]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
0307f791 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
091a364c | 5 | |
1ec57f33 | 6 | <refentry id="systemd-resolved.service" conditional='ENABLE_RESOLVE'> |
091a364c | 7 | |
798d3a52 ZJS |
8 | <refentryinfo> |
9 | <title>systemd-resolved.service</title> | |
10 | <productname>systemd</productname> | |
798d3a52 ZJS |
11 | </refentryinfo> |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>systemd-resolved.service</refentrytitle> | |
15 | <manvolnum>8</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>systemd-resolved.service</refname> | |
20 | <refname>systemd-resolved</refname> | |
21 | <refpurpose>Network Name Resolution manager</refpurpose> | |
22 | </refnamediv> | |
23 | ||
24 | <refsynopsisdiv> | |
25 | <para><filename>systemd-resolved.service</filename></para> | |
12b42c76 | 26 | <para><filename>/usr/lib/systemd/systemd-resolved</filename></para> |
798d3a52 ZJS |
27 | </refsynopsisdiv> |
28 | ||
29 | <refsect1> | |
30 | <title>Description</title> | |
31 | ||
b0fb800c ZJS |
32 | <para><command>systemd-resolved</command> is a system service that provides network name resolution to |
33 | local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR | |
34 | and MulticastDNS resolver and responder. Local applications may submit network name resolution requests | |
35 | via three interfaces:</para> | |
b541146b LP |
36 | |
37 | <itemizedlist> | |
ffd10e5a ZJS |
38 | <listitem><para>The native, fully-featured API <command>systemd-resolved</command> exposes on the bus, |
39 | see | |
40 | <citerefentry><refentrytitle>org.freedesktop.resolve1</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
41 | for details. Usage of this API is generally recommended to clients as it is asynchronous and fully | |
42 | featured (for example, properly returns DNSSEC validation status and interface scope for addresses as | |
43 | necessary for supporting link-local networking).</para></listitem> | |
b541146b LP |
44 | |
45 | <listitem><para>The glibc | |
b0fb800c ZJS |
46 | <citerefentry project='man-pages'><refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
47 | API as defined by <ulink url="https://tools.ietf.org/html/rfc3493">RFC3493</ulink> and its related | |
48 | resolver functions, including | |
49 | <citerefentry project='man-pages'><refentrytitle>gethostbyname</refentrytitle><manvolnum>3</manvolnum></citerefentry>. | |
50 | This API is widely supported, including beyond the Linux platform. In its current form it does not | |
51 | expose DNSSEC validation status information however, and is synchronous only. This API is backed by the | |
52 | glibc Name Service Switch | |
53 | (<citerefentry project='man-pages'><refentrytitle>nss</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
54 | Usage of the glibc NSS module | |
55 | <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry> is | |
38b38500 | 56 | required in order to allow glibc's NSS resolver functions to resolve hostnames via |
b541146b LP |
57 | <command>systemd-resolved</command>.</para></listitem> |
58 | ||
b0fb800c ZJS |
59 | <listitem><para>Additionally, <command>systemd-resolved</command> provides a local DNS stub listener on |
60 | IP address 127.0.0.53 on the local loopback interface. Programs issuing DNS requests directly, | |
61 | bypassing any local API may be directed to this stub, in order to connect them to | |
62 | <command>systemd-resolved</command>. Note however that it is strongly recommended that local programs | |
63 | use the glibc NSS or bus APIs instead (as described above), as various network resolution concepts | |
64 | (such as link-local addressing, or LLMNR Unicode domains) cannot be mapped to the unicast DNS | |
65 | protocol.</para></listitem> | |
b541146b | 66 | </itemizedlist> |
798d3a52 | 67 | |
b541146b LP |
68 | <para>The DNS servers contacted are determined from the global settings in |
69 | <filename>/etc/systemd/resolved.conf</filename>, the per-link static settings in | |
6cdf635d | 70 | <filename>/etc/systemd/network/*.network</filename> files (in case |
b0fb800c ZJS |
71 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
72 | is used), the per-link dynamic settings received over DHCP, user request made via | |
73 | <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and any | |
74 | DNS server information made available by other system services. See | |
b541146b | 75 | <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and |
b0fb800c ZJS |
76 | <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> for |
77 | details about systemd's own configuration files for DNS servers. To improve compatibility, | |
78 | <filename>/etc/resolv.conf</filename> is read in order to discover configured system DNS servers, but | |
79 | only if it is not a symlink to <filename>/run/systemd/resolve/stub-resolv.conf</filename>, | |
80 | <filename>/usr/lib/systemd/resolv.conf</filename> or | |
