Frequently Asked Questions


112. How do I configure my resolver on a Linux machine?


The university has a couple of resolvers which are referred to by

    $ host
    has address
    has address
    has address
    has IPv6 address 2001:6b0:b:215:130:238:4:133
    has IPv6 address 2001:6b0:b:732:130:238:164:6
    has IPv6 address 2001:6b0:b:242:130:238:7:10
    $ _

Historically, host name lookups in Linux were done by the resolver library. No resolver was running locally and no cache existed on the machine. The resolvers were listed in /etc/resolv.conf, set either statically (manually) or via DHCP.

The problem with this approach is that if the first external resolver in the list cannot be reached, the timeout defaults to 5 seconds with 2 attempts. This means that if the first server is down there will be a timeout of up to 2*5=10 seconds. When a resolver is failing, most things that use the network become slow and do not work very well. The delay can be decreased, but not eliminated, by adding a shorter timeout to /etc/resolv.conf:

options timeout:1 attempts:1 rotate

Using dnsmasq as a forwarding resolver

Another, better, solution is to run dnsmasq in Linux. Dnsmasq will get you:

  1. Faster failover.
  2. Local cache.
  3. A well-behaved client using central resolvers. (No problems with split-DNS, firewalls or router filters.)

This is what it looks like in CentOS 7 when not using NetworkManager (most common on servers) and using DHCP. It will replace the first nameserver with the local dnsmasq. This works for a server always located on the UpUnet network.

Here we also add the Google public resolvers. Please note that if you add those, you cannot reach local split-DNS, like the Windows domains or other local networks (RFC1918). Also check that you have access to the Google public resolvers (not blocked by a router filter or firewall) before you add them.

    $ yum install dnsmasq
    $ echo 'resolv-file=/etc/resolv.dnsmasq' > /etc/dnsmasq.d/resolv.file
    $ echo 'DNS=' >>/etc/sysconfig/network
    $ host | grep -v IPv6 | awk '{print "nameserver " $4}' >/etc/resolv.dnsmasq
    $ echo 'nameserver' >>/etc/resolv.dnsmasq
    $ echo 'nameserver' >>/etc/resolv.dnsmasq
    $ _

If you are running a totally static setup without NetworkManager, you need to manually add the resolver first in resolv.conf instead of adding it to the /etc/sysconfig/network configuration file.

    $ sed -i '1i nameserver' /etc/resolv.conf
    $ _

Most clients use NetworkManager. A client that moves around between networks needs to get the recommended resolvers from DHCP but also have the dnsmasq resolver inserted first. NetworkManager has built-in support for dnsmasq. Simply adding dns=dnsmasq to the [main] section and then restarting NetworkManager should solve it.

    [main]
    dns=dnsmasq

Also check that dnsmasq does not have the option bogus-priv activated in /etc/dnsmasq.conf; otherwise queries about the local networks (RFC1918) will be blocked in dnsmasq with the answer NXDOMAIN. These networks are used in the university network, so they should not be blocked between client and resolver. The default in CentOS 7 is to not have bogus-priv activated, which is fine. Otherwise, comment it out with:

    $ sed -i 's/\(^bogus-priv\)/#\1/1' /etc/dnsmasq.conf
    $ _
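
A small audit of the settings discussed above, added here as an example; it is not part of the original FAQ. It assumes the local dnsmasq listens on a loopback address (127.0.0.0/8 or ::1), and the function names are made up for the illustration. File paths are arguments, so it can be tried on copies of the configuration first.

```sh
#!/bin/sh
# Added example: check resolv.conf and dnsmasq configuration files.

# Effective resolv.conf options; defaults are timeout 5, attempts 2, no rotate.
resolv_options() {
    awk '
        BEGIN { t = 5; a = 2; r = "no" }
        $1 == "options" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^timeout:[0-9]+$/)  { split($i, kv, ":"); t = kv[2] }
                if ($i ~ /^attempts:[0-9]+$/) { split($i, kv, ":"); a = kv[2] }
                if ($i == "rotate") r = "yes"
            }
        }
        END { printf "timeout=%d attempts=%d rotate=%s\n", t, a, r }
    ' "$1"
}

# First "nameserver" entry: the one every lookup tries first.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeeds if an uncommented bogus-priv line is present in any given file.
bogus_priv_active() {
    grep -Eq '^bogus-priv[[:space:]]*$' "$@"
}

# Print one finding per line; silent when nothing needs attention.
# usage: audit_resolver RESOLV_CONF DNSMASQ_CONF...
audit_resolver() {
    resolv=$1; shift
    case $(first_nameserver "$resolv") in
        127.*|::1) ;;   # assumption: local dnsmasq answers on loopback
        *) echo "first nameserver in $resolv is not a loopback address" ;;
    esac
    case $(resolv_options "$resolv") in
        "timeout=5 attempts=2 "*)
            echo "$resolv uses the default timeout:5 attempts:2" ;;
    esac
    if [ "$#" -gt 0 ] && bogus_priv_active "$@"; then
        echo "bogus-priv is active: RFC1918 lookups are answered NXDOMAIN"
    fi
}
```

Pass /etc/resolv.conf first, then /etc/dnsmasq.conf and any files under /etc/dnsmasq.d; no output means none of the three conditions was found.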

Using Bind as a local resolver

If you want to maximize reliability, nothing beats a local resolver. Just run BIND and set it up to listen only on the local machine (or the local HPC cluster). On the university network, this usually requires openings in the router filters and perhaps firewalls in order to send UDP traffic in and out. Only do this if you do not want to pester the university resolvers with all your requests, for example when you are running an HPC cluster connected to the USER-AD, doing statistics on a lot of webserver logs, or something similar.


This entry resolver was last modified 2018-06-04


This documentation is covered by GNU Free Documentation License.