1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
'\" t
.TH "NSS\-RESOLVE" "8" "" "systemd 256~rc3" "nss-resolve"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nss-resolve, libnss_resolve.so.2 \- Hostname resolution via systemd\-resolved\&.service
.SH "SYNOPSIS"
.PP
libnss_resolve\&.so\&.2
.SH "DESCRIPTION"
.PP
\fBnss\-resolve\fR
is a plug\-in module for the GNU Name Service Switch (NSS) functionality of the GNU C Library (\fBglibc\fR) enabling it to resolve hostnames via the
\fBsystemd-resolved\fR(8)
local network name resolution service\&. It replaces the
\fBnss\-dns\fR
plug\-in module that traditionally resolves hostnames via DNS\&.
.PP
To activate the NSS module, add
"resolve\ \&[!UNAVAIL=return]"
to the line starting with
"hosts:"
in
/etc/nsswitch\&.conf\&. Specifically, it is recommended to place
"resolve"
early in
/etc/nsswitch\&.conf\*(Aqs
"hosts:"
line\&. It should be before the
"files"
entry, since
systemd\-resolved
supports
/etc/hosts
internally, but with caching\&. To the contrary, it should be after
"mymachines", to give hostnames given to local VMs and containers precedence over names received over DNS\&. Finally, we recommend placing
"dns"
somewhere after
"resolve", to fall back to
\fBnss\-dns\fR
if
systemd\-resolved\&.service
is not available\&.
.PP
Note that
\fBsystemd\-resolved\fR
will synthesize DNS resource records in a few cases, for example for
"localhost"
and the current local hostname, see
\fBsystemd-resolved\fR(8)
for the full list\&. This duplicates the functionality of
\fBnss-myhostname\fR(8), but it is still recommended (see examples below) to keep
\fBnss\-myhostname\fR
configured in
/etc/nsswitch\&.conf, to keep those names resolveable if
\fBsystemd\-resolved\fR
is not running\&.
.PP
Please keep in mind that
\fBnss\-myhostname\fR
(and
\fBnss\-resolve\fR) also resolve in the other direction \(em from locally attached IP addresses to hostnames\&. If you rely on that lookup being provided by DNS, you might want to order things differently\&.
.PP
Communication between
\fBnss\-resolve\fR
and
systemd\-resolved\&.service
takes place via the
/run/systemd/resolve/io\&.systemd\&.Resolve
\fBAF_UNIX\fR
socket\&.
.SH "ENVIRONMENT VARIABLES"
.PP
\fI$SYSTEMD_NSS_RESOLVE_VALIDATE\fR
.RS 4
Takes a boolean argument\&. When false, cryptographic validation of resource records via DNSSEC will be disabled\&. This may be useful for testing, or when system time is known to be unreliable\&.
.sp
Added in version 250\&.
.RE
.PP
\fI$SYSTEMD_NSS_RESOLVE_SYNTHESIZE\fR
.RS 4
Takes a boolean argument\&. When false, synthetic records, e\&.g\&. for the local host name, will not be returned\&. See section SYNTHETIC RECORDS in
\fBsystemd-resolved.service\fR(8)
for more information\&. This may be useful to query the "public" resource records, independent of the configuration of the local machine\&.
.sp
Added in version 250\&.
.RE
.PP
\fI$SYSTEMD_NSS_RESOLVE_CACHE\fR
.RS 4
Takes a boolean argument\&. When false, the cache of previously queried records will not be used by
\fBsystemd-resolved\fR(8)\&.
.sp
Added in version 250\&.
.RE
.PP
\fI$SYSTEMD_NSS_RESOLVE_ZONE\fR
.RS 4
Takes a boolean argument\&. When false, answers using locally registered public LLMNR/mDNS resource records will not be returned\&.
.sp
Added in version 250\&.
.RE
.PP
\fI$SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR\fR
.RS 4
Takes a boolean argument\&. When false, answers using locally configured trust anchors will not be used\&.
.sp
Added in version 250\&.
.RE
.PP
\fI$SYSTEMD_NSS_RESOLVE_NETWORK\fR
.RS 4
Takes a boolean argument\&. When false, answers will be returned without using the network, i\&.e\&. either from local sources or the cache in
\fBsystemd-resolved\fR(8)\&.
.sp
Added in version 250\&.
.RE
.SH "EXAMPLE"
.PP
Here is an example
/etc/nsswitch\&.conf
file that enables
\fBnss\-resolve\fR
correctly:
.sp
.if n \{\
.RS 4
.\}
.nf
passwd: files systemd
group: files [SUCCESS=merge] systemd
shadow: files systemd
gshadow: files systemd
hosts: mymachines \fBresolve [!UNAVAIL=return]\fR files myhostname dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1), \fBsystemd-resolved\fR(8), \fBnss-systemd\fR(8), \fBnss-myhostname\fR(8), \fBnss-mymachines\fR(8), \fBnsswitch.conf\fR(5), \fBsystemd.syntax\fR(5)
|