systemd-resolved leaks mDNS queries to DNS

Did some more checks about this. If I understand correctly:

- Passing ".local" queries to the DNS is something that now happens because systemd-resolved is doing all of the name resolution (DNS and mDNS) while in the past it was the avahi daemon to be in charge of the mDNS resolution.

- Specifically, the reason is that systemd-resolved adds its own switches to configure mDNS and by default it is configured to pass ".local" queries to the DNS.

- You can have systemd-resolved use mDNS only for .local names by either
a) activating DNSSEC in its global configuration; or
b) activating multicast DNS in its global configuration and then tweak the Network Manager configuration files for the individual connections by adding mdns=2 in the [connection] section.

I have some comments/inquires on this:

- the Network Manager configuration with respect to mdns is not something that can be done from the GUI (at least with the KDE applet), which makes recovering the "normal" mDNS behavior inconvenient;

- the implications of activating DNSSEC in systemd-resolved are unclear to me. Is everything ready to do this without side effects?

- It is my understanding that the reason why mDNS is now passed by default to regular DNS is that in some enterprise environments the .local domain is used as a local domain controlled by an internal DNS. However, again to my understanding, this should not be the standard according to RFC 6762. Even less so now that the operation of many consumer network-attached peripherals is based on zeroconf. Because of this, I think that the default should be the opposite and that if .local needs to be resolved by unicast DNS, then in that case a configuration action should be taken.

- Even in environments where hosts on the .local domain require unicast DNS, it seems unreasonable to attempt that if the configured DNS is not local (e.g., the ISP provided one, google, etc.). In fact it is unclear to me why on public DNS *.local points to 40.68.249.35. Probably my ignorance, found no reference to it googling.

- It is unclear to me why systemd-resolved places additional configuration switches in front of mDNS when this should be already configured in nsswitch.conf. Particularly the default nsswitch.conf says to lookup first using mDNS, so when this is not done the result is confusing.

- Ubuntu seems to ship by default with both systemd-resolved and the avahi-daemon. Is this redundant? Is there a way to tell systemd-resolved to refrain from mDNS lookup and just hand it over to the avahi daemon? Shouldn't systemd-resolved just do that when mDNS is disabled for it but globally enabled via nsswitch? Is the avahi daemon needed at all if systemd-resolved can take care of everything? Can there be issues in having both up? For instance the arch wiki explicitly says "If Avahi has been installed, consider disabling avahi-daemon.service and avahi-daemon.socket to prevent conflicts with systemd-resolved".

Again, more analysis...

looks like the 40.68.249.35 is an answer delivered by my ISP that is hijacking DNS requests on port 53 (redirecting the request to a server of them even if I am specifying another server by IP address). For instance

host -t A pippo.pertica.palla 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

pippo.pertica.palla has address 40.68.249.35

This is easily verified because if I reconfigure systemd-resolved to access the cloudflare dns 1.1.1.1 via TLS the DNS highjacking cannot happen anymore.

Hence apparently nothing may have changed in ubuntu and systemd-resolved and the issue presented here may be no regression.

Still, IMHO there is an issue with systemd-resolved. For .local hosts it seems to first query unicast DNS and only over a resolution failure to let the avahi-daemon do the mDNS resolution. However this is just the opposite of what my nsswitch.conf specifies (first query mDNS, then dns).

Hi,

Can I make this bug public?

On my side, certainly so.

Out of curiosity, what does the hosts line in your /etc/nsswitch.conf file look like?

Host entry in nsswitch.conf is:

files mdns4_minimal [NOTFOUND=return] dns

Note that I do not see the issue anymore, because the ISP has (for the time being) stopped messing so aggressively with dns.

In any case, I've moved to using dns over tls which systemd.resolved supports perfectly with 1.1.1.1 or 9.9.9.9, which should prevent the isp from troubling me even if they restart doing weird things (wonder if it was some sort of experiment on their side).

Nonetheless, I believe that the system should avoid breaking .local resolution and obey the priorities in the nsswitch file.

Finished my investigation. Guess it is not a bug after all, rather — I would say — a matter of extremely dispersed documentation plus very unfriendly behavior from the ISP.

The situation is that even if you put mdns_minimal in front of other entries in hosts in nsswitch, mdns /is not queried/ if the DNS declares SOA for the "local" domain. Mine does. This is the reason why I was getting the impression of systemd-resolved passing queries to DNS even when it should not have. It was actually nss_mdns to let it do so. The fact that for some time my isp has directed all dns queries to its own nameserver even when another one was selected did not help in verifying the behavior with a dns not declaring SOA for local.

Yet, this aspect of the linux mdns implementation should be documented with much better emphasis, or even better, there should be a way to make mdns_minimal report/log what it is doing. Currently, you find mention of the mdns "handover" to dns for local only looking at the very end of /usr/share/doc/libnss-mdns/README.md.gz where the heuristics is explained.

Because heuristics /can go wrong/, the item should IMHO be given much better emphasis. For instance, I suggest that ubuntu ships with a man page for nss_mdns and nss_mdns_minimal.