On Fri, 2014-04-11 at 14:21 -0500, Dan Williams wrote:
On Sat, 2014-04-12 at 02:33 +0800, P J P wrote:
> Hello,
>
> > On Thursday, 10 April 2014 11:39 PM, P J P wrote:
> > I plan to file a feature/change request for this one. I got caught up with
other
> > work this past week so could not do it. Will start with it right away.
>
> Please see ->
https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
>
> It's a System Wide Change Proposal request up for review.
>
> I have set the target release as F22, because the proposal deadline for F21 was 08
Apr 2014 [1]. Besides, this change would require significant work on the related packages
like NetworkManager etc. So F22 seems safer.
>
> In case if you spot any discrepancies or have additional inputs or links to relevant
documents etc. please feel free to update the wiki page or let me know and I'll add it
there.
NM has had local caching nameserver capability built-in since Fedora 12
or something like that. Set 'dns=dnsmasq' in the [main] section
of /etc/NetworkManager/NetworkManager.conf and NM will spawn dnsmasq in
a local caching nameserver configuration and write 127.0.0.1 to
resolv.conf. NM will update that dnsmasq instance whenever your network
configuration chagnes to ensure that dnsmasq has the latest nameservers.
It seems that 'unbound' is getting more love these days though, due to
it's DNSSEC capabilities, and there is not yet a NetworkManager DNS
plugin for unbound/dnssec-trigger. I know some people are working on
that though (Thomas Hozza and Pavel Simerda) and I'd expect that to show
up in the near future.
Note that hotspot detection is an important part of this, since hotspots
will clearly break any kind of DNSSEC validation that happens, and
that's something that's being worked out between dnssec-trigger and
NetworkManager right now too.
NM in F20+ already has a "dns=none" option that prevents NM from
touching resolv.conf, but obviously if NM isn't touching it, the DNS
information that NM gets from upstream or your local configuration needs
to get to the local caching nameserver somehow. Which is what the
existing NM DNS plugins are for, like the dnsmasq one.
" Add domain specific name server entries into local name server's
configuration file and ensure that applications are able to resolve
internal(company wide) domain names too. (try connecting to company
mail/IRC server)"
We want to make sure that any local caching nameserver that we do use
doesn't rely exclusively on file-based configuration, or if it does,
it's able to re-read that configuration file using SIGHUP or some
seamless reload functionality. It *must* also be able to load new
configuration without dropping in-process DNS queries on the floor,
otherwise users will experience hung DNS a non-trivial amount of the
time.
The better way is to add/remove zones + servers from dnsmasq over D-Bus,
which NM does not yet do since the patches are not yet upstream, or to
use some other socket-based protocol like unbound does with
dnssec-trigger.
Dan