Systemd-resolved: Setting up a local domain

Has anyone used resolved to set up a local domain? I want to set up a domain like test.local and since Fedora / Cent / RHEL are all using resolved, I’d like to learn how to do it the “native resolved way”. The closest how-to I’ve found was using dnsmasq alongside resolved.

By dns mass, I assume you mean dnsmasq, in which case, that is exactly what I would do.


@vwbusguy
Thanks for catching that. Stupid autocorrect.

@vgaetera
I’m trying to do this tutorial:

The first part is to set up a local domain. I was asked to figure out how to do it on Linux and write a how-to for my colleagues to use. Can I configure resolved to use a .lan, .home, or .home.arpa for Docker on my workstation to use?

systemd-resolved is mainly a client service.
You need some DNS server to serve A/AAAA records.
dnsmasq is likely the easiest way to do that.


Thank you. I’ll go ahead and do that.


ICANN has proposed the .internal TLD for private use.

For completeness: for a small project like this systemd-resolved might be suitable too. dnsmasq reads local names from /etc/hosts, but systemd-resolved does this too by default. The difference is that, for dnsmasq, you can define additional hosts files to keep your system’s own one clean.
The systemd-resolved option DNSStubListenerExtra allows systemd-resolved not only to respond on 127.0.0.53, but also other address(es).

/etc/hosts fragment:

192.168.3.1	host1.test.lan
fc00:1::1	host1.test.lan
192.168.3.2	host2.test.lan
fc00:1::2	host2.test.lan

resolvectl output:

resolvectl query host1.test.lan
host1.test.lan: fc00:1::1
                192.168.3.1

On my Fedora system, it looks like avahi-daemon has been packaged/pre-installed and is ready-to-go with serving mDNS queries.

NAME
       avahi.hosts - avahi-daemon static host name file

SYNOPSIS
       /etc/avahi/hosts

DESCRIPTION
       /etc/avahi/hosts is a file which may be used to define static host name to IP address
       mappings for multicast DNS. This is especially useful when publishing DNS-SD services
       on behalf of other hosts. See avahi.service(5) for more information.

       The file format is similar to the one of /etc/hosts: on each line an IP address and
       the corresponding host name. The host names should be in FQDN form, i.e. with
       appended .local suffix.

AUTHORS
       The Avahi Developers <avahi (at) lists (dot) freedesktop (dot) org>; Avahi is
       available from http://avahi.org/

SEE ALSO
       avahi-daemon(8), avahi.service(5)

COMMENTS
       This man page was written using xml2man(1) by Oliver Kurth.


There is a /etc/avahi/hosts file already present with some commented-out examples:

$ tail /etc/avahi/hosts 
# This file contains static ip address <-> host name mappings.  These
# can be useful to publish services on behalf of a non-avahi enabled
# device. Please bear in mind that host names are expected to be
# fully qualified domain names, i.e. ending in .local!

# See avahi.hosts(5) for more information on this configuration file!

# Examples:
# 192.168.0.1 router.local
# 2001::81:1 test.local

And it looks like mdns4_minimal is already configured in /etc/nsswitch.conf.

$ grep ^hosts /etc/nsswitch.conf
hosts:      files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns

I’ve never used it, but probably all you need to do is edit /etc/avahi/hosts and maybe restart avahi-daemon.service (and/or enable avahi-daemon.socket).

caveat emptor: The PC I’m looking at is not a “fresh” installation, so it may have picked up some of this as part of something else I did. But I never intentionally installed/enabled Avahi, so I think it is likely something that came with Fedora Linux (at least at one point in time).

With avahi and mdns, the other computers on the same network are automatically known. For example, if you have a computer named “fc36” you can look it up like this:

[vek@newbox ~]$ getent hosts fc36.local
192.168.178.20  fc36.local
[vek@newbox ~]$ 

No configuration needed other than setting the host names on each computer, preferably without any domain suffix.


That just loses you caching and other features.

Tried the procedure, being lazy and using my existing easy-rsa for openvpn until the signing step where the DNS name is added. Note that the procedure to import CA certs for Linux does not work in Fedora, read “man update-ca-trust” and follow instructions there. Educational for sure, but updating ca trust on all devices is less attractive. If the aim is to have development and production the same, I would apply for a (free) global dynamic dns name + letsencrypt certificate, and overrule the dynamic DNS IP by local ip with systemd-resolved or dnsmasq.
IPv6 would be ideal, since there the difference between internal and external addresses no longer exists, but your provider should support it, and containers or reverse proxies might cause some headaches.

This is for developers at my company to use. For many of them, that’s too complicated a procedure. The goal is for them to set up Docker on their machines and then have a local domain and CA for their containerized applications to use. I know Podman exists but the former manager of the Linux team gutted Podman from the build image, and most of the developers are already familiar with installing Docker.

Podman exists because Docker was very hard to use on a Fedora/RHEL system.
Especially after the switch to the kernel control groups 2 API, as Docker refused to support it.
Not sure if they finally did add the required support.

OK, professional environment. Then probably indeed a local domain is the easiest because you can create hostnames and certificates as much as you need.
dnsmasq is a proven program so probably the best choice, after disabling systemd-resolved or using dnsmasq as input for systemd-resolved. The latter detects that it is fed by a cache so if everything is OK it disables its own cache. Depending on the application, maybe unbound or bind are even better because these are the authoritative servers on the internet, but much more complicated to configure.

I have had a good experience with mkcert (GitHub: FiloSottile/mkcert, “A simple zero-config tool to make locally trusted development certificates with any names you’d like”). The author is a lead engineer for security libraries for golang. mkcert is designed to create certs for development.

I’m looking at mkcert, but it doesn’t handle the DNS portion of it.

For anyone looking over this thread in the future trying to do the same, here’s a how-to for setting up DNSMasq alongside systemd-resolved:


How does that interact with the Avahi daemon and mdns4_minimal which seem to be enabled by default on Fedora Linux? If dnsmasq and Avahi both happen to resolve the same <whatever>.local DNS name, who wins? If some random device is connected to the network that happens to have a conflicting name with whatever .local DNS name your local server is responding to, does the new network device suddenly start to receive all the data/traffic?

I don’t know the answers, it just doesn’t seem like a good idea to have two completely different and unrelated services providing answers for the same namespace.

My guess is whichever service happens to be listed first in /etc/nsswitch.conf would “win” (mdns4_minimal = Avahi or resolve = systemd resolve).

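As an added illustration of the ordering question raised in the post above (this is not code from the thread), the script below parses an nsswitch.conf hosts line and two hosts-style files and reports which NSS source gets the first chance to answer a given name, and which .local names are defined with different addresses in /etc/hosts and /etc/avahi/hosts. The sample inputs are constructed from the snippets quoted earlier in the thread; the rule that mdns4_minimal only claims names ending in .local is an assumption stated in the code.

```python
# Constructed sample inputs, modelled on the nsswitch.conf line, /etc/hosts fragment and /etc/avahi/hosts examples quoted in this thread.
NSSWITCH = "hosts:      files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns\n"
ETC_HOSTS = """\
192.168.3.1\thost1.test.lan
fc00:1::1\thost1.test.lan
192.168.3.254\trouter.local   # same name as the Avahi entry, different address
"""
AVAHI_HOSTS = """\
192.168.0.1 router.local
2001::81:1 test.local
"""

def parse_hosts(text):
    """Parse hosts-file text into {name: {addresses}}; '#' comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), set()).add(fields[0])
    return table

def nss_hosts_order(text):
    """Return the NSS sources on the 'hosts:' line in order, dropping '[...]' action specs."""
    for line in text.splitlines():
        if line.startswith("hosts:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []

def first_source_for(name, order, etc_hosts):
    """Which NSS source gets the first real chance to answer `name` (assumptions: 'files' answers only
    names in /etc/hosts, mdns* only *.local names, resolve/dns anything; myhostname is ignored)."""
    name = name.lower().rstrip(".")
    for src in order:
        if src == "files" and name in etc_hosts:
            return src
        if src.startswith("mdns") and name.endswith(".local"):
            return src
        if src in ("resolve", "dns"):
            return src
    return None

def conflicting_local_names(etc_hosts, avahi_hosts):
    """Return .local names present in both files but mapped to different address sets."""
    return {n for n in etc_hosts.keys() & avahi_hosts.keys()
            if n.endswith(".local") and etc_hosts[n] != avahi_hosts[n]}

if __name__ == "__main__":
    order, hosts = nss_hosts_order(NSSWITCH), parse_hosts(ETC_HOSTS)
    for n in ("host1.test.lan", "router.local", "test.local", "host3.test.lan"):
        print(f"{n:16} -> {first_source_for(n, order, hosts)}")
    print("conflicting .local names:", conflicting_local_names(hosts, parse_hosts(AVAHI_HOSTS)))
```

With the quoted line, a .local name that is not in /etc/hosts goes to mdns4_minimal before systemd-resolved ever sees it, which is the behaviour the post guesses at.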

Avahi is a different protocol (Zeroconf/mDNS). It’s the Apple networking stack and is different from traditional DNS, but dnsmasq can forward to an upstream DNS (which you’ll almost certainly be doing anyway to something like 1.1.1.1) if you want dnsmasq to resolve Avahi-managed local domains. You can also have multiple resolvers in resolv.conf.