Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 4 Nov 2023 11:49:58 +0100
From: Markus Wichmann <>
Subject: Re: questions about musl DNS resolver

Am Sat, Nov 04, 2023 at 12:12:58PM +0530 schrieb Ayush Agarwal:
> Hi,
> I was reading about how DNS works in Linux distributions and I noticed
> some differences in the way libc resolvers work in glibc and in musl.
> I hope it's okay if I ask a few (potentially stupid) questions?
> 1. Why not offer a different man page on musl distributions for pages
> like resolv.conf(5) and resolver(3) considering how their
> implementation details and behavior are different from glibc? Is not
> offering them intentional or does it require someone to step up and
> write the documentation?

Well, for one, because musl doesn't offer /any/ manpages. For two,
because it could change. Rich may decide to add support for more options
if someone makes a convincing-enough case.

What you have to understand is that musl only contains a stub resolver.
Its job is to send a request to a bunch of recursive resolvers and
collate their answers. And those resolvers are trusted implicitly. That
is why the only servers you should have in your resolv.conf are servers
you trust, and you trust the path to them as well. If you have a laptop
and travel a lot and want to use dodgy airport Wifi, you may want to run
your own DNS resolver and use in resolv.conf.

See, if you put in there, then Google is happy about that, but
so is the Russian hacker between you and Google.

> 2. Which options in the resolv.conf(5) man page are supported by musl?
> I know "search" and "nameserver" are supported but what about
> "options" like "ndots", "edns0", "use-vc", "trust-ad"?

The code is the documentation. At the moment I see an implementation for
the options ndots, attempts, and timeout, as well as nameserver and
domain or search (where the last two are equivalent). Note that musl
only supports up to three nameservers, because they are only for
increased reliability of the system. All nameservers are supposed to
implement the same view of the namespace. If you want something else,
like a union of different namespaces, you must use or implement a DNS
proxy like dnsmasq.

> 3. It seems that version 1.2.1 added support for DNSSEC queries but
> how do I confirm if DNSSEC queries are sent and received with musl? Do
> I need to use the "option edns0 trust-ad" directive in resolv.conf for
> it work? The usual suspects like drill and kdig seem to use their own
> resolver.
 I do not see musl itself use any kind of DNSSEC query. Not sure where
you got this. I do remember that some time ago, Rich converted his
bespoke internal DNS API into the de-facto standard libresolv interface.
And you can use that to make DNSSEC queries if you so choose. But musl
itself doesn't do any DNSSEC.

> 4. The musl version 1.2.4 added TCP fallback to DNS. Is this fallback
> intended to work automatically when the size of a DNS query is large
> or does it need any configuration?

That is indeed automatic, and triggered by the TC bit in the response.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.