Tuesday, 31 May 2016

ANN: DNS resolver changes in yakkety

Hello all,

yesterday I landed [1] in Yakkety which changes how DNS resolution
works -- i. e. how names like "www.ubuntu.com" get translated to an IP
address like

Until now, we used two different approaches for this:

* On desktops and touch, NetworkManager launched "dnsmasq" configured
as effectively a local DNS server which forwards requests to the
"real" DNS servers that get picked up usually via DHCP. Thus
/etc/resolv.conf said "nameserver" (pointing at the local dnsmasq)
and it was rather non-obvious how to find out the real DNS servers.
(This was one of the complaints/triggers that led to creating this blueprint). But
dnsmasq does proper rotation and fallback between multiple
nameservers, i. e. if one does not respond it uses the next one
without long timeouts.

* On servers, cloud images etc. we did not have any local DNS server.
Configured DNS servers (via DHCP or static configuration in
/etc/network/interfaces) were put into /etc/resolv.conf, and
every program (via glibc's builtin resolver) directly contacted

This had the major drawback that if the first DNS server does not
respond (or is slow), then *every* DNS lookup suffers from a ~ 10s
timeout, which makes every network operation awfully slow.
Addressing this was the main motivation for the blueprint. On top
of that, there was no local caching, thus requesting the same name
again would do another lookup.

As of today, we now have one local resolver service for all Ubuntu
products; we picked "resolved" as that is small and lightweight,
already present (part of the systemd package), does not require D-Bus
(unlike dnsmasq), supports DNSSEC, provides transparent fallback to
contacting the real DNS servers directly (in case anything goes wrong
with the local resolver), and avoids the first issue above that
/etc/resolv.conf always shows

Now DNS resolution goes via a new "libnss-resolve" NSS module which
talks to resolved [2]. /etc/resolv.conf has the "real" nameservers,
broken name servers are handled efficiently, and we have local DNS
caching. NetworkManager now stops launching a dnsmasq instance.
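As an added illustration (example code written for this edit, not part of the announcement, of systemd or of Ubuntu), the following Python script parses the two files that decide the resolution path described above: the "hosts:" line of /etc/nsswitch.conf and /etc/resolv.conf. It reports whether the "resolve" NSS module answers before "dns" (so glibc's own DNS code is only the fallback), whether every listed nameserver is a loopback address (the old dnsmasq layout in which the real servers are not visible; that the local forwarder listens on loopback is my assumption, the announcement only says "local"), and the stall glibc's direct resolver would suffer per unresponsive server with its defaults of timeout:5 and attempts:2, which is the ~10s figure given above. The file contents are constructed samples, and the 192.0.2.x addresses are documentation-range placeholders.

```python
import re
import ipaddress

# glibc resolver defaults per resolv.conf(5): 5 s per query, 2 attempts.
GLIBC_DEFAULT_TIMEOUT = 5
GLIBC_DEFAULT_ATTEMPTS = 2

# Constructed samples (not copied from any real system).
NSSWITCH_RESOLVED = """# hypothetical /etc/nsswitch.conf excerpt, resolved layout
passwd: compat
hosts: files mdns4_minimal [NOTFOUND=return] resolve dns myhostname
"""
NSSWITCH_CLASSIC = "hosts: files dns\n"  # server/cloud layout, glibc talks to DNS directly
RESOLV_REAL = """# hypothetical /etc/resolv.conf holding the DHCP-supplied servers
nameserver 192.0.2.53
nameserver 192.0.2.54
options timeout:2 attempts:3
"""
RESOLV_LOCAL = "nameserver 127.0.0.1\n"  # a local forwarder on loopback (assumed layout)


def parse_hosts_modules(nsswitch_text):
    """Return the ordered NSS modules on the 'hosts:' line, [action] clauses dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            body = re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):])
            return body.split()
    return []


def parse_resolv_conf(resolv_text):
    """Return (nameservers, options) from resolv.conf text.

    Numeric options such as timeout:2 become ints; flag options such as
    'rotate' become True."""
    servers, options = [], {}
    for raw in resolv_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                options[key] = int(val) if val.isdigit() else True
    return servers, options


def _is_loopback(addr):
    # Strip a possible IPv6 scope id ("fe80::1%eth0") before parsing.
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def classify_resolution(nsswitch_text, resolv_text):
    """Describe which resolver answers first and what the fallback looks like."""
    modules = parse_hosts_modules(nsswitch_text)
    servers, options = parse_resolv_conf(resolv_text)
    has_resolve, has_dns = "resolve" in modules, "dns" in modules
    # The resolve module answers first only if it precedes dns on the line;
    # with dns after it, glibc's own resolver is the transparent fallback.
    via_resolved = has_resolve and (
        not has_dns or modules.index("resolve") < modules.index("dns"))
    timeout = options.get("timeout", GLIBC_DEFAULT_TIMEOUT)
    attempts = options.get("attempts", GLIBC_DEFAULT_ATTEMPTS)
    return {
        "modules": modules,
        "first_resolver": "resolved" if via_resolved else "glibc-dns",
        "fallback_to_dns": via_resolved and has_dns,
        "nameservers": servers,
        # All-loopback nameservers: a local forwarder hides the real servers.
        "hides_real_servers": bool(servers) and all(_is_loopback(s) for s in servers),
        # Seconds glibc waits on one unresponsive server before giving up on it.
        "stall_per_dead_server_s": timeout * attempts,
    }


if __name__ == "__main__":
    print("new layout:", classify_resolution(NSSWITCH_RESOLVED, RESOLV_REAL))
    print("old desktop layout:", classify_resolution(NSSWITCH_CLASSIC, RESOLV_LOCAL))
```

To inspect a real host, pass the contents of the two files, e.g. classify_resolution(open("/etc/nsswitch.conf").read(), open("/etc/resolv.conf").read()); a result with first_resolver "glibc-dns" and a high stall value is the server-style setup whose slow-timeout problem the blueprint addresses.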

I've had this running on my laptop for about three weeks now without
noticing problems, but there may well be some corner cases where this
causes problems. If you encounter a regression that causes DNS names
to not get resolved correctly, please do "ubuntu-bug libnss-resolve"
with the details.
[1] https://blueprints.launchpad.net/ubuntu/+spec/foundations-y-local-resolver
[2] This is configured in /etc/nsswitch.conf ("hosts: files ... resolve dns")
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)