81 | <filename>/run/systemd/resolve/resolv.conf</filename> (see below).</para> | |
396c716c LP |
82 | |
83 | </refsect1> | |
84 | ||
85 | <refsect1> | |
86 | <title>Synthetic Records</title> | |
b541146b | 87 | |
b0fb800c ZJS |
88 | <para><command>systemd-resolved</command> synthesizes DNS resource records (RRs) for the following |
89 | cases:</para> | |
2dc6b11d LP |
90 | |
91 | <itemizedlist> | |
b0fb800c ZJS |
92 | <listitem><para>The local, configured hostname is resolved to all locally configured IP addresses |
93 | ordered by their scope, or — if none are configured — the IPv4 address 127.0.0.2 (which is on the local | |
94 | loopback) and the IPv6 address ::1 (which is the local host).</para></listitem> | |
95 | ||
96 | <listitem><para>The hostnames <literal>localhost</literal> and <literal>localhost.localdomain</literal> | |
97 | (as well as any hostname ending in <literal>.localhost</literal> or | |
98 | <literal>.localhost.localdomain</literal>) are resolved to the IP addresses 127.0.0.1 and ::1. | |
99 | </para></listitem> | |
100 | ||
101 | <listitem><para>The hostname <literal>_gateway</literal> is resolved to all current default routing | |
102 | gateway addresses, ordered by their metric. This assigns a stable hostname to the current gateway, | |
103 | useful for referencing it independently of the current network configuration state.</para></listitem> | |
104 | ||
105 | <listitem><para>The mappings defined in <filename>/etc/hosts</filename> are resolved to their | |
106 | configured addresses and back, but they will not affect lookups for non-address types (like MX). | |
107 | </para></listitem> | |
2dc6b11d | 108 | </itemizedlist> |
396c716c LP |
109 | </refsect1> |
110 | ||
111 | <refsect1> | |
112 | <title>Protocols and Routing</title> | |
2dc6b11d | 113 | |
b0fb800c ZJS |
114 | <para>Lookup requests are routed to the available DNS servers, LLMNR and MulticastDNS interfaces |
115 | according to the following rules:</para> | |
2dc6b11d LP |
116 | |
117 | <itemizedlist> | |
b0fb800c ZJS |
118 | <listitem><para>Lookups for the special hostname <literal>localhost</literal> are never routed to the |
119 | network. (A few other, special domains are handled the same way.)</para></listitem> | |
120 | ||
121 | <listitem><para>Single-label names are routed to all local interfaces capable of IP multicasting, using | |
122 | the LLMNR protocol. Lookups for IPv4 addresses are only sent via LLMNR on IPv4, and lookups for IPv6 | |
38b38500 ZJS |
123 | addresses are only sent via LLMNR on IPv6. Lookups for the locally configured hostname and the |
124 | <literal>_gateway</literal> hostname are never routed to LLMNR.</para></listitem> | |
b0fb800c ZJS |
125 | |
126 | <listitem><para>Multi-label names with the domain suffix <literal>.local</literal> are routed to all | |
127 | local interfaces capable of IP multicasting, using the MulticastDNS protocol. As with LLMNR IPv4 | |
128 | address lookups are sent via IPv4 and IPv6 address lookups are sent via IPv6.</para></listitem> | |
129 | ||
130 | <listitem><para>Other multi-label names are routed to all local interfaces that have a DNS server | |
131 | configured, plus the globally configured DNS server if there is one. Address lookups from the | |
132 | link-local address range are never routed to DNS. Note that by default lookups for domains with the | |
133 | <literal>.local</literal> suffix are not routed to DNS servers, unless the domain is specified | |
134 | explicitly as routing or search domain for the DNS server and interface. This means that on networks | |
135 | where the <literal>.local</literal> domain is defined in a site-specific DNS server, explicit search or | |
136 | routing domains need to be configured to make lookups within this DNS domain work. Note that today it's | |
137 | generally recommended to avoid defining <literal>.local</literal> in a DNS server, as <ulink | |
138 | url="https://tools.ietf.org/html/rfc6762">RFC6762</ulink> reserves this domain for exclusive | |
6cdf635d | 139 | MulticastDNS use.</para></listitem> |
2dc6b11d LP |
140 | </itemizedlist> |
141 | ||
b0fb800c ZJS |
142 | <para>If lookups are routed to multiple interfaces, the first successful response is returned (thus |
143 | effectively merging the lookup zones on all matching interfaces). If the lookup failed on all interfaces, | |
144 | the last failing response is returned.</para> | |
2dc6b11d | 145 | |
b0fb800c ZJS |
146 | <para>Routing of lookups may be influenced by configuring per-interface domain names and other |
147 | settings. See | |
2e88625f | 148 | <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> and |
b0fb800c ZJS |
149 | <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> for |
150 | details. The following query routing logic applies for unicast DNS traffic:</para> | |
2e88625f LP |
151 | |
152 | <itemizedlist> | |
b0fb800c ZJS |
