.</para></listitem>
      </varlistentry>
    </variablelist>

  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>