Resolved 介绍

systemd-resolved.service 服务为本地应用程序提供网络名称解析服务。

介绍

systemd-resolved 不但提供了传统的 DNS/DNSSEC 解析与本地缓存功能，还提供了 LLMNR 与 MulticastDNS 的解析(resolver)与应答(responder)的功能

Linux 应用程序通过一下方式获取名称解析：

• systemd-resolved 服务
• glibc 的 getaddrinfo、gethostbyname API
  • 此方法通过 glibc Name Service Switch 实现
  • glibc NSS 通过 nss-resolve 模块才能让 glibc NSS 使用 systemd-resolved 提供的名字解析功能
• systemd-resolved 在本地 127.0.0.53 上提供的本地DNS服务器

使用

配置文件

• /etc/systemd/resolved.conf

[Resolve]
DNS=223.5.5.5 223.6.6.6    # 配置 DNS，多个使用空格分隔
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes

启动服务

# 启动服务，通过解析配置文件，实时更新 /run/systemd/resolve/resolv.conf、 /run/systemd/resolve/stub-resolv.conf
systemctl start systemd-resolved.service
systemctl restart systemd-resolved.service

实现原理

$ ls -lhart /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Jan 13  2022 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

# 文件内容兼容 /etc/resolv.conf 的格式
$ cat /run/systemd/resolve/stub-resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search localdomain

resolvectl 工具

• resolvectl 用来解析主机名、IP地址、域名、DNS 记录等
• resolvectl 通过 systemd-resolved.service 实现相关功能

help

$ resolvectl --help
resolvectl [OPTIONS...] COMMAND ...

Send control commands to the network name resolution manager, or
resolve domain names, IPv4 and IPv6 addresses, DNS records, and services.

Commands:
  query HOSTNAME|ADDRESS...    Resolve domain names, IPv4 and IPv6 addresses
  service [[NAME] TYPE] DOMAIN Resolve service (SRV)
  openpgp EMAIL@DOMAIN...      Query OpenPGP public key
  tlsa DOMAIN[:PORT]...        Query TLS public key
  status [LINK...]             Show link and server status
  statistics                   Show resolver statistics
  reset-statistics             Reset resolver statistics
  flush-caches                 Flush all local DNS caches
  reset-server-features        Forget learnt DNS server feature levels
  dns [LINK [SERVER...]]       Get/set per-interface DNS server address
  domain [LINK [DOMAIN...]]    Get/set per-interface search domain
  default-route [LINK [BOOL]]  Get/set per-interface default route flag
  llmnr [LINK [MODE]]          Get/set per-interface LLMNR mode
  mdns [LINK [MODE]]           Get/set per-interface MulticastDNS mode
  dnsovertls [LINK [MODE]]     Get/set per-interface DNS-over-TLS mode
  dnssec [LINK [MODE]]         Get/set per-interface DNSSEC mode
  nta [LINK [DOMAIN...]]       Get/set per-interface DNSSEC NTA
  revert LINK                  Revert per-interface configuration

Options:
  -h --help                    Show this help
     --version                 Show package version
     --no-pager                Do not pipe output into a pager
  -4                           Resolve IPv4 addresses
  -6                           Resolve IPv6 addresses
  -i --interface=INTERFACE     Look on interface
  -p --protocol=PROTO|help     Look via protocol
  -t --type=TYPE|help          Query RR with DNS type
  -c --class=CLASS|help        Query RR with DNS class
     --service-address=BOOL    Resolve address for services (default: yes)
     --service-txt=BOOL        Resolve TXT records for services (default: yes)
     --cname=BOOL              Follow CNAME redirects (default: yes)
     --search=BOOL             Use search domains for single-label names
                                                              (default: yes)
     --raw[=payload|packet]    Dump the answer as binary data
     --legend=BOOL             Print headers and additional info (default: yes)

See the resolvectl(1) man page for details.

常用命令

• resolvectl status Show link and server status
• resolvectl query <domain> 查询解析信息，类似于 nslookup、dig

# 查域名解析
$ resolvectl query www.xiexianbin.cn
www.xiexianbin.cn: 60.200.32.109               -- link: ens33
                   60.200.32.108               -- link: ens33
                   60.200.32.115               -- link: ens33
                   60.200.32.114               -- link: ens33
                   60.200.32.113               -- link: ens33
                   60.200.32.112               -- link: ens33
                   60.200.32.111               -- link: ens33
                   60.200.32.110               -- link: ens33
                   (www.xiexianbin.cn.w.cdngslb.com)

# 查 IP
$ resolvectl query 223.5.5.5
223.5.5.5: public1.alidns.com                  -- link: ens33

# 查 MX 记录
$ resolvectl --legend=no -t MX query xiexianbin.cn
xiexianbin.cn IN MX 10 mxw.mxhichina.com                    -- link: ens33
xiexianbin.cn IN MX 5 mxn.mxhichina.com                     -- link: ens33

# tlsa
$ resolvectl tlsa tcp fedoraproject.org:443
_443._tcp.fedoraproject.org IN TLSA 3 1 1 5441af1dc3c6df9a6bd408daea995bd1a5e328404a271a575f11b4feebd93b09
        -- Cert. usage: Domain-issued certificate
        -- Selector: SubjectPublicKeyInfo
        -- Matching type: SHA-256 -- link: ens33

• resolvectl flush-caches 刷新 DNS 缓存
• resolvectl statistics 查询统计
• resolvectl openpgp me@xiexianbin.cn 查看 openpgp 公钥
• resolvectl service 查找 SRV 服务

扩展

• localhost 不会路由到网络上
• 不包含 . 的名称，使用 LLMNR 协议路由到所有支持 IP 多播的本地接口
• .local 后缀的名称，使用多播 DNS(MulticastDNS)协议路由到所有支持 IP 多播的本地接口
• _gateway 路由到默认网关（多网关到字典序第一个）

F&Q

• systemd resolved First DNS resolve takes 20s

systemd-resolved[]: Failed to add DNS server address

• journalctl -u systemd-resolved 出现如上错误日志
• 原因：/etc/systemd/resolved.conf 中 DNS 字段配置异常导致，注意多个 DNS 使用空格分隔