153 | <listitem><para>If a name to look up matches (that is: is equal to or has as suffix) any of the |
154 | configured search or route-only domains of any link (or the globally configured DNS settings), the | |
155 | "best matching" search/route-only domain is determined: the matching one with the most labels. The | |
156 | query is then sent to all DNS servers of any links or the globally configured DNS servers associated | |
157 | with this "best matching" search/route-only domain. (Note that more than one link might have this same | |
158 | "best matching" search/route-only domain configured, in which case the query is sent to all of them in | |
159 | parallel).</para></listitem> | |
160 | ||
161 | <listitem><para>If a query does not match any configured search/route-only domain (neither per-link nor | |
162 | global), it is sent to all DNS servers that are configured on links with the "DNS default route" option | |
163 | set, as well as the globally configured DNS server.</para></listitem> | |
164 | ||
165 | <listitem><para>If there is no link configured as "DNS default route" and no global DNS server | |
166 | configured, the compiled-in fallback DNS server is used.</para></listitem> | |
167 | ||
168 | <listitem><para>Otherwise the query is failed as no suitable DNS servers could be determined. | |
169 | </para></listitem> | |
2e88625f LP |
170 | </itemizedlist> |
171 | ||
b0fb800c ZJS |
172 | <para>The "DNS default route" option is a boolean setting configurable with <command>resolvectl</command> |
173 | or in <filename>.network</filename> files. If not set, it is implicitly determined based on the | |
174 | configured DNS domains for a link: if there's any route-only domain (not matching <literal>~.</literal>) | |
175 | it defaults to false, otherwise to true.</para> | |
2e88625f LP |
176 | |
177 | <para>Effectively this means: in order to preferably route all DNS queries not explicitly matched by | |
b0fb800c ZJS |
178 | search/route-only domain configuration to a specific link, configure a <literal>~.</literal> route-only |
179 | domain on it. This will ensure that other links will not be considered for the queries (unless they too | |
180 | carry such a route-only domain). In order to route all such DNS queries to a specific link only in case | |
181 | no other link is preferable, then set the "DNS default route" option for the link to true, and do not | |
182 | configure a <literal>~.</literal> route-only domain on it. Finally, in order to ensure that a specific | |
183 | link never receives any DNS traffic not matching any of its configured search/route-only domains, set the | |
184 | "DNS default route" option for it to false.</para> | |
185 | ||
186 | <para>See the <ulink url="https://www.freedesktop.org/wiki/Software/systemd/resolved">resolved D-Bus API | |
187 | Documentation</ulink> for information about the APIs <filename>systemd-resolved</filename> provides. | |
188 | </para> | |
798d3a52 ZJS |
189 | </refsect1> |
190 | ||
b541146b LP |
191 | <refsect1> |
192 | <title><filename>/etc/resolv.conf</filename></title> | |
193 | ||
e6b2d948 | 194 | <para>Four modes of handling <filename>/etc/resolv.conf</filename> (see |
0a07667d | 195 | <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) are |
b541146b LP |
196 | supported:</para> |
197 | ||
198 | <itemizedlist> | |
e6b2d948 | 199 | <listitem><para><command>systemd-resolved</command> maintains the |
b0fb800c ZJS |
200 | <filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional |
201 | Linux programs. This file may be symlinked from <filename>/etc/resolv.conf</filename>. This file lists | |
202 | the 127.0.0.53 DNS stub (see above) as the only DNS server. It also contains a list of search domains | |
203 | that are in use by systemd-resolved. The list of search domains is always kept up-to-date. Note that | |
204 | <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not be used directly by applications, | |
205 | but only through a symlink from <filename>/etc/resolv.conf</filename>. This file may be symlinked from | |
206 | <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs | |
207 | to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is | |
e6b2d948 DJL |
208 | recommended.</para></listitem> |
209 | ||
b541146b LP |
210 | <listitem><para>A static file <filename>/usr/lib/systemd/resolv.conf</filename> is provided that lists |
211 | the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from | |
b0fb800c ZJS |
212 | <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs |
213 | to <command>systemd-resolved</command>. This file does not contain any search domains. | |
214 | </para></listitem> | |
b541146b LP |
215 | |
216 | <listitem><para><command>systemd-resolved</command> maintains the | |
217 | <filename>/run/systemd/resolve/resolv.conf</filename> file for compatibility with traditional Linux | |
b0fb800c ZJS |
218 | programs. This file may be symlinked from <filename>/etc/resolv.conf</filename> and is always kept |
