Re: [systemd-devel] .local searches not working
On Fr, 09.04.21 15:20, Phillip Susi (ph...@thesusis.net) wrote:

> Silvio Knizek writes:
>
> > So in fact your network is not standards-conformant. You have to define
> > .local as search and routing domain in the configuration of
> > sd-resolved.
>
> Interesting... so what are you supposed to name your local, private
> domains?

This draft RFC suggests .home or .corp:

https://www.ietf.org/archive/id/draft-chapin-additional-reserved-tlds-02.txt

It never made it beyond a draft, but I think that's already enough to be
pretty sure these domains are unlikely to be used elsewhere.

RFC 6762, Appendix G suggests using .lan, .intranet, .internal and
.private.

RFC 8375 suggests .home.arpa. This is probably the RFC that is the most
official one, but OTOH it's probably at the moment the least widely used
one. Still, probably the safest bet, though it does sound a bit weird
when used in a corporate context.

> I believe Microsoft used to (or still do?) recommend using
> .local to name your domain if you don't have a public domain name, so
> surely I'm not the first person to run into this? Why does
> systemd-resolved not fall back to DNS if it can't first resolve the name
> using mDNS? That appears to be allowed by the RFC.

You can enable this, just add ~local to the routing domains of the
relevant DNS server.

We won't do this automatically for security reasons, as locally scoped
names should not be routed to Internet DNS servers, as that leaks pretty
sensitive information about the local network infrastructure.

Lennart

--
Lennart Poettering, Berlin

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] .local searches not working
On Sat, Apr 10, 2021, 02:02 Mantas Mikulėnas wrote:

> On Fri, Apr 9, 2021, 22:28 Phillip Susi wrote:
>
>> Silvio Knizek writes:
>>
>> > So in fact your network is not standards-conformant. You have to define
>> > .local as search and routing domain in the configuration of
>> > sd-resolved.
>>
>> Interesting... so what are you supposed to name your local, private
>> domains?
>
> .home.arpa is reserved for that purpose by IANA (as part of the Homenet
> work, but explicitly stated that its usage is not limited to Homenet
> protocols).

Er, I think I mixed up IANA and IETF there. It should be the latter, I
think.

> Though if you own a public domain there's nothing wrong with using a
> subdomain of it for your private LAN, either.
>
>> I believe Microsoft used to (or still do?) recommend using
>> .local to name your domain if you don't have a public domain name, so
>> surely I'm not the first person to run into this?
>
> It could be that at some point they did. I've seen Active Directory
> domains named "university.local" (even though they *did* have a public
> domain...) But IIRC they went back on that recommendation.
>
>> Why does
>> systemd-resolved not fall back to DNS if it can't first resolve the name
>> using mDNS? That appears to be allowed by the RFC.
>
> Simply falling back for each individual query is probably not desirable
> because it would also leak local hostnames for people who *do* use mDNS.
>
> Systemd-resolved could implement the "check if local. SOA exists" probe
> that AFAIK Apple does, I think there was a github thread about it...
>
> ... Actually, if you manually set an interface's search domain in resolved
> to "local", doesn't that make it start using DNS for this domain? I cannot
> test right now, but I'm *sure* I've seen something like that in resolved's
> docs.
Re: [systemd-devel] .local searches not working
On Fri, Apr 9, 2021, 22:28 Phillip Susi wrote:

> Silvio Knizek writes:
>
> > So in fact your network is not standards-conformant. You have to define
> > .local as search and routing domain in the configuration of
> > sd-resolved.
>
> Interesting... so what are you supposed to name your local, private
> domains?

.home.arpa is reserved for that purpose by IANA (as part of the Homenet
work, but explicitly stated that its usage is not limited to Homenet
protocols).

Though if you own a public domain there's nothing wrong with using a
subdomain of it for your private LAN, either.

> I believe Microsoft used to (or still do?) recommend using
> .local to name your domain if you don't have a public domain name, so
> surely I'm not the first person to run into this?

It could be that at some point they did. I've seen Active Directory
domains named "university.local" (even though they *did* have a public
domain...) But IIRC they went back on that recommendation.

> Why does
> systemd-resolved not fall back to DNS if it can't first resolve the name
> using mDNS? That appears to be allowed by the RFC.

Simply falling back for each individual query is probably not desirable
because it would also leak local hostnames for people who *do* use mDNS.

Systemd-resolved could implement the "check if local. SOA exists" probe
that AFAIK Apple does, I think there was a github thread about it...

... Actually, if you manually set an interface's search domain in resolved
to "local", doesn't that make it start using DNS for this domain? I cannot
test right now, but I'm *sure* I've seen something like that in resolved's
docs.
Re: [systemd-devel] .local searches not working
Silvio Knizek writes:

> So in fact your network is not standards-conformant. You have to define
> .local as search and routing domain in the configuration of
> sd-resolved.

Interesting... so what are you supposed to name your local, private
domains? I believe Microsoft used to (or still do?) recommend using
.local to name your domain if you don't have a public domain name, so
surely I'm not the first person to run into this? Why does
systemd-resolved not fall back to DNS if it can't first resolve the name
using mDNS? That appears to be allowed by the RFC.
Re: [systemd-devel] .local searches not working
On Friday, 09.04.2021 at 14:27 -0400, Phillip Susi wrote:

> What special treatment does systemd-resolved give to .local domains?
> The corporate Windows network uses a .local domain and even when I point
> systemd-resolved at the domain controller, it fails the query without
> bothering to ask the dc saying:
>
> resolve call failed: No appropriate name servers or networks for name
> found

Well, .local is by definition special as it is reserved for MulticastDNS
[1]. The man page [2] itself says

> Multi-label names with the domain suffix ".local" are resolved using
> MulticastDNS on all local interfaces where MulticastDNS is enabled.
> As with LLMNR, IPv4 address lookups are sent via IPv4 and IPv6
> address lookups are sent via IPv6.
>
> Queries for multi-label names are routed via unicast DNS on local
> interfaces that have a DNS server configured, plus the globally
> configured DNS servers if there are any. Which interfaces are used
> is determined by the routing logic based on search and route-only
> domains, described below. Note that by default, lookups for domains
> with the ".local" suffix are not routed to DNS servers, unless the
> domain is specified explicitly as routing or search domain for the
> DNS server and interface. This means that on networks where the
> ".local" domain is defined in a site-specific DNS server, explicit
> search or routing domains need to be configured to make lookups work
> within this DNS domain. Note that these days, it's generally
> recommended to avoid defining ".local" in a DNS server, as RFC6762
> reserves this domain for exclusive MulticastDNS use.

So in fact your network is not standards-conformant. You have to define
.local as search and routing domain in the configuration of
sd-resolved.

BR
Silvio

[1] https://tools.ietf.org/html/rfc6762#section-3
[2] https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
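Added example, not code from this thread or from the systemd project: the "search and routing domain" configuration Silvio describes in his reply and Lennart's "add ~local to the routing domains of the relevant DNS server" at the top of the thread, written so that it binds the .local zone to the DNS server on one link only. Scoping it to the link keeps .local lookups off Internet resolvers on every other link, which is the leak Lennart gives as the reason resolved does not do this by default. The interface name eth0, the address 192.0.2.10 (documentation range) and the file name are placeholders.

```shell
#!/bin/sh
# Added example; not code from this thread or from the systemd project.
# Binds the corporate .local zone to the DNS server reachable on ONE link,
# so .local lookups on that link reach the domain controller and routing on
# every other link stays as it was. "eth0" and 192.0.2.10 are placeholders
# for the link facing the DC and the DC's address.

# Render a systemd-networkd .network unit for the link. In Domains=,
#   local   (no tilde) is a search domain: "dc1" completes to "dc1.local"
#   ~local  is a route-only domain: *.local queries are sent to this link's
#           DNS server, but nothing is appended to short names
# Listing both gives the "search and routing domain" the thread asks for.
# Putting the same Domains= line into the global [Resolve] section of
# resolved.conf instead would send .local names to whatever DNS server is
# active, Internet resolvers included, which is the leak Lennart describes.
render_network_unit() {
    iface="$1"; dns="$2"
    cat <<EOF
[Match]
Name=${iface}

[Network]
DNS=${dns}
Domains=local ~local
EOF
}

# Write the unit under a configurable root (default /) so the rendering can
# be checked in a scratch directory. It takes effect only where
# systemd-networkd manages the link; after writing, run: networkctl reload
write_network_unit() {
    iface="$1"; dns="$2"; root="${3:-}"
    dir="${root}/etc/systemd/network"
    mkdir -p "$dir"
    file="${dir}/10-${iface}-corp-local.network"
    render_network_unit "$iface" "$dns" > "$file"
    printf '%s\n' "$file"
}

# Non-persistent equivalent for a link managed by something other than
# networkd (lost at reboot or when the link is reconfigured), followed by
# the checks: the status output should list "DNS Domain: local ~local" for
# the link, and the query should now be answered by the DC instead of failing
# with "No appropriate name servers or networks for name found".
apply_runtime_and_check() {
    iface="$1"; dns="$2"
    resolvectl dns "$iface" "$dns"
    resolvectl domain "$iface" local '~local'
    resolvectl status "$iface"
    resolvectl query dc1.local      # placeholder host in the corporate zone
}

# Usage with the placeholders (run as root on the affected machine):
#   write_network_unit eth0 192.0.2.10
#   apply_runtime_and_check eth0 192.0.2.10
```

`resolvectl status` without a link argument shows the global section as well; if `~local` appears there rather than under the corporate link, the configuration has been applied globally and should be moved to the link.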
[systemd-devel] .local searches not working
What special treatment does systemd-resolved give to .local domains?
The corporate Windows network uses a .local domain and even when I point
systemd-resolved at the domain controller, it fails the query without
bothering to ask the dc saying:

resolve call failed: No appropriate name servers or networks for name found