systemd-resolved.service
The systemd-resolved service provides network name resolution to local applications.
Introduction
Besides classic DNS resolution (with DNSSEC validation) and a local cache, systemd-resolved also implements LLMNR and MulticastDNS, acting both as a resolver and as a responder for them.
Linux applications can obtain name resolution from systemd-resolved in three ways:
- the native API that systemd-resolved exposes on D-Bus, which offers the full feature set
- the glibc getaddrinfo() and gethostbyname() APIs, which go through the glibc Name Service Switch (NSS); glibc only hands these lookups to systemd-resolved when the nss-resolve module is listed on the hosts: line of /etc/nsswitch.conf
- the local DNS stub server that systemd-resolved runs on 127.0.0.53, used by programs that read /etc/resolv.conf and talk DNS themselves
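To see which of these paths a program actually takes, look at the hosts: line of /etc/nsswitch.conf. The script below is an added example (not from the original post): it extracts the hosts: backends from an nsswitch.conf-style file and reports whether glibc lookups go to systemd-resolved first (resolve listed before dns), straight to the servers in /etc/resolv.conf (dns module), or stay local. The sample file contents are constructed; point it at /etc/nsswitch.conf to check a real host.

```shell
#!/bin/sh
# Added example (not from the original page): inspect the glibc NSS "hosts:" line
# to see whether getaddrinfo()/gethostbyname() lookups go to systemd-resolved
# (nss-resolve module) or straight to the nameservers in /etc/resolv.conf (dns module).

# Print the backends on the "hosts:" line of an nsswitch.conf-style file, one per
# line, with comments and [action=...] specifiers stripped.
nss_hosts_backends() {
    # $1: path to an nsswitch.conf-style file
    sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1 |
        tr ' \t' '\n\n' | grep -v '^\[' | grep -v '^$' || :
}

# Classify how hostname lookups reach the network:
#   resolve - nss-resolve is listed before dns: glibc asks systemd-resolved first
#   dns     - the dns module is listed and resolve is absent or listed after it:
#             glibc talks to the nameservers in /etc/resolv.conf itself
#   none    - neither module: only local sources such as /etc/hosts are used
nss_hosts_mode() {
    backends=$(nss_hosts_backends "$1")
    r=$(printf '%s\n' "$backends" | grep -n '^resolve$' | head -n 1 | cut -d: -f1)
    d=$(printf '%s\n' "$backends" | grep -n '^dns$' | head -n 1 | cut -d: -f1)
    if [ -n "$r" ] && { [ -z "$d" ] || [ "$r" -lt "$d" ]; }; then
        echo resolve
    elif [ -n "$d" ]; then
        echo dns
    else
        echo none
    fi
}

# Constructed sample (not copied from a real host): the usual layout that the
# systemd-resolved documentation recommends.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
passwd: files systemd
hosts:  files myhostname resolve [!UNAVAIL=return] dns   # typical systemd-resolved setup
EOF
echo "hosts backends: $(nss_hosts_backends "$tmp" | tr '\n' ' ')"
echo "lookup mode:    $(nss_hosts_mode "$tmp")"
rm -f "$tmp"
```

On a host where the mode comes back as dns, systemd-resolved is bypassed by glibc entirely unless /etc/resolv.conf points at the 127.0.0.53 stub, which is why the symlink discussed later matters.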
Linux resolv.conf configuration
$ cat /etc/resolv.conf
options timeout:1 attempts:1 rotate
nameserver 223.5.5.5
nameserver 1.1.1.1
options parameters:
- rotate: round-robin between the listed nameservers instead of always asking the first one (it spreads load; it does not pick a server at random)
- timeout: seconds to wait for a reply from one nameserver before moving on to the next (default 5, silently capped at 30)
- attempts: number of passes over the nameserver list before giving up (default 2, capped at 5)
The same options can be set per process through the RES_OPTIONS environment variable (for example in the environment of a single program); the option names are the same as in resolv.conf and values from RES_OPTIONS override the file. Example: RES_OPTIONS="rotate timeout:1 attempts:1"
nameserver: IP address of a DNS server to query. glibc uses at most three nameserver lines; any further ones are ignored.
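The following is an added example (not from the original post) that reads a resolv.conf-style file and reports what glibc will actually use: the nameservers (only the first three count), the timeout/attempts/rotate options with glibc's defaults filled in, and the resulting worst-case time for a single query. The worst case is computed as the simple bound timeout × attempts × nameservers; glibc's real per-server timeouts vary a little, so treat it as an upper bound. The sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): parse a resolv.conf-style file and
# report what glibc will actually use from it. Two things worth checking: glibc
# honours at most 3 "nameserver" lines (MAXNS), and the options line controls the
# per-query worst case (timeout x attempts x servers tried).

# Print the nameserver addresses, in order, with comments stripped.
resolv_nameservers() {
    sed -n 's/[#;].*//; s/^[[:space:]]*nameserver[[:space:]]\{1,\}//p' "$1" |
        sed 's/[[:space:]]*$//' | grep -v '^$' || :
}

# Print every token from every "options" line, one per line (later lines add to
# or override earlier ones, as glibc processes them).
resolv_option_tokens() {
    sed -n 's/[#;].*//; s/^[[:space:]]*options[[:space:]]\{1,\}//p' "$1" |
        tr ' \t' '\n\n' | grep -v '^$' || :
}

# Value of a numeric option ($2, e.g. "timeout"), or the default ($3) if unset.
resolv_option() {
    val=$(resolv_option_tokens "$1" | sed -n "s/^$2:\([0-9]\{1,\}\)\$/\1/p" | tail -n 1)
    echo "${val:-$3}"
}

# "yes" if a flag option such as "rotate" is present, else "no".
resolv_has_option() {
    if resolv_option_tokens "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}

# Upper bound on the seconds one query can take before glibc gives up: every
# attempt walks the (at most 3) nameservers with "timeout" seconds each.
# glibc defaults: timeout 5 (RES_TIMEOUT), attempts 2 (RES_DFLRETRY).
resolv_worst_case_seconds() {
    n=$(resolv_nameservers "$1" | wc -l | tr -d ' ')
    [ "$n" -gt 3 ] && n=3
    t=$(resolv_option "$1" timeout 5)
    a=$(resolv_option "$1" attempts 2)
    echo $((n * t * a))
}

resolv_report() {
    n=$(resolv_nameservers "$1" | wc -l | tr -d ' ')
    echo "nameservers listed: $n (glibc uses the first 3)"
    resolv_nameservers "$1" | head -n 3 | sed 's/^/  uses:    /'
    resolv_nameservers "$1" | tail -n +4 | sed 's/^/  IGNORED: /'
    echo "timeout=$(resolv_option "$1" timeout 5)s attempts=$(resolv_option "$1" attempts 2) rotate=$(resolv_has_option "$1" rotate)"
    echo "worst case per query: $(resolv_worst_case_seconds "$1")s"
}

# Constructed sample: the file shown above plus two extra servers that glibc ignores.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
options timeout:1 attempts:1 rotate
nameserver 223.5.5.5
nameserver 1.1.1.1
nameserver 9.9.9.9
nameserver 8.8.8.8
EOF
resolv_report "$tmp"
rm -f "$tmp"
```

Run resolv_report /etc/resolv.conf on a real host; the IGNORED lines are the ones operators most often forget about when "adding a fourth fallback server" has no effect.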
Usage
Configuration file
/etc/systemd/resolved.conf
[Resolve]
# Upstream DNS servers, separated by spaces (not commas). resolved.conf has no
# inline comments: anything after the value on the same line is read as part of it.
DNS=223.5.5.5 223.6.6.6
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
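DNSSEC= and DNSOverTLS= are the two keys above with security consequences. The fragment below is an added example of a hardened starting point, not the page's own configuration; the server addresses are the ones used on this page and are assumptions for your network, and the settings should be verified afterwards with resolvectl status and a test query.

```ini
[Resolve]
# Space-separated list; keep comments on their own lines.
DNS=223.5.5.5 223.6.6.6
# FallbackDNS is only consulted when no DNS server is known at all,
# not as a retry target when the servers above fail.
FallbackDNS=1.1.1.1
# Validate DNSSEC where the upstream passes the records through, and fall
# back to plain lookups where it does not. DNSSEC=yes would make unsigned
# domains and DNSSEC-stripping upstreams unresolvable.
DNSSEC=allow-downgrade
# Use TLS on port 853 when the upstream offers it. "opportunistic" still
# accepts plaintext, so it defeats passive snooping but not an active
# downgrade; DNSOverTLS=yes refuses plaintext entirely.
DNSOverTLS=opportunistic
# Link-local protocols answer to any host on the LAN; keep them off on
# networks you do not control.
LLMNR=no
MulticastDNS=no
# Keep the 127.0.0.53 stub so /etc/resolv.conf can stay a symlink to it.
DNSStubListener=yes
```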
Starting the service
# Starting (or restarting) the service re-reads the configuration and regenerates /run/systemd/resolve/resolv.conf and /run/systemd/resolve/stub-resolv.conf
systemctl start systemd-resolved.service
systemctl restart systemd-resolved.service
How it works
$ ls -lhart /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Jan 13 2022 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
# /etc/resolv.conf is a symlink to a file that systemd-resolved generates in the normal resolv.conf format
$ cat /run/systemd/resolve/stub-resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search localdomain
# "trust-ad" makes glibc trust the AD (authenticated data) bit in answers from this server. That is acceptable only because the server is the local stub; do not copy this option into a resolv.conf that points at a remote resolver.
# The stub listens on port 53 of 127.0.0.53 and forwards queries to the DNS servers from the configuration, applying search domains, per-link routing, /etc/hosts, LLMNR and mDNS as configured. Newer releases add a second listener on 127.0.0.54 that is a plain proxy to the upstream servers without that local processing.
# Filter ss on the port rather than grepping for "53", which would also match unrelated sockets such as mDNS on 5353:
$ ss -lpn 'sport = :53'
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=16))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=14))
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=17))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=15))
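The ss output is also where a resolver that should not be there shows up. The script below is an added example (not from the original post): it parses ss -lpn lines, keeps the port-53 listeners and flags any whose owning process is not systemd-resolved, since any other listener on :53 silently takes over name resolution. The input is constructed: the four lines shown above plus one invented rogue dnsmasq listener. On a live host run ss -lpn | check_port53_owner as root, because ss only shows process names for sockets you own unless run as root.

```shell
#!/bin/sh
# Added example (not from the original page): report every socket listening on
# port 53 in `ss -lpn` output and flag owners other than systemd-resolved.

# Read ss -lpn lines on stdin; print "proto local-address process" for each
# port-53 listener.
port53_listeners() {
    awk '
        # Columns: Netid State Recv-Q Send-Q Local Peer [users:(...)]
        $1 ~ /^(udp|tcp)$/ && ($2 == "UNCONN" || $2 == "LISTEN") {
            local = $5
            # the port follows the last ":"; the address part may be
            # "127.0.0.53%lo", "[::]" or "*"
            port = local; sub(/.*:/, "", port)
            if (port != "53") next
            proc = "-"
            # users:(("name",pid=N,fd=M)) -> name; ss truncates names to 15 chars
            if (match($0, /users:\(\("[^"]*"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            print $1, local, proc
        }'
}

# Print offenders and return 1 if any port-53 listener is not systemd-resolved.
check_port53_owner() {
    bad=$(port53_listeners | awk '$3 != "systemd-resolve" { print }')
    if [ -n "$bad" ]; then
        printf 'unexpected port-53 listener(s):\n%s\n' "$bad"
        return 1
    fi
    echo "all port-53 listeners belong to systemd-resolved"
}

# Constructed sample: the four lines from the page plus an mDNS socket on 5353
# (must be ignored) and an invented rogue dnsmasq on 0.0.0.0:53 (must be flagged).
sample='udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=16))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=14))
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=17))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=668,fd=15))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=901,fd=4))'
printf '%s\n' "$sample" | check_port53_owner || echo "(check returned $?)"
```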
The resolvectl tool
resolvectl resolves hostnames, IP addresses, domain names, DNS records and services, and inspects or changes resolver settings; it does all of this by talking to systemd-resolved.service.
help
$ resolvectl --help
resolvectl [OPTIONS...] COMMAND ...
Send control commands to the network name resolution manager, or
resolve domain names, IPv4 and IPv6 addresses, DNS records, and services.
Commands:
query HOSTNAME|ADDRESS... Resolve domain names, IPv4 and IPv6 addresses
service [[NAME] TYPE] DOMAIN Resolve service (SRV)
openpgp EMAIL@DOMAIN... Query OpenPGP public key
tlsa DOMAIN[:PORT]... Query TLS public key
status [LINK...] Show link and server status
statistics Show resolver statistics
reset-statistics Reset resolver statistics
flush-caches Flush all local DNS caches
reset-server-features Forget learnt DNS server feature levels
dns [LINK [SERVER...]] Get/set per-interface DNS server address
domain [LINK [DOMAIN...]] Get/set per-interface search domain
default-route [LINK [BOOL]] Get/set per-interface default route flag
llmnr [LINK [MODE]] Get/set per-interface LLMNR mode
mdns [LINK [MODE]] Get/set per-interface MulticastDNS mode
dnsovertls [LINK [MODE]] Get/set per-interface DNS-over-TLS mode
dnssec [LINK [MODE]] Get/set per-interface DNSSEC mode
nta [LINK [DOMAIN...]] Get/set per-interface DNSSEC NTA
revert LINK Revert per-interface configuration
Options:
-h --help Show this help
--version Show package version
--no-pager Do not pipe output into a pager
-4 Resolve IPv4 addresses
-6 Resolve IPv6 addresses
-i --interface=INTERFACE Look on interface
-p --protocol=PROTO|help Look via protocol
-t --type=TYPE|help Query RR with DNS type
-c --class=CLASS|help Query RR with DNS class
--service-address=BOOL Resolve address for services (default: yes)
--service-txt=BOOL Resolve TXT records for services (default: yes)
--cname=BOOL Follow CNAME redirects (default: yes)
--search=BOOL Use search domains for single-label names
(default: yes)
--raw[=payload|packet] Dump the answer as binary data
--legend=BOOL Print headers and additional info (default: yes)
See the resolvectl(1) man page for details.
Common commands
resolvectl status: show per-link and global server status (which DNS servers, DNSSEC and DNS-over-TLS settings and search domains apply to each interface)
resolvectl query <domain>: look up resolution information, similar to nslookup or dig
# resolve a domain name
$ resolvectl query www.xiexianbin.cn
www.xiexianbin.cn: 60.200.32.109 -- link: ens33
60.200.32.108 -- link: ens33
60.200.32.115 -- link: ens33
60.200.32.114 -- link: ens33
60.200.32.113 -- link: ens33
60.200.32.112 -- link: ens33
60.200.32.111 -- link: ens33
60.200.32.110 -- link: ens33
(www.xiexianbin.cn.w.cdngslb.com)
# reverse lookup of an IP address
$ resolvectl query 223.5.5.5
223.5.5.5: public1.alidns.com -- link: ens33
# MX records
$ resolvectl --legend=no -t MX query xiexianbin.cn
xiexianbin.cn IN MX 10 mxw.mxhichina.com -- link: ens33
xiexianbin.cn IN MX 5 mxn.mxhichina.com -- link: ens33
# TLSA record (DANE) for a TCP port
$ resolvectl tlsa tcp fedoraproject.org:443
_443._tcp.fedoraproject.org IN TLSA 3 1 1 5441af1dc3c6df9a6bd408daea995bd1a5e328404a271a575f11b4feebd93b09
-- Cert. usage: Domain-issued certificate
-- Selector: SubjectPublicKeyInfo
-- Matching type: SHA-256 -- link: ens33
resolvectl flush-caches: flush the local DNS cache
resolvectl statistics: show resolver statistics (transactions, cache hits and misses, DNSSEC verdicts)
resolvectl openpgp me@xiexianbin.cn: look up an OpenPGP public key (OPENPGPKEY record)
resolvectl service: look up a service (SRV record)
Extension: how names are routed
- localhost is never sent to the network
- single-label names (no "." in the name) are routed via LLMNR to all local interfaces capable of IP multicast
- names ending in .local are routed via MulticastDNS to all local interfaces capable of IP multicast
- _gateway resolves to the address(es) of the current default gateway (with several default routes, ordered by route metric)
Because LLMNR and MulticastDNS accept answers from any host on the local link, any machine on an untrusted network can answer for a single-label or .local name; disable them with LLMNR=no and MulticastDNS=no where that is not acceptable.
FAQ
systemd-resolved[]: Failed to add DNS server address
journalctl -u systemd-resolved
If this error appears in the journal, the DNS= setting in /etc/systemd/resolved.conf is malformed: separate multiple servers with spaces, not commas, and do not put a comment on the same line as the value.
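The following is an added example (not from the original post) that checks the DNS= line(s) of a resolved.conf-style file before the service is restarted, covering both the configuration section above and this FAQ entry. It collects the values from the [Resolve] section (an empty DNS= resets the list, as resolved.conf(5) specifies), then validates each token against the address forms resolved.conf accepts: IPv4 or IPv6, an optional :port, a %interface suffix and a #servername for DNS-over-TLS. Commas and stray "#" tokens left over from inline comments are rejected with a hint. The sample files are constructed; the 1.1.1.1#cloudflare-dns.com and IPv6 entries are illustrative values, not from the page.

```shell
#!/bin/sh
# Added example (not from the original page): lint the DNS= value(s) of a
# resolved.conf-style file. systemd-resolved wants a space-separated list;
# commas and inline comments are the usual cause of
# "Failed to add DNS server address".

# Print the DNS= tokens from the [Resolve] section, one per line.
resolved_dns_tokens() {
    awk '
        /^[[:space:]]*\[/ { in_resolve = ($0 ~ /^[[:space:]]*\[Resolve\]/); next }
        in_resolve && /^[[:space:]]*DNS[[:space:]]*=/ {
            sub(/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]*$/, "")
            if ($0 == "") { count = 0; next }   # an empty DNS= resets the list
            n = split($0, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) list[++count] = parts[i]
        }
        END { for (i = 1; i <= count; i++) print list[i] }' "$1"
}

# Validate one token. Accepted shapes (resolved.conf(5)):
#   1.2.3.4   1.2.3.4:5353   2001:db8::1   [2001:db8::1]:853
# each optionally followed by %ifname and/or #servername (DNS-over-TLS SNI).
# Octet ranges are not checked; this is a syntax lint, not a full parser.
resolved_dns_token_ok() {
    tok=$1
    case $tok in
        *,*) return 1 ;;              # comma: the author meant a space
        '#'*|*'#') return 1 ;;        # empty address or empty server name
    esac
    addr=${tok%%#*}                   # drop #servername
    addr=${addr%%"%"*}                # drop %interface
    case $addr in
        \[*\]:*) addr=${addr#\[}; addr=${addr%%\]:*} ;;   # [ipv6]:port
        \[*\])   addr=${addr#\[}; addr=${addr%\]} ;;       # [ipv6]
        *.*.*.*:*) addr=${addr%:*} ;;                      # ipv4:port
    esac
    case $addr in
        *.*.*.*) printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        *:*)     printf '%s\n' "$addr" | grep -Eq '^[0-9A-Fa-f:]+$' ;;
        *)       return 1 ;;
    esac
}

# Print a verdict per token; return 1 if any token is bad.
resolved_dns_lint() {
    status=0
    for tok in $(resolved_dns_tokens "$1"); do
        if resolved_dns_token_ok "$tok"; then
            echo "ok   $tok"
        else
            echo "BAD  $tok   (separate servers with spaces; no commas or inline comments)"
            status=1
        fi
    done
    return $status
}

# Constructed sample 1: the comma form from the FAQ plus a bare "#" left over
# from an inline comment.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
[Resolve]
DNS=223.5.5.5,223.6.6.6 #
EOF
resolved_dns_lint "$tmp" || echo "fix DNS= before running: systemctl restart systemd-resolved"

# Constructed sample 2: a valid list with a DNS-over-TLS server name and an
# IPv6 server on port 853 (illustrative values).
cat >"$tmp" <<'EOF'
[Resolve]
# comments belong on their own line
DNS=223.5.5.5 1.1.1.1#cloudflare-dns.com [2606:4700:4700::1111]:853
EOF
resolved_dns_lint "$tmp"
rm -f "$tmp"
```

Run resolved_dns_lint /etc/systemd/resolved.conf before restarting the service; it only reads the file, so it is safe to add to a configuration-management check.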