On 2022-04-19 15:15:11 +0300, Michael Tokarev wrote:
> unbound resolvconf integration (the disabled one) works by setting
> DNS servers obtained via DHCP to become the forwarders in
> unbound.  As simple as that.  I'm not saying about 127.0.0.1
> filtering there, it's a different issue.
> 
> If we (re)enable /etc/resolvconf/update.d/unbound , the dhcp-provided
> nameservers will be used as the primary nameservers with unbound sitting
> just as a local cache. Unbound will not use them as fallbacks but as
> primary forwarders.

The issue is that resolvconf assumes that unbound will use them
as fallbacks (see below).

> The only way to do what - I think - you're asking for, is for
> resolvconf to modify /etc/resolv.conf file to specify one unbound-
> provided nameserver line (with 127.0.0.1 in there) and *add* the
> dhcp-provided nameservers there *too*. And you don't want in this
> case to enable unbound's resolvconf integration.

resolvconf actually does the opposite: instead of leaving the
/etc/resolv.conf contents as is, it removes every nameserver
after 127.0.0.1, assuming that they will be handled by the
local nameserver.

Perhaps this is something to see with the resolvconf authors.

> But this doesn't really work and it is unreliable.  Because quite
> some software will query *all* nameservers listed in resolv.conf
> at the same time (accepting the first reply), and some software
> will only query the first one.

This would clearly be a bug, as not conforming with the
/etc/resolv.conf spec. See the resolv.conf(5) man page:

  nameserver Name server IP address
    Internet address of a name server that the resolver should query,
    either an IPv4 address (in dot notation), or an IPv6 address in
    colon (and possibly dot) notation as per RFC 2373. Up to MAXNS
    (currently 3, see <resolv.h>) name servers may be listed, one per
    keyword. If there are multiple servers, the resolver library
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    queries them in the order listed. If no nameserver entries are
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    present, the default is to use the name server on the local
    machine. (The algorithm used is to try a name server, and if the
    query times out, try the next, until out of name servers, then
    repeat trying all the name servers until a maximum number of
    retries are made.)

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
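The ordered-query behaviour quoted from resolv.conf(5) above, together with the resolvconf trimming Vincent describes, can be modelled in a few lines. This is an added example, not code from the thread or from resolvconf; MAXNS=3 is the value quoted from the man page, the trimming rule (keep entries up to and including 127.0.0.1, drop the rest) is an assumption based on the reply, and the resolv.conf contents and the 192.0.2.x servers are constructed sample data.

```python
MAXNS = 3  # limit quoted in resolv.conf(5) above

def parse_nameservers(text):
    """Return nameserver addresses in file order, capped at MAXNS."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers[:MAXNS]

def resolvconf_trim(servers):
    """Model (assumption) of what the reply says resolvconf does: keep
    entries up to and including 127.0.0.1, drop everything after it."""
    kept = []
    for s in servers:
        kept.append(s)
        if s == "127.0.0.1":
            break
    return kept

def resolve(servers, responder, retries=2):
    """Query servers in listed order; on a timeout (None) move to the
    next one, and repeat the whole list up to `retries` times."""
    attempts = []
    for _ in range(retries):
        for s in servers:
            answer = responder(s)
            attempts.append((s, answer))
            if answer is not None:
                return answer, attempts
    return None, attempts

# Constructed sample: local unbound first, then DHCP-provided servers.
SAMPLE = """\
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 192.0.2.55  # fourth entry, beyond MAXNS, ignored
"""

def unbound_down(server):
    """Constructed responder: local unbound times out, DHCP servers answer."""
    return None if server == "127.0.0.1" else "answer from " + server

if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE)
    print(resolve(servers, unbound_down)[0])                   # falls back
    print(resolve(resolvconf_trim(servers), unbound_down)[0])  # no fallback
```

With the full list the resolver falls back to 192.0.2.53 once 127.0.0.1 times out; after the trimming there is nothing left to fall back to, which is the point of the reply.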