Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 22. Using different DNS servers for different domains

By default, Red Hat Enterprise Linux (RHEL) sends all DNS requests to the first DNS server specified in the /etc/resolv.conf file. If this server does not reply, RHEL uses the next server in this file. In environments where one DNS server cannot resolve all domains, administrators can configure RHEL to send DNS requests for a specific domain to a selected DNS server.

For example, you connect a server to a Virtual Private Network (VPN), and hosts in the VPN use the example.com domain. In this case, you can configure RHEL to process DNS queries in the following way:

  • Send only DNS requests for example.com to the DNS server in the VPN network.
  • Send all other requests to the DNS server that is configured in the connection profile with the default gateway.

22.1. Using dnsmasq in NetworkManager to send DNS requests for a specific domain to a selected DNS server

You can configure NetworkManager to start an instance of dnsmasq. This DNS caching server then listens on port 53 on the loopback device. Consequently, this service is only reachable from the local system and not from the network.

With this configuration, NetworkManager adds the nameserver 127.0.0.1 entry to the /etc/resolv.conf file, and dnsmasq dynamically routes DNS requests to the corresponding DNS servers specified in the NetworkManager connection profiles.

Prerequisites

  • The system has multiple NetworkManager connections configured.

  • A DNS server and search domain are configured in the NetworkManager connection profile that is responsible for resolving a specific domain.

    For example, to ensure that the DNS server specified in a VPN connection resolves queries for the example.com domain, the VPN connection profile must contain the following settings:

    • A DNS server that can resolve example.com
    • A search domain set to example.com in the ipv4.dns-search and ipv6.dns-search parameters
  • The dnsmasq service is not running or configured to listen on a different interface then localhost.

Procedure

  1. Install the dnsmasq package: 

    # yum install dnsmasq

  2. Edit the /etc/NetworkManager/NetworkManager.conf file, and set the following entry in the [main] section: 

    dns=dnsmasq

  3. Reload the NetworkManager service: 

    # systemctl reload NetworkManager

Verification

  1. Search in the systemd journal of the NetworkManager unit for which domains the service uses a different DNS server: 

    # journalctl -xeu NetworkManager
...
Jun 02 13:30:17 client_hostname dnsmasq[5298]: using nameserver 198.51.100.7#53 for domain example.com
...

  2. Use the tcpdump packet sniffer to verify the correct route of DNS requests:

    1. Install the tcpdump package: 

      # yum install tcpdump

    2. On one terminal, start tcpdump to capture DNS traffic on all interfaces: 

      # tcpdump -i any port 53

    3. On a different terminal, resolve host names for a domain for which an exception exists and another domain, for example: 

      # host -t A www.example.com
# host -t A www.redhat.com

    4. Verify in the tcpdump output that Red Hat Enterprise Linux sends only DNS queries for the example.com domain to the designated DNS server and through the corresponding interface: 

      ...
13:52:42.234533 IP server.43534 > 198.51.100.7.domain: 50121+ [1au] A? www.example.com. (33)
...
13:52:57.753235 IP server.40864 > 192.0.2.1.domain: 6906+ A? www.redhat.com. (33)
...

      Red Hat Enterprise Linux sends the DNS query for www.example.com to the DNS server on 198.51.100.7 and the query for www.redhat.com to 192.0.2.1.

Troubleshooting

  1. Verify that the nameserver entry in the /etc/resolv.conf file refers to 127.0.0.1: 

    # cat /etc/resolv.conf
nameserver 127.0.0.1

    If the entry is missing, check the dns parameter in the /etc/NetworkManager/NetworkManager.conf file.

  2. Verify that the dnsmasq service listens on port 53 on the loopback device: 

    # ss -tulpn | grep "127.0.0.1:53"
udp  UNCONN 0  0    127.0.0.1:53   0.0.0.0:*    users:(("dnsmasq",pid=7340,fd=18))
tcp  LISTEN 0  32   127.0.0.1:53   0.0.0.0:*    users:(("dnsmasq",pid=7340,fd=19))

    If the service does not listen on 127.0.0.1:53, check the journal entries of the NetworkManager unit: 

    # journalctl -u NetworkManager

22.2. Using systemd-resolved in NetworkManager to send DNS requests for a specific domain to a selected DNS server

You can configure NetworkManager to start an instance of systemd-resolved. This DNS stub resolver then listens on port 53 on IP address 127.0.0.53. Consequently, this stub resolver is only reachable from the local system and not from the network.

