Resolved as stub listener on network and hosts in /etc/hosts

I manage a home router that runs a number of services that I want accessible over the local network. I would like to access these services via domain name, and have been using mDNS for a while, but it doesn't always work (e.g. over a wireguard tunnel). I recently switched the router's DNS server from unbound to resolved, and I figured I could add some simple static names in the process. So I added some IPv4 and IPv6 entries in the router's /etc/hosts file, using ".home.arpa" and ".internal" domains as these are LAN-only resources. And this does seem to work at first, with A and AAAA queries returning the fixed IPs I have assigned as expected. Note that I am using resolved as a DNS client on my end machines too. However, when I went to use the names in a browser, I ran into an issue. Watching wireshark, I see that the browser first queries a HTTPS record type (even if I specify http://), to which resolved will respond with a 'no such domain'. At this point, it appears that the local resolved will cache that negative result, and subsequent queries for A or AAAA records will fail until the cache is flushed. To verify this, I can re-create the process on the cli:

$ resolvectl flush-caches
$ resolvectl query -t AAAA hass.internal
hass.internal IN AAAA fc00::6861:7373 -- link: eth0

-- Information acquired via protocol DNS in 1.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
$ resolvectl query -t HTTPS hass.internal
hass.internal: resolve call failed: Name 'hass.internal' not found
$ resolvectl query -t AAAA hass.internal
hass.internal: resolve call failed: Name 'hass.internal' not found
$ resolvectl flush-caches
# resolvectl query -t AAAA hass.internal
hass.internal IN AAAA fc00::6861:7373 -- link: eth0

-- Information acquired via protocol DNS in 1.7ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

I figure I can probably set Cache="no-negative" on the client machines to work around this, but ideally I'd like to do this without too much custom client-side setup (especially to account for clients where I have less control, like Android). It feels like a nice solution would be if resolved on the router could somehow respond with a 'no such RR' for hosts listed in /etc/hosts.

However, I am unsure if the existing behavior can be considered a bug, I am doing something wrong or misunderstanding something (my DNS knowledge is a little shaky), or this use case is not supported with resolved, so I'm looking for some guidance.

Thanks,
-Dmitri
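An added illustration of the caching semantics behind the transcript above; this is not code from Dmitri's post or from systemd. It models a hosts-file-backed server next to a stub resolver that applies RFC 2308 negative caching (NXDOMAIN remembered per name, NODATA per name and type), so the same HTTPS-then-AAAA sequence can be replayed with the server answering NXDOMAIN, as observed, or NODATA, as the post wishes for. The hosts fragment is constructed sample data, and the cache model is a deliberate simplification of resolved's real cache.

```python
import ipaddress

# Constructed /etc/hosts fragment standing in for the router's file (sample values).
HOSTS_TEXT = """
192.0.2.6        hass.internal hass.home.arpa
fc00::6861:7373  hass.internal hass.home.arpa
192.0.2.7        router.internal
"""

def parse_hosts(text):
    """Map each name to its A and AAAA records from hosts-file lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr = ipaddress.ip_address(fields[0])
        rtype = "A" if addr.version == 4 else "AAAA"
        for name in fields[1:]:
            table.setdefault(name.lower(), {"A": [], "AAAA": []})[rtype].append(str(addr))
    return table

def answer(table, name, rtype, nodata_for_known_names):
    """Server side: (rcode, records) for one question. False mimics the observed
    behaviour (any type other than A/AAAA for a hosts entry gets NXDOMAIN); True
    returns NODATA (NOERROR, empty answer), RFC 2308's 'name exists, no such type'."""
    entry = table.get(name.lower())
    if entry is None:
        return "NXDOMAIN", []
    records = entry.get(rtype, [])
    if records or nodata_for_known_names:
        return "NOERROR", records
    return "NXDOMAIN", []

class NegativeCachingStub:
    """Client-side stub with RFC 2308 negative caching: NXDOMAIN is remembered
    per name (it asserts no records of any type), NODATA per (name, type)."""
    def __init__(self, table, nodata_for_known_names):
        self.table, self.mode = table, nodata_for_known_names
        self.nxdomain, self.nodata = set(), set()   # a new instance == flush-caches
    def query(self, name, rtype):
        key = name.lower()
        if key in self.nxdomain or (key, rtype) in self.nodata:
            return "CACHED-NEGATIVE", []
        rcode, records = answer(self.table, key, rtype, self.mode)
        if rcode == "NXDOMAIN":
            self.nxdomain.add(key)
        elif not records:
            self.nodata.add((key, rtype))
        return rcode, records
```

With the NXDOMAIN-style server the AAAA lookup that follows the HTTPS query is refused from the negative cache, exactly as in the resolvectl session; with NODATA only the (name, HTTPS) pair is cached and A/AAAA keep resolving.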