On 3/3/24 22:39, Victor Sudakov wrote:
jeremy ardley wrote:
On 3/3/24 12:43, Victor Sudakov wrote:
Not that I would use bind9 as a caching resolver but still, how
do you pass the dynamically obtained AWS DNS server address from
systemd-networkd to bind9?
The AWS DNS resolver IPs are static and are widely published.
Do you mean 169.254.169.253?
That IP address is a non-routable AWS internal address for internal DNS
services. It is not the public IP address.
There is some convention that address 2 in non-routable address ranges
allocated to customers is also a DNS server address. So 10.0.0.2 is a
DNS server.
The actual public source addresses used by AWS DNS servers are not well
defined and may vary by region.
It is permissible to not use AWS resolvers for upstream.
If you want to use AWS resolvers you may run into the problem that some RBL
services reject queries from 'well known' free DNS servers; that may include
AWS resolver addresses.
systemd-networkd without systemd-resolved maintains a list of DNS servers in
/etc/resolv.conf that can be used by local services.
Do you just disable the systemd-resolved service or do you remove the
systemd-resolved package completely?
I completely removed systemd-resolved as when it is installed it changes
the DNS configuration to be non-standard.
If you disable it, you are also supposed to remove the "resolve"
service from nsswitch.conf, right?
I am not sure what you mean by resolve service. The current user manual
for nsswitch has
    hosts: dns [!UNAVAIL=return] files
which seems to be some new spin. It has always been the practice to use
files and then dns if nothing found:
    hosts: files dns
In neither case is systemd-resolved required. The resolution uses the
contents of /etc/resolv.conf to choose a resolver.
You can override dynamic setting of the dns resolvers in the
systemd-networkd configuration to use a local caching resolver such as
bind9, usually listening at 127.0.0.1:53.
What would this be for? Sorry, I did not understand this step.
I was in error stating that. You need to manually edit /etc/resolv.conf
to contain a line
    nameserver 127.0.0.1
and configure bind9 to listen to that:
    options {
        listen-on { 127.0.0.1; };
        // other options like directory, allow-query, etc.
        recursion yes;
        // Additional configuration to ensure it acts as a caching server
    };
You can then configure bind9 as a caching-only DNS resolver and set
appropriate upstream (forwarder) sites, or none at all, defaulting to the
root servers.
Thank you for the ideas, I may use them but first I would like to do
something about the obvious bug in systemd-resolved.
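The setup Jeremy describes above (resolv.conf pointing at a local bind9 on 127.0.0.1, an nsswitch "hosts:" line that does not depend on systemd-resolved, and a caching-only options block with or without forwarders) can be checked and generated with a small script. This is an added example written for this page, not code from either poster; the function names, the sample files it constructs, and the `allow-query { localhost; };` and `forward only;` lines in the generated block are my additions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: verify and generate the local-resolver
# setup discussed above. File paths are parameters so the checks can be run
# against constructed samples as well as the real /etc files.

# check_resolv FILE -> exit 0 if FILE has a "nameserver 127.0.0.1" line
check_resolv() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$1"
}

# hosts_sources FILE -> print the source list of the first "hosts:" line
hosts_sources() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1
}

# check_nsswitch FILE -> exit 0 if the hosts: line uses "dns" and does not
# list the systemd-resolved NSS module "resolve" (which would need the
# service running to work)
check_nsswitch() {
    srcs=$(hosts_sources "$1")
    case " $srcs " in
        *" resolve "*) return 1 ;;
    esac
    case " $srcs " in
        *" dns "*) return 0 ;;
    esac
    return 1
}

# named_caching_options [FORWARDER ...] -> print an options {} block for a
# caching-only resolver bound to 127.0.0.1. With no arguments no "forwarders"
# statement is emitted, so named recurses from the root hints (the thread's
# "none at all" case); with arguments it forwards to those servers only.
named_caching_options() {
    printf 'options {\n'
    printf '    listen-on { 127.0.0.1; };\n'
    printf '    allow-query { localhost; };\n'   # assumption: only local clients
    printf '    recursion yes;\n'
    if [ "$#" -gt 0 ]; then
        printf '    forwarders {'
        for fw in "$@"; do printf ' %s;' "$fw"; done
        printf ' };\n'
        printf '    forward only;\n'
    fi
    printf '};\n'
}

# Stand-alone demonstration on constructed sample files (not real /etc data).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.conf"
    printf 'passwd: files\nhosts: files dns\n' > "$tmp/nsswitch.conf"
    printf 'hosts: files resolve [!UNAVAIL=return] dns\n' > "$tmp/nsswitch.resolved"
    check_resolv "$tmp/resolv.conf" && echo "resolv.conf: local resolver OK"
    check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: OK"
    check_nsswitch "$tmp/nsswitch.resolved" || echo "nsswitch.resolved: still uses resolve"
    echo "--- options block forwarding to 10.0.0.2 ---"
    named_caching_options 10.0.0.2
    rm -rf "$tmp"
fi
```

Run it with `sh check-resolver.sh --demo` to see the checks against the constructed samples, or source it and call `check_resolv /etc/resolv.conf` and `check_nsswitch /etc/nsswitch.conf` on a real host; `named_caching_options` with no arguments prints the root-hints variant, and its output is meant to be pasted into named.conf.options after review, not written there blindly.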