[Solved] Using different DNS servers for different domains
Hello Community,
I have some trouble following Chapter 33. Using different DNS servers for different domains from the RHEL 8 Configuring and Managing Networking Guide. My hope is that someone around here could give me some help.
The prerequisites from the documentation say that in order to use different DNS servers for different domains I need:
* The system has multiple NetworkManager connections configured.
* A DNS server and search domain are configured in the NetworkManager connections that are responsible for resolving a specific domain. For example, if the DNS server specified in a VPN connection should resolve queries for the example.com domain, the VPN connection profile must have:
** Configured a DNS server that can resolve example.com
** Configured the search domain to example.com in the ipv4.dns-search and ipv6.dns-search parameters
On my machine I have:
$ nmcli device
DEVICE TYPE STATE CONNECTION
ens3 ethernet connected ens3
ens4 ethernet connected ens4
lo loopback unmanaged --
$ nmcli con show ens3 | egrep ipv[4,6].dns.*
ipv4.dns: 192.168.11.3
ipv4.dns-search: lan
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
$ nmcli con show ens4 | egrep ipv[4,6].dns.*
ipv4.dns: 192.168.100.1
ipv4.dns-search: private1
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan private1
nameserver 127.0.0.53
$ ss -lun | grep ":53"
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
$ ip --brief a
lo UNKNOWN 127.0.0.1/8 ::1/128
ens3 UP 192.168.11.10/24 2a02:908:3032:a1c0:bc3a:5877:944e:e000/64 fe80::b9d6:5bdb:b296:ca63/64
ens4 UP 192.168.100.2/24 fe80::cebc:48da:3c6c:6bce/64
The ipv6.dns settings are not set because currently I don't use IPv6 and all I need is a working config for IPv4.
That DNS is working in general can be seen from the following queries using an explicit nameserver:
$ host raspi-sht21.lan 192.168.11.3
Using domain server:
Name: 192.168.11.3
Address: 192.168.11.3#53
Aliases:
raspi-sht21.lan has address 192.168.11.4
$ host rhel7-ansible.private1 192.168.100.1
Using domain server:
Name: 192.168.100.1
Address: 192.168.100.1#53
Aliases:
rhel7-ansible.private1 has address 192.168.100.180
But the resolution using systemd-resolved fails:
$ host raspi-sht21.lan 127.0.0.53
Using domain server:
Name: 127.0.0.53
Address: 127.0.0.53#53
Aliases:
Host raspi-sht21.lan not found: 3(NXDOMAIN)
$ host rhel7-ansible.private1 127.0.0.53
Using domain server:
Name: 127.0.0.53
Address: 127.0.0.53#53
Aliases:
Host rhel7-ansible.private1 not found: 2(SERVFAIL)
Well, now I'm open to your ideas.
- Is there something wrong with my config?
- Is there another way to use different nameservers for different domains?
Looking forward to reading from you. :-)
Regards,
Joerg
PS: I followed the documentation carefully and checked that all services are started and listening appropriately.
Update 2020-11-04T17:08+01
Thanks to my buddies from the Red Hat Accelerators the issue is solved. And I would like to write it down here as well, so it might help you in a similar situation.
One of the nameservers I use doesn't support DNSSEC. After setting DNSSEC=false in /etc/systemd/resolved.conf and restarting systemd-resolved.service, the name resolution works as expected.
Now DNSSEC is globally disabled. But resolved.conf(5) gives a hint that there might be a chance to configure this on a per link basis:
In addition to this global DNSSEC setting systemd-networkd.service(8) also maintains per-link DNSSEC settings. For system DNS servers (see above), only the global DNSSEC setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.
But I won't check that out because I don't need it in my environment.
Regards,
Joerg
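As an added illustration that is not part of Joerg's post, the following Python sketch models the two rules the thread turns on: systemd-resolved routes a query to the link whose configured search domain is the longest suffix match (falling back to the links with the DNS default route), and the per-link DNSSEC setting applies to that link's servers, with the global setting used only when the per-link one is unset. The Link class, route_query() and the sample links (built from the ens3/ens4 settings shown above) are constructed here; this is a simplified model of the documented behaviour, not systemd's code.

```python
# Simplified model of systemd-resolved per-link query routing and effective DNSSEC
# mode. Constructed for illustration only; it is not systemd's implementation.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Link:
    name: str
    servers: List[str]
    domains: List[str]              # dns-search values, e.g. ["lan"]; "~." = route-only catch-all
    default_route: bool = True      # link may also serve names that match no domain
    dnssec: Optional[str] = None    # per-link DNSSEC= ("yes"/"no"/"allow-downgrade"); None = unset


def _labels(domain: str) -> List[str]:
    """Normalise a search/routing domain ("~lan.", "lan") to its list of labels."""
    d = domain.lstrip("~").strip(".").lower()
    return d.split(".") if d else []


def domain_matches(name: str, domain: str) -> bool:
    """True if name equals the domain or lies underneath it ("~." matches everything)."""
    n, d = name.strip(".").lower().split("."), _labels(domain)
    return True if not d else (len(n) >= len(d) and n[-len(d):] == d)


def route_query(name: str, links: List[Link],
                global_dnssec: str = "allow-downgrade") -> List[Tuple[str, List[str], str]]:
    """Return [(link, servers, effective_dnssec)] for the links that receive the query.

    Longest matching domain wins; ties go to every tied link; with no match the query
    goes to every link holding the DNS default route. The per-link DNSSEC value is used
    when set, otherwise the global one (the rule quoted from resolved.conf(5) above).
    """
    best: List[Link] = []
    best_len = -1
    for link in links:
        for dom in link.domains:
            if not domain_matches(name, dom):
                continue
            n = len(_labels(dom))
            if n > best_len:
                best, best_len = [link], n
            elif n == best_len and link not in best:
                best.append(link)
    if not best:
        best = [l for l in links if l.default_route]
    return [(l.name, l.servers, l.dnssec if l.dnssec is not None else global_dnssec)
            for l in best]


# Constructed from the post's two connections: ens3 serves .lan, ens4 serves .private1.
LINKS = [
    Link("ens3", ["192.168.11.3"], ["lan"]),
    Link("ens4", ["192.168.100.1"], ["private1"], dnssec="no"),  # server lacking DNSSEC
]

if __name__ == "__main__":
    for q in ("raspi-sht21.lan", "rhel7-ansible.private1", "www.example.com"):
        print(q, "->", route_query(q, LINKS, global_dnssec="yes"))
```

With the global setting left at DNSSEC=yes, only the .private1 queries run without validation in this model, which is the per-link alternative to disabling DNSSEC globally that the update mentions.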