/etc/hosts handling plugin for unbound

Petr Menšík pemensik at redhat.com
Wed Dec 21 10:37:19 UTC 2022

On 12/19/22 17:39, Paul Wouters wrote:
> On Mon, 19 Dec 2022, Petr Menšík via Unbound-users wrote:
>> Is there some plugin for automatically watching /etc/hosts file for 
>> changes and loading them as a local data?
>> I am thinking about supporting unbound as a default localhost cache. 
>> But I think many people rely on /etc/hosts changes being propagated 
>> automatically to the cache. Dnsmasq and systemd-resolved both try to 
>> watch this file and re-read it after changes.
>> Is there any existing way to populate local data automatically from 
>> it? Is it already possible to synchronize local data in unbound with 
>> legacy text file?
> Any real software uses /etc/nsswitch.conf which states something like:
> hosts:      files myhostname mdns4_minimal [NOTFOUND=return] dns
> The "files" directory (see man nsswitch.conf) reads in /etc/hosts first.
> This happens before the "dns" entry, so before unbound is used. So for
> apps on localhost this should work fine? It is always read (and not
> cached).
That is not strictly true. Some software may use DNS explicitly via 
specialized libraries, like libresolv, ldns, libunbound, etc. dig and 
host tools are the best examples. What you wrote applies only to 
applications using getaddrinfo() or gethostbyname() API calls.
> But I guess you want to make it systemd-resolved+glibc hack compatible,
> where calls to gethostbyname() are intercepted outside of nsswitch by a
> linux glibc hack, then fed to systemd-resolved, which I guess might do
> the wrong thing by using dns before files ?

I am more inspired by dnsmasq, which I maintain also. But both of those 
are able to watch /etc/hosts and auto-load its entries into the local DNS 
cache. I think it might be useful in some cases to have a very simple way 
to add an address override for some names on the whole machine. I use it 
sometimes to create common records for virtual machines or containers 
running on my machine. I think it is convenient to query those names 
also from DNS-only tools like dig, unbound-host or similar. dnsmasq 
spawned for libvirt forwards queries to my localhost cache, because 
/etc/resolv.conf on the host points to it.

Sure, it should be possible to disable this behavior. An unbound module 
or plugin might be a way.

> Or are you trying to work with the libunbound call of:
>         /* lookup from /etc/hosts before DNS lookups as people expect that */
>         ugh = ub_ctx_hosts(dns_ctx, "/etc/hosts");
> and are afraid changes in /etc/hosts are not picked up without an
> unbound restart?
Yes, something similar. But this requires explicit code in (every) client 
binary, instead of common code in the localhost cache instance.
> I guess I feel /etc/hosts is there only for localhost apps in case of
> broken DNS. The days you could leave something out of DNS by putting in
> the /etc/hosts file are kinda long gone.
Is that true? Can you give an example of why it is so? Isn't that the 
argument for adding /etc/hosts to the DNS then?
> Perhaps you can detail a bit more of what you are looking for and what
> you are afraid of ?
> Paul
I would just like the ability to provide a way that both dnsmasq and 
systemd-resolved have. Yes, I know it is possible to use unbound-control 
to add a local zone and local data into it. But that is too complicated 
for an ordinary user IMO. It is not persistent. sudoedit /etc/hosts is 
simple enough even for a (somewhat) advanced user. It should be relatively 
simple to implement as well. It should not break anything if enabled by 
default on workstations.

Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
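The synchronization discussed above, sketched as an added example (this is not code from the thread, from unbound, or from dnsmasq): it parses hosts(5) text into owner names and records, compares two snapshots of the file, and emits the unbound-control invocations that bring unbound's local data in line. The `local_data` and `local_data_remove` subcommands are the real ones from unbound-control(8); the 3600 s TTL, the set of skipped names, the constructed sample file contents and the idea of driving this from a file-change notification are assumptions of the example, not something the thread specifies.

```python
"""Mirror hosts(5) entries into unbound local data via unbound-control.
Hypothetical helper written for this example; not part of unbound or dnsmasq."""
import ipaddress
import subprocess
from typing import Dict, FrozenSet, List, Set, Tuple

TTL = 3600  # hosts(5) carries no TTL, so this is an assumed default
Record = Tuple[str, str]            # (rrtype, address), e.g. ("A", "192.0.2.10")
HostTable = Dict[str, Set[Record]]  # owner name (with trailing dot) -> records

# unbound already serves "localhost." from its built-in local zone, so the
# example leaves those lines alone by default (assumption; adjust as needed).
DEFAULT_SKIP: FrozenSet[str] = frozenset({"localhost."})


def parse_hosts(text: str, skip: FrozenSet[str] = DEFAULT_SKIP) -> HostTable:
    """Parse hosts(5) text into owner -> {(rrtype, address)}.

    Comments and blank lines are ignored.  A line whose first field is not a
    valid IP literal (typos, scoped IPv6 like fe80::1%eth0) is dropped rather
    than turned into a record, so a malformed line cannot poison the cache."""
    table: HostTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        rrtype = "A" if addr.version == 4 else "AAAA"
        for name in fields[1:]:
            owner = name.lower().rstrip(".") + "."
            if owner in skip:
                continue
            table.setdefault(owner, set()).add((rrtype, str(addr)))
    return table


def local_data_rr(owner: str, rec: Record) -> str:
    """Render one record in the RR syntax unbound-control local_data expects."""
    rrtype, addr = rec
    return f"{owner} {TTL} IN {rrtype} {addr}"


def sync_commands(old: HostTable, new: HostTable) -> List[List[str]]:
    """Return unbound-control argv vectors taking local data from old to new.

    local_data_remove drops every RR at a name, so a changed owner is removed
    and fully re-added instead of being patched one record at a time."""
    cmds: List[List[str]] = []
    for owner in sorted(set(old) | set(new)):
        before, after = old.get(owner, set()), new.get(owner, set())
        if before == after:
            continue
        if before:
            cmds.append(["unbound-control", "local_data_remove", owner])
        for rec in sorted(after):
            cmds.append(["unbound-control", "local_data", local_data_rr(owner, rec)])
    return cmds


def apply_plan(cmds: List[List[str]], run=subprocess.run) -> None:
    """Execute the plan; `run` is injectable so the plan can be dry-run."""
    for argv in cmds:
        run(argv, check=True)


# Constructed sample snapshots standing in for two versions of /etc/hosts.
OLD_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  vm1.example.test vm1   # a VM running on this machine
not-an-ip   bogus
"""
NEW_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.11  vm1.example.test vm1   # VM got a new address
192.0.2.12  ctr1.example.test
"""

if __name__ == "__main__":
    for argv in sync_commands(parse_hosts(OLD_HOSTS), parse_hosts(NEW_HOSTS)):
        print(" ".join(argv))
```

A file watcher (inotify or a periodic stat of /etc/hosts) would keep the last parsed table and call `sync_commands(previous, parse_hosts(open("/etc/hosts").read()))` on each change, then `apply_plan` the result. Two things to check before relying on this: unbound-control needs the control socket and keys set up (see `unbound-control-setup`), and names that do not fall under an explicitly configured `local-zone` depend on unbound's default handling of stray local data, so consult unbound.conf(5) for the zone type you want. A module inside unbound, as the message suggests, would avoid spawning a process per change and survive a restart, which this external approach does not.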
