DNS and /etc/resolv.conf future improvements

[pemensik]

I have met it few times on virtual machines, but met it last time on vpsfree.cz VPS provider.

VPS instances often does not use DHCP or similar protocol. Instead, it specifies fixed IP address, gateway information and DNS servers to use. Shipped by whatever provisioning system the operator uses.

The problem I see is /etc/resolv.conf is often used to provide DNS servers to use. There are multiple problems with that:

• Not possible to specify encrypted DNS parameters to be used (proposal below)
• When local DNS cache resolver should run on the machine, it should replace /etc/resolv.conf with some localhost address and search+options. It does not matter whether dnsmasq or systemd-resolved is used, in both cases it will contain only some localhost address to be useful. Problem is we lose IP address specification provided by provisioning, if it is simply replaced. Losing information required on restart, service reconfiguration, etc.
• /etc/resolv.conf did make sense when the file is static, or mostly. Something like /run/resolv.conf would make more sense, when the file is adjusted dynamically by local running service. Again, not really important whether systemd-resolved, NetworkManager or openresolv is pushing those updates.

Another problem I would like to solve is ability to know who is asking for names. Unix domain sockets allows getting pid, user and group, even SELinux context of process asking. Might be useful to monitor just specific application, for example untrusted Flatpak. Even to refuse some queries to selected users or programs. Kind of SELinux applied to network traffic.

To solve this problem, I think we would need new nameserver-local /run/resolver.sock option, which would be preferred over legacy nameserver keyword. I doubt there are programs supporting unix domain sockets in common /etc/resolv.conf. Having separate entry would allow future upgrades, while not breaking typical software. Of course, programs emitting error if met unsupported keyword would fail in any case.

Thought we might even use libeconf to specify system forwarders in fixed way, which would supporting services parse and configure forwarding appropriately. For example, /{run,etc}/resolver.conf? That might allow specification also of TLS servers. Currently there are multiple implementations able to provide DNS cache and TLS forwarding, but they vary a lot in configuration syntax.

Would you have better ideas, where to discuss such ideas, if not here? Made also issue #122

[pemensik]

I have started a thread on fedoraproject.org, which let to some disagreements whether Varlink should be used for resolution. I would prefer keeping DNS protocol running on the pipe, because both servers and clients already implement DNS to some extent. DNS protocol is flexible enough, even mDNS and LLMNR use compatible packet format. There seems to be some support for unix domain handling in knot resolver's kdig tool for example.

But I think to make it well working, more wide audience would be required. Might it be here?