[systemd-devel] Nonstandard port for systemd-resolved DNS forwarded queries

jimc jimc at jfcarter.net
Thu Jul 4 01:04:33 UTC 2019


Version: systemd-242-2.2.x86_64, dnsmasq-2.80-4.1.x86_64,
bind-9.11.2-44.3.x86_64, avahi-0.7-7.3.x86_64 from OpenSuSE Tumbleweed.

Here's my use case: There's a master directory server, two slaves, and a
bunch of leaf nodes.  All support IPv4 and IPv6.  All the Linux boxes
run systemd and systemd-resolved; the latter synthesizes DNS RR's from
/etc/hosts (which is kept up to date by the same script that maintains
our DNS zone files).  The master has dnsmasq with DHCP service for nodes
with centrally assigned fixed IPs, and for aleatory guest nodes. Dnsmasq
also sends out DNS RR's from /etc/hosts and /etc/ethers (RFC 4862
addresses).  Multicast DNS (by Avahi) on each node provides $HOST.local
(but this is not used heavily).  The master and the slaves have Berkeley
Bind ("named"), which is authoritative for my internal domain and which
provides recursive service to internal clients, to forward queries to
offsite DNS servers.

In the present setup, a leaf node's app calls gethostinfo from glibc,
which obeys /etc/nsswitch.conf and (not finding info in /etc/hosts) uses
the D-Bus API to contact systemd-resolved, which forwards the offsite
query to the master's port 53 (dnsmasq), which forwards it to the
master's "named" running on nonstandard port 4253.  The slave dirsvrs'
"named" shares port 53 on all interfaces, competing with
systemd-resolved and causing a race condition at startup
(systemd-resolved will die if "named" has already opened the port) plus
other odd behavior.

I would like to move the slaves' "named" to port 4253 same as on the
master, but I see no simple and non-kludgey way to get systemd-resolved
to query a nameserver (local or remote) on a nonstandard port.  My next
kludge is going to be to write a forwarder that listens on 127.0.0.253
port 53/udp and forwards to one of the dirsvrs on port 4253, failing
over to different ones during system downtime.

What do you guys recommend for this use case?

What I would really like to see, which I'm going to implement in my
kludge, is syntax in /etc/systemd/resolved.conf where you could say
something like
     DNS=192.9.200.193#53 (192.9.200.194#4253 192.9.200.195#4253)
meaning: Try the master, but if it's down use whichever slave is
responding.  And speculatively retry the master occasionally, reverting
to it when it's up again.  For me it's important to go through the
master's dnsmasq on port 53, to get hosts which have names but which
have non-fixed IPs from the DHCP pool or RFC 4862 addresses.  But of
course the slaves have no dnsmasq (I wish that were possible).

By the way, the dirsvrs' IP addresses all are in /etc/hosts...

-- 
James F. Carter   Email: jimc at jfcarter.net
Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)
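An added example, not the poster's code, of the failover forwarder sketched above: it parses the proposed `DNS=master#53 (slave#4253 ...)` line, listens on 127.0.0.253:53/udp, tries the master first, falls back to whichever slave answers, and retries the master after a cooldown. Addresses, ports and the listen address are taken from the post; RETRY_AFTER, TIMEOUT and the helper names are assumptions.

```python
import re
import socket
import time

RETRY_AFTER = 30.0   # assumed: seconds before a failed upstream is tried again
TIMEOUT = 2.0        # assumed: per-upstream UDP reply timeout
LISTEN = ("127.0.0.253", 53)   # listen address proposed in the post
DNS_LINE = "DNS=192.9.200.193#53 (192.9.200.194#4253 192.9.200.195#4253)"

def parse_dns_line(line):
    """Parse 'DNS=a#p (b#p c#p)' into [(host, port), ...], master first."""
    spec = line.split("=", 1)[1]
    return [(h, int(p)) for h, p in re.findall(r"([\w.:]+)#(\d+)", spec)]

class Failover:
    """Ordered upstream list with per-upstream failure timestamps."""
    def __init__(self, upstreams, now=time.monotonic):
        self.upstreams = upstreams
        self.failed_at = {}          # upstream -> time of last failure
        self.now = now               # injectable clock (for tests)

    def candidates(self):
        t = self.now()
        live = [u for u in self.upstreams
                if t - self.failed_at.get(u, -1e9) >= RETRY_AFTER]
        return live or list(self.upstreams)   # all marked down: try everything

    def forward(self, query, send):
        """send(query, upstream) returns reply bytes or raises OSError."""
        for u in self.candidates():
            try:
                reply = send(query, u)
                self.failed_at.pop(u, None)   # a success clears the mark
                return reply, u
            except OSError:                   # socket.timeout is an OSError
                self.failed_at[u] = self.now()
        return None, None

def udp_send(query, upstream):
    # Caveat: no transaction-ID check on the reply; a production forwarder
    # should match the reply ID to the query ID before accepting it.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(query, upstream)
        return s.recv(4096)

def serve(listen=LISTEN, line=DNS_LINE):
    fo = Failover(parse_dns_line(line))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)             # needs root for port 53
        while True:
            q, client = srv.recvfrom(4096)
            reply, _ = fo.forward(q, udp_send)
            if reply:
                srv.sendto(reply, client)
```

Binding port 53 needs root; the Failover class itself can be exercised with a fake `send` callable and an injected clock.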
