[systemd-devel] Resolved as stub listener on network and hosts in /etc/hosts

Dmitri Kourennyi dkour at mykolab.com
Fri Apr 5 02:12:51 UTC 2024


I manage a home router that runs a number of services that I want 
accessible over the local network. I would like to access these services 
via domain name, and have been using mDNS for a while, but it doesn't 
always work (e.g. over a wireguard tunnel). I recently switched the 
router's DNS server from unbound to resolved, and I figured I could add 
some simple static names in the process. So I added some IPv4 and IPv6 
entries in the router's /etc/hosts file, using ".home.arpa" and 
".internal" domains as these are LAN-only resources. And this does seem 
to work at first, with A and AAAA queries returning the fixed IPs I have 
assigned as expected. Note that I am using resolved as a DNS client on 
my end machines too. However, when I went to use the names in a browser, 
I ran into an issue. Watching wireshark, I see that the browser first 
queries an HTTPS record type (even if I specify http://), to which 
resolved will respond with a 'no such domain'. At this point, it appears 
that the local resolved will cache that negative result, and subsequent 
queries for A or AAAA records will fail until the cache is flushed. To 
verify this, I can re-create the process on the cli:

$ resolvectl flush-caches
$ resolvectl query -t AAAA hass.internal
hass.internal IN AAAA fc00::6861:7373                       -- link: eth0

-- Information acquired via protocol DNS in 1.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
$ resolvectl query -t HTTPS hass.internal
hass.internal: resolve call failed: Name 'hass.internal' not found
$ resolvectl query -t AAAA hass.internal
hass.internal: resolve call failed: Name 'hass.internal' not found
$ resolvectl flush-caches
# resolvectl query -t AAAA hass.internal
hass.internal IN AAAA fc00::6861:7373                       -- link: eth0

-- Information acquired via protocol DNS in 1.7ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

I figure I can probably set Cache="no-negative" on the client machines 
to work around this, but ideally I'd like to do this without too much 
custom client-side setup (especially to account for clients where I have 
less control, like Android). It feels like a nice solution would be if 
resolved on the router could somehow respond with a 'no such RR' for 
hosts listed in /etc/hosts.

However, I am unsure if the existing behavior can be considered a bug, I 
am doing something wrong or misunderstanding something (my DNS knowledge 
is a little shaky), or this use case is not supported with resolved, so 
I'm looking for some guidance.

Thanks,
-Dmitri
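The 'no such domain' versus 'no such RR' distinction at the heart of this post, as an added example (not the poster's code): it builds the HTTPS query for hass.internal on the wire, classifies a constructed reply as NXDOMAIN or NODATA, and applies a simplified RFC 2308 negative-cache rule (an assumption, not resolved's actual implementation) to show why the NXDOMAIN answer also blocks the later AAAA lookup while a NODATA answer would only cover the HTTPS type.

```python
import struct

QTYPE = {"A": 1, "AAAA": 28, "HTTPS": 65}
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1, AN/NS/ARCOUNT=0, then the question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def build_reply(query, rcode, rdata=None):
    # Constructed reply: echo the question, set QR|RD|RA and RCODE, and add
    # one answer RR (name pointer to offset 12, class IN, TTL 60) if rdata given.
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 0 if rdata is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0) + query[12:]
    if rdata is not None:
        msg += b"\xc0\x0c" + query[-4:-2] + struct.pack("!HIH", 1, 60, len(rdata)) + rdata
    return msg

def classify(reply):
    # RCODE 3 = NXDOMAIN ("no such domain"); RCODE 0 with an empty answer
    # section = NODATA ("no such RR"); RCODE 0 with answers = ANSWER.
    flags, _qdcount, ancount = struct.unpack("!HHH", reply[2:8])
    rcode = flags & 0xF
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode == RCODE_NOERROR:
        return "ANSWER" if ancount else "NODATA"
    return "RCODE%d" % rcode

def negative_cache_blocks(asked_qtype, reply, later_qtype):
    # Simplified RFC 2308 negative cache (an assumption, not resolved's code):
    # NXDOMAIN is remembered for the whole name, NODATA only for (name, type).
    kind = classify(reply)
    if kind == "NXDOMAIN":
        return True
    return kind == "NODATA" and later_qtype == asked_qtype

def later_aaaa_blocked(https_rcode):
    # The router answers the browser's HTTPS query with https_rcode; does the
    # client's negative cache then refuse the AAAA query that follows?
    reply = build_reply(build_query("hass.internal", "HTTPS"), https_rcode)
    return negative_cache_blocks("HTTPS", reply, "AAAA")
```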