219 | up-to-date, containing information about all known DNS servers. Note the file format's limitations: it | |
220 | does not know a concept of per-interface DNS servers and hence only contains system-wide DNS server | |
221 | definitions. Note that <filename>/run/systemd/resolve/resolv.conf</filename> should not be used | |
222 | directly by applications, but only through a symlink from <filename>/etc/resolv.conf</filename>. If | |
223 | this mode of operation is used local clients that bypass any local DNS API will also bypass | |
224 | <command>systemd-resolved</command> and will talk directly to the known DNS servers.</para></listitem> | |
225 | ||
226 | <listitem><para>Alternatively, <filename>/etc/resolv.conf</filename> may be managed by other packages, | |
227 | in which case <command>systemd-resolved</command> will read it for DNS configuration data. In this mode | |
228 | of operation <command>systemd-resolved</command> is consumer rather than provider of this configuration | |
b541146b LP |
229 | file. </para></listitem> |
230 | </itemizedlist> | |
231 | ||
b0fb800c ZJS |
232 | <para>Note that the selected mode of operation for this file is detected fully automatically, depending |
233 | on whether <filename>/etc/resolv.conf</filename> is a symlink to | |
234 | <filename>/run/systemd/resolve/resolv.conf</filename> or lists 127.0.0.53 as DNS server.</para> | |
b541146b LP |
235 | </refsect1> |
236 | ||
2c7284a9 LP |
237 | <refsect1> |
238 | <title>Signals</title> | |
239 | ||
240 | <variablelist> | |
241 | <varlistentry> | |
242 | <term><constant>SIGUSR1</constant></term> | |
243 | ||
d55b0463 | 244 | <listitem><para>Upon reception of the <constant>SIGUSR1</constant> process signal |
b0fb800c ZJS |
245 | <command>systemd-resolved</command> will dump the contents of all DNS resource record caches it |
246 | maintains, as well as all feature level information it learnt about configured DNS servers into the | |
247 | system logs.</para></listitem> | |
2c7284a9 LP |
248 | </varlistentry> |
249 | ||
250 | <varlistentry> | |
251 | <term><constant>SIGUSR2</constant></term> | |
252 | ||
d55b0463 | 253 | <listitem><para>Upon reception of the <constant>SIGUSR2</constant> process signal |
b0fb800c ZJS |
254 | <command>systemd-resolved</command> will flush all caches it maintains. Note that it should normally |
255 | not be necessary to request this explicitly – except for debugging purposes – as | |
256 | <command>systemd-resolved</command> flushes the caches automatically anyway any time the host's | |
257 | network configuration changes. Sending this signal to <command>systemd-resolved</command> is | |
258 | equivalent to the <command>resolvectl flush-caches</command> command, however the latter is | |
259 | recommended since it operates in a synchronous way.</para></listitem> | |
d55b0463 LP |
260 | </varlistentry> |
261 | ||
262 | <varlistentry> | |
263 | <term><constant>SIGRTMIN+1</constant></term> | |
264 | ||
265 | <listitem><para>Upon reception of the <constant>SIGRTMIN+1</constant> process signal | |
266 | <command>systemd-resolved</command> will forget everything it learnt about the configured DNS | |
b0fb800c ZJS |
267 | servers. Specifically any information about server feature support is flushed out, and the server |
268 | feature probing logic is restarted on the next request, starting with the most fully featured | |
269 | level. Note that it should normally not be necessary to request this explicitly – except for | |
270 | debugging purposes – as <command>systemd-resolved</command> automatically forgets learnt information | |
271 | any time the DNS server configuration changes. Sending this signal to | |
272 | <command>systemd-resolved</command> is equivalent to the <command>resolvectl | |
273 | reset-server-features</command> command, however the latter is recommended since it operates in a | |
274 | synchronous way.</para></listitem> | |
2c7284a9 LP |
275 | </varlistentry> |
276 | </variablelist> | |
d55b0463 | 277 | |
2c7284a9 LP |
278 | </refsect1> |
279 | ||
798d3a52 ZJS |
280 | <refsect1> |
281 | <title>See Also</title> | |
282 | <para> | |
283 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
284 | <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
b5a8703f | 285 | <citerefentry><refentrytitle>dnssec-trust-anchors.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
437293cf | 286 | <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
b69f810c | 287 | <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
1c18f60a | 288 | <citerefentry project='man-pages'><refentrytitle>resolv.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
394bac4f | 289 | <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
798d3a52 ZJS |
290 | <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
291 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
292 | </para> | |
293 | </refsect1> | |
091a364c TG |
294 | |
295 | </refentry> |