DNS in Ubuntu 12.04

Anyone who’s been using 12.04 over the past month or so may have noticed some pretty significant changes in the way we do DNS resolving in Ubuntu.

This is the result of the implementation of: foundations-p-dns-resolving

Here is a description of the two big changes that happened:

Switch to resolvconf for /etc/resolv.conf management

resolvconf is a set of scripts and hooks managing DNS resolution. The most notable difference for the user is that any change manually made to /etc/resolv.conf will be lost, as it gets overwritten the next time something triggers resolvconf. Instead, resolvconf uses DHCP client hooks, a Network Manager plugin and /etc/network/interfaces to generate the list of nameservers and search domains to put in /etc/resolv.conf.

For more details, I’d highly encourage you to read resolvconf’s manpage but here are a few answers to common questions:

  • I use static IP configuration, where should I put my DNS configuration?
    The DNS configuration for a static interface should go in “dns-nameservers”, “dns-search” and “dns-domain” entries added to the interface stanza in /etc/network/interfaces.
  • How can I override resolvconf’s configuration or append some entries to it?
    Resolvconf has a /etc/resolvconf/resolv.conf.d/ directory that can contain “base”, “head”, “original” and “tail” files. All in resolv.conf format.
    • base: Used when no other data can be found
    • head: Used for the header of resolv.conf, can be used to ensure a DNS server is always the first one in the list
    • original: Just a backup of your resolv.conf at the time of resolvconf installation
    • tail: Any entry in tail is appended at the end of the resulting resolv.conf. In some cases, upgrading from a previous Ubuntu release will make tail a symlink to original (when we think you manually modified resolv.conf in the past)
  • I really don’t want resolvconf, how can I disable it?
    I certainly wouldn’t recommend disabling resolvconf but you can do it by making /etc/resolv.conf a regular file instead of a symlink.
    Though please note that you may then end up with an inconsistent /etc/resolv.conf when several pieces of software fight over it.

This change affects all Ubuntu installs except for Ubuntu core.
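To make the assembly order described above concrete, here is an added illustration (not resolvconf's own scripts) of how head, the per-interface records and tail are merged: nameservers are capped at three, search domains are de-duplicated, and VPN (tun*) records are taken before wired (eth*) ones, mirroring the precedence in /etc/resolvconf/interface-order. All inputs are constructed in a scratch directory, so it runs unprivileged.

```shell
#!/bin/sh
# Simplified model of how resolvconf assembles /etc/resolv.conf:
# head, then per-interface records (tun* before eth*), then tail.
# Added illustration, not resolvconf's own code; inputs are constructed.
set -e
WORK=$(mktemp -d)
mkdir -p "$WORK/resolv.conf.d" "$WORK/interface"

# head: pins a server to the top of the list
printf 'nameserver 127.0.0.1\n' > "$WORK/resolv.conf.d/head"
# what ifup hands over from the dns-* lines of a static interface
printf 'nameserver 10.0.0.53\nnameserver 10.0.0.54\nsearch corp.example\n' \
  > "$WORK/interface/eth0.inet"
# a VPN client pushing its own servers and domains
printf 'nameserver 10.8.0.1\nnameserver 10.0.0.53\nsearch vpn.example corp.example\n' \
  > "$WORK/interface/tun0"
# tail: appended verbatim
printf 'options timeout:1 attempts:2\n' > "$WORK/resolv.conf.d/tail"

# build_resolv_conf DIR: print the merged resolv.conf for a tree laid out as above
build_resolv_conf() {
  d=$1
  {
    cat "$d/resolv.conf.d/head"
    # real resolvconf orders records by /etc/resolvconf/interface-order,
    # where tun* precedes eth*; modelled here with a fixed glob order
    for f in "$d"/interface/tun* "$d"/interface/eth*; do
      if [ -f "$f" ]; then cat "$f"; fi
    done
  } | awk '
    # keep the first three distinct nameservers (the libc resolver limit)
    /^nameserver/ { if (!seen[$2]++ && ns < 3) { ns++; print }; next }
    # collect search domains in first-seen order, dropping duplicates
    /^search/     { for (i = 2; i <= NF; i++) if (!dom[$i]++) s = s " " $i; next }
    END           { if (s != "") print "search" s }
  '
  cat "$d/resolv.conf.d/tail"
}

build_resolv_conf "$WORK"
```

Note that the fourth distinct server (10.0.0.54 from eth0) is silently dropped, which is why a head entry and the three-server cap matter when a VPN adds its own servers.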

Using dnsmasq as local resolver by default on desktop installations

That’s the second big change of this release. On a desktop install, your DNS server is going to be “127.0.0.1” which points to a NetworkManager-managed dnsmasq server.

This was done to better support split DNS for VPN users and to better handle DNS failures and fallbacks. This dnsmasq server is not a caching server, for security reasons: caching would open the door to local cache poisoning and to users eavesdropping on each other’s DNS queries on a multi-user system.

The big advantage is that if you connect to a VPN, instead of having all your DNS traffic be routed through the VPN like in the past, you’ll instead only send DNS queries related to the subnet and domains announced by that VPN. This is especially interesting for high latency VPN links where everything would be slowed down in the past.

As for dealing with DNS failures, dnsmasq often sends DNS queries to more than one DNS server (if you received several when establishing your connection) and will detect bogus or dead ones and simply ignore them until they start returning sensible answers again. Compare this with the libc way of doing DNS resolution, where the state of the DNS servers can’t be remembered (as it’s just a library), so every single application has to go through the same sequence: try the first DNS server, wait for it to time out, then move on to the next one.

Now for the most common questions:

  • How to know what DNS servers I’m using (since I can’t just “cat /etc/resolv.conf”)?
    “nm-tool” can be used to get information about your existing connections in Network Manager. It’s roughly the same data you’d get in the GUI “connection information”.
    Alternatively, you can read dnsmasq’s configuration from /run/nm-dns-dnsmasq.conf
  • I really don’t want a local resolver, how can I turn it off?
    To turn off dnsmasq in Network Manager, you need to edit /etc/NetworkManager/NetworkManager.conf and comment the “dns=dnsmasq” line (put a # in front of it) then do a “sudo restart network-manager”.
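The split-DNS behaviour described above can be read straight out of the “server=” directives dnsmasq accepts, which is the form NetworkManager’s dnsmasq plugin writes to /run/nm-dns-dnsmasq.conf. The following is an added example (not NetworkManager’s or dnsmasq’s own code) that, given such a file, tells you which upstream a name is forwarded to: the longest matching “server=/domain/ip” entry wins, everything else goes to the global servers. The config below is constructed to stand in for a LAN connection plus a VPN.

```shell
#!/bin/sh
# Which upstream does the NetworkManager-managed dnsmasq forward a query to?
# Parses dnsmasq "server=" lines as found in /run/nm-dns-dnsmasq.conf.
# Added example, not NetworkManager's or dnsmasq's own code.
set -e

# constructed stand-in for /run/nm-dns-dnsmasq.conf: two LAN servers from
# DHCP plus a VPN that announced its domain and the reverse zone of its subnet
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
server=192.168.1.1
server=192.168.1.2
server=/corp.example/10.8.0.1
server=/10.in-addr.arpa/10.8.0.1
EOF

# upstream_for NAME CONF: print the upstream(s) a query for NAME is sent to
upstream_for() {
  awk -v q="$1" '
    /^server=\// {                       # per-domain entry: server=/dom/ip
      split($0, p, "/"); dom = p[2]; ip = p[3]
      # match only on a label boundary: "notcorp.example" must not match corp.example
      if (q == dom || substr(q, length(q) - length(dom)) == "." dom) {
        if (length(dom) > best) { best = length(dom); hit = ip }
      }
      next
    }
    /^server=/ {                         # global entry: server=ip
      ip = substr($0, 8)
      glob = (glob == "" ? ip : glob " " ip)
    }
    END { print (hit != "" ? hit : glob) }
  ' "$2"
}

# VPN names and reverse lookups for its subnet stay on the VPN resolver;
# everything else goes to the LAN servers announced over DHCP.
for name in www.corp.example 5.0.0.10.in-addr.arpa www.ubuntu.com notcorp.example; do
  echo "$name -> $(upstream_for "$name" "$SAMPLE")"
done
```

Run it against the real file with upstream_for some.host /run/nm-dns-dnsmasq.conf on a 12.04 desktop to check what the plugin actually wrote.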

Bugs and feedback

Although we made these changes more than a month ago and have been looking pretty closely at bug reports, there may be some we haven’t found yet.

Issues related to resolvconf should be reported with:
ubuntu-bug resolvconf

Issues related to the dnsmasq configuration should be reported with:
ubuntu-bug network-manager

And finally, actual dnsmasq bugs and crashes should be reported with:
ubuntu-bug dnsmasq

In all cases, please try to include the following information:

  • How was your system installed (desktop, alternate, netinstall, …)?
  • Whether it’s a clean install or an upgrade?
  • Tarball of /etc/resolvconf and /run/resolvconf
  • Content of /run/nm-dns-dnsmasq.conf
  • Your /var/log/syslog
  • Your /etc/network/interfaces
  • And obviously a detailed description of your problem

About Stéphane Graber

Project leader of Linux Containers, Linux hacker, Ubuntu core developer, conference organizer and speaker.
This entry was posted in Canonical voices, Planet Ubuntu.

243 Responses to DNS in Ubuntu 12.04

  1. Rusty says:

    Does this in any way change the existing limitation of 256 characters and six domains in the Search keyword for resolv.conf?

    The ‘limitation’ of 6 domains is not really there, but the 256 characters seems to be pretty much hard coded into the resolver process for Ubuntu. It’s not a problem in Windows. It doesn’t seem to be a problem in RedHat, but I keep running into this as a limitation that causes me problems in Ubuntu. The company I work for has merged several times in the past couple of decades, but has not merged to a single domain. Additionally, within several domains there are subdomains, and having the subdomain listed in resolv.conf does not ensure that a device in the domain will be resolved.

    I suspect that this will be a corner case for some time to come.

    1. resolvconf enforces the restriction of 3 dns servers when generating /etc/resolv.conf as that’s the maximum number of entries allowed by the libc resolver.
      A quick look at the same function for search domains doesn’t show a hardcoded limitation, so I believe resolvconf will add as many search domains as it receives (though it makes sure the list doesn’t contain duplicates) and lets the libc deal with it. If it turns out to be a big problem, we could probably change the logic there to write something that’s more libc-compatible.

    2. Thomas Hood says:

      No, the glibc resolver still imposes the same limits: a maximum of six domain names totaling a maximum of 255 characters (where the space characters between the names also count).

      From resolv/resolv.h:

      # define MAXDNSRCH 6 /* max # domains in search path */
      char defdname[256];

  2. Mackenzie says:

    Finally! I made this change on my systems years ago, to make DNS & VPNs play more nicely together.

  3. When (in a few months) I upgrade an Ubuntu server from 10.04 to 12.04 using sudo do-release-upgrade, will I need to move my DNS configuration from /etc/resolv.conf to /etc/network/interfaces by hand (assuming I remember to do that), or will the upgrade script do that for me?

    1. There’s logic in place in resolvconf’s postinst to detect cases where the user manually modified /etc/resolv.conf and automatically make the “tail” file link to the “original” file which should give you working DNS resolution.

      It’s obviously not as good as having the right entries magically appear in /etc/network/interfaces but the result should be the same without the need for configuration file handling magic.

      1. Willie says:

        Just upgraded to 12.04 today and had manually added nameservers in /etc/resolv.conf. I have a static IP. It did not put them automatically in the tail file, nor did it add them to /etc/network/interfaces.

        1. Duke says:

          I can’t connect via VPN anymore either. Any handholding instructions on how to add the relevant configurations to the interfaces file?

          1. Thomas Hood says:

            @Duke: You shouldn’t have to do any manual configuration of nameserver information for VPN connections since the local VPN client should transmit that information directly to resolvconf.

            If you have