Correct way to use external nameservers?

MuhKuh · Sep 6th 2014

I currently have 3 external nameservers in my /etc/resolv.conf and the package resolvconf is not installed, so /etc/resolv.conf is a file and not a link.

During i-mscp installation I tried all 3 combinations.

1. Use bind9 and allow local resolver to use bind9

resolvconf and bind9 packages installed
resolv.conf contains only 127.0.0.1 after installation

2. Use bind9 and no dot allow local resolver to use bind9

resolvconf and bind9 packages installed
resolv.conf contains only 127.0.0.1 after installation
Where is the difference to option 1?

3. Use external nameserver

resolvconf package installed
resolv.conf still contains the 3 namesevers after installation
however after restart, resolv.conf is empty

Therefore my question: What is the i-mscp way of setting the external nameservers correctly?

**Nuxwin** · Sep 6th 2014

Hello ;

Normally, when you disable the local DNS resolver, your own entries should be left untouched (option 2). The current behavior is wrong and I'll fix this. For the option 3, I'll also check why after a restart, the entries get removed.

Thank you for your report.

**Nuxwin** · Sep 6th 2014

Re;

I've do some tests and here come the results:

Test environment

I've also added the following entries in my static resolv.conf file:

Shell-Script

search nuxwin.comnameserver 8.8.8.8nameserver 8.8.4.4

First test

I've rebooted the server.

Result: No changes. The entries were not removed (This was expected because a static resolv.conf file has been used).

Second test

I've installed the resolvconf package and rebooted the server.

Result: The entries were gone after reboot.

This is expected because as stated in the last resolvconf documentation:

Code

N.B.: On a machine where resolvconf has just been or is about to be installed and which previously relied on a static /etc/resolv.conf file, the nameserver information in that static file should be migrated to the appropriate iface stanza(s) in interfaces(5).

So here, I've simply migrated my entries into the /etc/network/interfaces as follow:

The /etc/network/interfaces before editing:

Shell-Script

allow-hotplug eth0# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interfaceauto loiface lo inet loopback# The primary network interfaceallow-hotplug eth0iface eth0 inet static address 192.168.5.120 netmask 255.255.255.0 network 192.168.5.0 broadcast 192.168.5.255 gateway 192.168.5.254

The /etc/network/interfaces after editing:

Shell-Script

allow-hotplug eth0# This file describes the network interfaces available on your system# and how to activate them. For more information, see interfaces(5).# The loopback network interfaceauto loiface lo inet loopback# The primary network interfaceallow-hotplug eth0iface eth0 inet static address 192.168.5.120 netmask 255.255.255.0 network 192.168.5.0 broadcast 192.168.5.255 gateway 192.168.5.254 # dns-* options are implemented by the resolvconf package, if installed dns-search nuxwin.com dns-nameservers 8.8.8.8 8.8.4.4

Then, I've run ifdown eth0 && ifup eth0 to trigger update of the dynamic resolv.conf file.

The dynamic resolv.conf file after update has been changed to:

Shell-Script

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 8.8.8.8nameserver 8.8.4.4search nuxwin.com

To resume here, when you are using a static resolv.conf file and before switching to resolvconf (a dynamic resolv.conf file), you must move your nameserver entries into the /etc/network/interfaces file to be sure that they will be re-added after reboot.

Note: This is not the only way to process.

Third test

I've moved the nameserver entries from the static resolv.conf file into the /etc/network/interfaces file as stated in second test.
I've installed i-MSCP (with bind9 + local DNS resolver enabled)

The dynamic resolv.conf file after installation was:

Shell-Script

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 127.0.0.1search nuxwin.com

The dynamic resolv.conf file after reboot was:

Shell-Script

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 127.0.0.1search nuxwin.com

Fourth test

I've disabled the local DNS resolver: perl imscp-autoinstall -dar resolver

The dynamic resolv.conf file after reconfiguration was:

Code

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 127.0.0.1search nuxwin.com

The dynamic resolv.conf file after reboot was:

Code

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 127.0.0.1search nuxwin.com

Here is the bug. I've specified that I do not want use the local DNS resolver through the i-MSCP installer but the entry was still added. This is not really due to i-MSCP. In fact, this is because bind9 adds the nameserver 127.0.0.1 entry itself when the value of the RESOLVCONF parameter in the /etc/default/bind9 file is set to yes.

To solve the problem I've set the value of this parameter to no and removed the entry by running:

Shell-Script

# /sbin/resolvconf -d lo.named

Then after doing this, the dynamic resolv.conf file has been changed to:

Shell-Script

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 8.8.8.8nameserver 8.8.4.4search nuxwin.com

And after reboot, it was:

Shell-Script

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 8.8.8.8nameserver 8.8.4.4search nuxwin.com

To resume here, i-MSCP must also set the RESOLVCONF parameter value to no in the /etc/default/bind9 when the local DNS resolver is disabled. I'll fix that.

Specific behavior

In latest resolvconf versions your own nameserver entries get removed only if the TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS is affirmatively set.
This essentially mean that your own entries (up to 3 nameserver entries max) will be left untouched, even if you add the nameserver 127.0.0.1 entry.

For instance, you'll get something like:

Shell-Script

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTENnameserver 127.0.0.1nameserver 8.8.8.8nameserver 8.8.4.4search nuxwin.com

Indeed, the related documentation state

Code

...
The dynamically generated resolver configuration file always starts with the contents of /etc/resolvconf/resolv.conf.d/head and ends with the contents of /etc/resolvconf/resolv.conf.d/tail.
Between head and tail the libc script inserts dynamic nameserver information compiled from, first, information provided for configured interfaces; second, static information from /etc/resolv‐conf/resolv.conf.d/base. Specifically, it writes:
1) up to three nameserver lines, ordered according to /etc/resolvconf/interface-order, possibly fewer if one of the addresses is a loopback address and the TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS environment variable is affirmatively set, as discussed in the ENVIRONMENT VARIABLES section;
2) up to one search line containing the combined domain search list from all "domain" and "search" input lines, also ordered according to interface-order(5);
3) all other non-comment input lines.
...

MuhKuh · Sep 6th 2014

wow, thanks for the detailed testing and documentation

**Nuxwin** · Sep 7th 2014

Re;

Bug as described in test 4 should be fixed. See https://github.com/i-MSCP/imsc…8ac48033c6c1a6a869c7505ba

Correct way to use external nameservers?

Share

Daily visitors