Tuesday 31 May 2016

Re: ANN: DNS resolver changes in yakkety

Hi,

On my phone and travelling so can't trivially find out the answer to the following question right now.

Is libnss-resolve automatically seeded via a Depends or does it require manual seeding?

Regards, Martin.

On 31 May 2016 11:36, "Martin Pitt" <martin.pitt@ubuntu.com> wrote:
Hello all,

Yesterday I landed [1] in Yakkety which changes how DNS resolution
works -- i.e. how names like "www.ubuntu.com" get translated to an IP
address like 1.2.3.4.

Until now, we used two different approaches for this:

 * On desktops and touch, NetworkManager launched "dnsmasq" configured
   as effectively a local DNS server which forwards requests to the
   "real" DNS servers that get picked up usually via DHCP. Thus
   /etc/resolv.conf said "nameserver 127.0.0.1" and it was rather
   non-obvious to show the real DNS servers. (This was one of the
   complaints/triggers that led to creating this blueprint).  But
   dnsmasq does proper rotation and fallback between multiple
   nameservers, i.e. if one does not respond it uses the next one
   without long timeouts.

 * On servers, cloud images etc. we did not have any local DNS server.
   Configured DNS servers (via DHCP or static configuration in
   /etc/network/interfaces) were put into /etc/resolv.conf, and
   every program (via glibc's builtin resolver) directly contacted
   those.

   This had the major drawback that if the first DNS server does not
   respond (or is slow), then *every* DNS lookup suffers from a ~ 10s
   timeout, which makes every network operation awfully slow.
   Addressing this was the main motivation for the blueprint. On top
   of that, there was no local caching, thus requesting the same name
   again would do another lookup.

As of today, we now have one local resolver service for all Ubuntu
products; we picked "resolved" as that is small and lightweight,
already present (part of the systemd package), does not require D-Bus
(unlike dnsmasq), supports DNSSEC, provides transparent fallback to
contacting the real DNS servers directly (in case anything goes wrong
with the local resolver), and avoids the first issue above that
/etc/resolv.conf always shows 127.0.0.1.

Now DNS resolution goes via a new "libnss-resolve" NSS module which
talks to resolved [2]. /etc/resolv.conf has the "real" nameservers,
broken name servers are handled efficiently, and we have local DNS
caching. NetworkManager now stops launching a dnsmasq instance.

I've had this running on my laptop for about three weeks now without
noticing problems, but there may well be some corner cases where this
causes problems. If you encounter a regression that causes DNS names
to not get resolved correctly, please do "ubuntu-bug libnss-resolve"
with the details.

Thanks,

Martin

[1] https://blueprints.launchpad.net/ubuntu/+spec/foundations-y-local-resolver
[2] This is configured in /etc/nsswitch.conf ("hosts: files ... resolve dns")
--
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
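
The announcement above describes three resolver setups that can be told apart from /etc/nsswitch.conf and /etc/resolv.conf alone. The script below is an added example, not part of the original thread or of any Ubuntu package, that classifies a host accordingly when checking a fleet after the change. The function names, the three labels and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which DNS resolution path a host is configured for.

# Modules on the "hosts:" line of an nsswitch.conf-style file, one per
# line, with comments and [STATUS=action] items dropped.
hosts_modules() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1 |
        sed 's/#.*//' | tr -s ' \t' '\n\n' | grep -v -e '^\[' -e '^$' || true
}

# Addresses on "nameserver" lines of a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# classify NSSWITCH RESOLV prints one label (label names are this example's):
#   nss-resolve      "resolve" is consulted before "dns" (new setup)
#   local-forwarder  only loopback nameservers (old dnsmasq desktop setup)
#   direct-glibc     glibc contacts the listed servers itself (old server setup)
classify() {
    mods=$(hosts_modules "$1")
    r=$(printf '%s\n' "$mods" | awk '$0 == "resolve" { print NR; exit }')
    d=$(printf '%s\n' "$mods" | awk '$0 == "dns" { print NR; exit }')
    if [ -n "$r" ] && { [ -z "$d" ] || [ "$r" -lt "$d" ]; }; then
        echo nss-resolve
        return 0
    fi
    ns=$(nameservers "$2")
    if [ -n "$ns" ] && ! printf '%s\n' "$ns" | grep -q -v -e '^127\.' -e '^::1$'; then
        echo local-forwarder
    else
        echo direct-glibc
    fi
}

# Constructed sample files, not taken from a real host.
tmp=$(mktemp -d)
printf 'hosts: files mdns4_minimal [NOTFOUND=return] resolve dns\n' > "$tmp/nss.new"
printf 'hosts: files dns  # no local resolver\n' > "$tmp/nss.old"
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.loop"
printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$tmp/resolv.real"

classify "$tmp/nss.new" "$tmp/resolv.real"
classify "$tmp/nss.old" "$tmp/resolv.loop"
classify "$tmp/nss.old" "$tmp/resolv.real"
rm -rf "$tmp"
```

On a live system the call is `classify /etc/nsswitch.conf /etc/resolv.conf`.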
