通过systemd-resloved实现不同域名通过不同的nameserver
进行解析
一般来说只要DNS不发生网络故障就只会在一个nameserver
获取地址,但我们可能需要从不同nameserver
获取不同域名的地址,比如内网环境和外网环境分别使用不同的nameserver
,但resloveconf只会在一个DNS server获取地址,即使在/etc/resolv.conf
中设置了多个nameserver
如果第一个nameserver
返回的是NXDOMIAN
而不是没有返回也不会使用其他的nameserver
如果需要按照Domains
匹配nameserver
进行查询可以参考以下步骤
编辑systemd-resloved /etc/systemd/resolved.conf.d/custom.conf 指定Domains=www.test.com 到其他地方进行解析
[Resolve]
DNS=10.10.0.7
Domains=www.test.com
查看当前配置可以看到默认路由是到172.31.0.2但是www.test.com 会通过DNS 10.10.0.7解析
#重启服务
#systemctl restart systemd-resolved.service
root@ip-172-31-40-209:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 10.10.0.7
DNS Servers: 10.10.0.7
DNS Domain: www.test.com
Link 2 (ens5)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.31.0.2
DNS Servers: 172.31.0.2
DNS Domain: cn-north-1.compute.internal
测试解析
resolvectl flush-caches
root@ip-172-31-40-209:~# resolvectl query www.baidu.com
www.baidu.com: 39.156.66.14 -- link: ens5
39.156.66.18 -- link: ens5
(www.a.shifen.com)
-- Information acquired via protocol DNS in 2.8ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: cache network
root@ip-172-31-40-209:~# resolvectl query www.test.com
www.test.com: 172.31.8.8 -- link: ens5
-- Information acquired via protocol DNS in 2.4ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
需要注意gethostbyname
和getaddrinfo
默认来说并不会使用systemd-resloved
进行解析例如
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>
int main() {
const char *hostname = "www.baidu.com";
struct hostent *host_info;
struct in_addr **addr_list;
int i;
// 使用 gethostbyname 获取主机信息
if ((host_info = gethostbyname(hostname)) == NULL) {
// 如果无法解析主机名,显示错误信息
herror("gethostbyname");
return 1;
}
// 打印主机名
printf("Host name: %s\n", host_info->h_name);
// 打印所有 IP 地址
addr_list = (struct in_addr **)host_info->h_addr_list;
for(i = 0; addr_list[i] != NULL; i++) {
printf("IP Address: %s\n", inet_ntoa(*addr_list[i]));
}
return 0;
但gethostbyname
和getaddrinfo
是兼容nsswitch.conf
的
The glibc getaddrinfo(3) API as defined by RFC3493 and its related resolver functions, including gethostbyname(3). This API is widely supported, including beyond the Linux platform. In its current form it does not expose DNSSEC validation status information however, and is synchronous only. This API is backed by the glibc Name Service Switch (nss(5)). Usage of the glibc NSS module nss-resolve(8) is required in order to allow glibc's NSS resolver functions to resolve hostnames via systemd-resolved.
如果需要确保使用systemd-resloved需要修改/etc/nsswitch.conf文件将hosts这一行修改位hosts: files resolve [!UNAVAIL=return] dns
这种配置方式执行以下操作:
files
: 首先检查/etc/hosts
文件。resolve
: 使用通过nss-resolve
模块的systemd-resolved
进行解析。[!UNAVAIL=return]
: 确保如果resolve
不可用,不会回退到下一个方法。dns
: 如果resolve
失败,则回退到传统的 DNS 解析。
修改后就能够解析到了
[root@ip-172-31-35-68 dns]# ./a.out
Host name: www.a.shifen.com
IP Address: 110.242.68.3
IP Address: 110.242.68.4
不适用nss的兼容resolvconf的配置方案
针对一些dig 和nslookup之类的命令依赖/etc/resolv.conf
而不会在nss中查看现后顺序的,如果需要resolvconf也能够使用不同DNS server解析不同域名,则需要开启systemd的stub Resolver功能,监听127.0.0.53 的53端口实现本地缓存和stub的功能
-
首先确认stub Resolver是否开启
systemd-analyze cat-config systemd/resolved.conf
命令可以查看到具体的配置DNSStubListener=no
则表示没有开启,需要修改为开启。 -
重启
systemctl restart systemd-resolved.service
-
确认配置文件已经修改
-
需要将reslov.conf 指向stub-resolv
root@ip-172-31-40-209:~# rm -rf /etc/resolv.conf
root@ip-172-31-40-209:~# ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
就可以成功使用不同DNS服务器解析不同域名了
一些排错命令
查看缓存记录
#将cache写入日志
sudo pkill -USR1 systemd-resolve
#查看日志
journalctl -u systemd-resolved
root@ip-172-31-40-209:~# #解析记录
resolvectl query baidu.com
#清空缓存
resolvectl flush-caches
#统计信息
resolvectl statistics
#刷新统计信息
resolvectl reset-statistics
#解析服务的状态
resolvectl status
baidu.com: 39.156.66.10 -- link: ens5
110.242.68.66 -- link: ens5
-- Information acquired via protocol DNS in 2.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
DNSSEC supported by current servers: no
Transactions
Current Transactions: 0
Total Transactions: 1478
Cache
Current Cache Size: 0
Cache Hits: 433
Cache Misses: 1102
DNSSEC Verdicts
Secure: 0
Insecure: 0
Bogus: 0
Indeterminate: 0
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 10.10.0.7
DNS Servers: 10.10.0.7
DNS Domain: www.test.com
Link 2 (ens5)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.31.0.2
DNS Servers: 172.31.0.2
DNS Domain: cn-north-1.compute.internal