通过systemd-resloved实现不同域名通过不同的`nameserver`进行解析

通过systemd-resloved实现不同域名通过不同的nameserver进行解析

一般来说只要DNS不发生网络故障就只会在一个nameserver 获取地址，但我们可能需要从不同nameserver 获取不同域名的地址，比如内网环境和外网环境分别使用不同的nameserver ，但resloveconf只会在一个DNS server获取地址，即使在/etc/resolv.conf中设置了多个nameserver 如果第一个nameserver 返回的是NXDOMIAN而不是没有返回也不会使用其他的nameserver

如果需要按照Domains匹配nameserver进行查询可以参考以下步骤

编辑systemd-resloved /etc/systemd/resolved.conf.d/custom.conf 指定Domains=www.test.com 到其他地方进行解析

[Resolve]
DNS=10.10.0.7
Domains=www.test.com

查看当前配置可以看到默认路由是到172.31.0.2但是www.test.com 会通过DNS 10.10.0.7解析

#重启服务
#systemctl restart systemd-resolved.service
root@ip-172-31-40-209:~# resolvectl status
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 10.10.0.7
       DNS Servers: 10.10.0.7
        DNS Domain: www.test.com

Link 2 (ens5)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.31.0.2
       DNS Servers: 172.31.0.2
        DNS Domain: cn-north-1.compute.internal

测试解析

resolvectl flush-caches
root@ip-172-31-40-209:~# resolvectl query www.baidu.com
www.baidu.com: 39.156.66.14                    -- link: ens5
               39.156.66.18                    -- link: ens5
               (www.a.shifen.com)

-- Information acquired via protocol DNS in 2.8ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: cache network
root@ip-172-31-40-209:~# resolvectl query www.test.com
www.test.com: 172.31.8.8                       -- link: ens5

-- Information acquired via protocol DNS in 2.4ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

需要注意gethostbyname和getaddrinfo默认来说并不会使用systemd-resloved进行解析例如

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>

int main() {
   const char *hostname = "www.baidu.com";
   struct hostent *host_info;
   struct in_addr **addr_list;
   int i;

   // 使用 gethostbyname 获取主机信息
   if ((host_info = gethostbyname(hostname)) == NULL) {
       // 如果无法解析主机名，显示错误信息
       herror("gethostbyname");
       return 1;
   }

   // 打印主机名
   printf("Host name: %s\n", host_info->h_name);

   // 打印所有 IP 地址
   addr_list = (struct in_addr **)host_info->h_addr_list;
   for(i = 0; addr_list[i] != NULL; i++) {
       printf("IP Address: %s\n", inet_ntoa(*addr_list[i]));
   }

   return 0;

但gethostbyname和getaddrinfo是兼容nsswitch.conf的

The glibc getaddrinfo(3) API as defined by RFC3493 and its related resolver functions, including gethostbyname(3). This API is widely supported, including beyond the Linux platform. In its current form it does not expose DNSSEC validation status information however, and is synchronous only. This API is backed by the glibc Name Service Switch (nss(5)). Usage of the glibc NSS module nss-resolve(8) is required in order to allow glibc's NSS resolver functions to resolve hostnames via systemd-resolved.

如果需要确保使用systemd-resloved需要修改/etc/nsswitch.conf文件将hosts这一行修改位hosts: files resolve [!UNAVAIL=return] dns

这种配置方式执行以下操作：

• files: 首先检查 /etc/hosts 文件。
• resolve: 使用通过 nss-resolve 模块的 systemd-resolved 进行解析。
• [!UNAVAIL=return]: 确保如果 resolve 不可用，不会回退到下一个方法。
• dns: 如果 resolve 失败，则回退到传统的 DNS 解析。

修改后就能够解析到了

[root@ip-172-31-35-68 dns]# ./a.out
Host name: www.a.shifen.com
IP Address: 110.242.68.3
IP Address: 110.242.68.4

不适用nss的兼容resolvconf的配置方案

针对一些dig 和nslookup之类的命令依赖/etc/resolv.conf而不会在nss中查看现后顺序的，如果需要resolvconf也能够使用不同DNS server解析不同域名，则需要开启systemd的stub Resolver功能，监听127.0.0.53 的53端口实现本地缓存和stub的功能

1. 首先确认stub Resolver是否开启

   systemd-analyze cat-config systemd/resolved.conf命令可以查看到具体的配置DNSStubListener=no则表示没有开启，需要修改为开启。

   

2. 重启systemctl restart systemd-resolved.service

3. 确认配置文件已经修改

   

4. 需要将reslov.conf 指向stub-resolv

root@ip-172-31-40-209:~# rm -rf /etc/resolv.conf
root@ip-172-31-40-209:~#  ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

就可以成功使用不同DNS服务器解析不同域名了

一些排错命令

查看缓存记录

#将cache写入日志
sudo pkill -USR1 systemd-resolve  
#查看日志
journalctl -u systemd-resolved

root@ip-172-31-40-209:~# #解析记录
resolvectl query  baidu.com
#清空缓存
resolvectl flush-caches
#统计信息
resolvectl statistics
#刷新统计信息
resolvectl reset-statistics
#解析服务的状态
resolvectl status
baidu.com: 39.156.66.10                        -- link: ens5
           110.242.68.66                       -- link: ens5

-- Information acquired via protocol DNS in 2.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
DNSSEC supported by current servers: no

Transactions
Current Transactions: 0
  Total Transactions: 1478

Cache
  Current Cache Size: 0
          Cache Hits: 433
        Cache Misses: 1102

DNSSEC Verdicts
              Secure: 0
            Insecure: 0
               Bogus: 0
       Indeterminate: 0
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 10.10.0.7
       DNS Servers: 10.10.0.7
        DNS Domain: www.test.com

Link 2 (ens5)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.31.0.2
       DNS Servers: 172.31.0.2
        DNS Domain: cn-north-1.compute.internal