With this configuration, NetworkManager adds the nameserver 127.0.0.53 entry to the /etc/resolv.conf file, and systemd-resolved dynamically routes DNS requests to the corresponding DNS servers specified in the NetworkManager connection profiles.

Important

The systemd-resolved service is provided as a Technology Preview only. Technology Preview features are not supported with Red Hat production Service Level Agreements (SLAs), might not be functionally complete, and Red Hat does not recommend using them for production. These previews provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

See Technology Preview Features Support Scope on the Red Hat Customer Portal for information about the support scope for Technology Preview features.

For a supported solution, see Using dnsmasq in NetworkManager to send DNS requests for a specific domain to a selected DNS server.

Prerequisites

  • The system has multiple NetworkManager connections configured.

  • A DNS server and search domain are configured in the NetworkManager connection profile that is responsible for resolving a specific domain.

    For example, to ensure that the DNS server specified in a VPN connection resolves queries for the example.com domain, the VPN connection profile must contain the following settings:

    • A DNS server that can resolve example.com
    • A search domain set to example.com in the ipv4.dns-search and ipv6.dns-search parameters

Procedure

  1. Enable and start the systemd-resolved service: 

    # systemctl --now enable systemd-resolved

  2. Edit the /etc/NetworkManager/NetworkManager.conf file, and set the following entry in the [main] section: 

    dns=systemd-resolved

  3. Reload the NetworkManager service: 

    # systemctl reload NetworkManager

Verification

  1. Display the DNS servers systemd-resolved uses and for which domains the service uses a different DNS server: 

    # resolvectl
...
Link 2 (enp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute ...
Current DNS Server: 192.0.2.1
       DNS Servers: 192.0.2.1

Link 3 (tun0)
    Current Scopes: DNS
         Protocols: -DefaultRoute ...
Current DNS Server: 198.51.100.7
       DNS Servers: 198.51.100.7 203.0.113.19
        DNS Domain: example.com

    The output confirms that systemd-resolved uses different DNS servers for the example.com domain.

  2. Use the tcpdump packet sniffer to verify the correct route of DNS requests:

    1. Install the tcpdump package: 

      # yum install tcpdump

    2. On one terminal, start tcpdump to capture DNS traffic on all interfaces: 

      # tcpdump -i any port 53

    3. On a different terminal, resolve host names for a domain for which an exception exists and another domain, for example: 

      # host -t A www.example.com
# host -t A www.redhat.com

    4. Verify in the tcpdump output that Red Hat Enterprise Linux sends only DNS queries for the example.com domain to the designated DNS server and through the corresponding interface: 

      ...
13:52:42.234533 IP server.43534 > 198.51.100.7.domain: 50121+ [1au] A? www.example.com. (33)
...
13:52:57.753235 IP server.40864 > 192.0.2.1.domain: 6906+ A? www.redhat.com. (33)
...

      Red Hat Enterprise Linux sends the DNS query for www.example.com to the DNS server on 198.51.100.7 and the query for www.redhat.com to 192.0.2.1.

Troubleshooting

  1. Verify that the nameserver entry in the /etc/resolv.conf file refers to 127.0.0.53: 

    # cat /etc/resolv.conf
nameserver 127.0.0.53

    If the entry is missing, check the dns parameter in the /etc/NetworkManager/NetworkManager.conf file.

  2. Verify that the systemd-resolved service listens on port 53 on the local IP address 127.0.0.53: 

    # ss -tulpn | grep "127.0.0.53"
udp  UNCONN 0  0      127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=1050,fd=12))
tcp  LISTEN 0  4096   127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=1050,fd=13))

    If the service does not listen on 127.0.0.53:53, check if the systemd-resolved service is running.