nss-resolve, libnss_resolve.so.2 — Hostname resolution via
nss-resolve is a plug-in module for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) enabling it to resolve hostnames via the systemd-resolved(8) local network name resolution service. It replaces the nss-dns plug-in module that traditionally resolves hostnames via DNS.
To activate the NSS module, add "
resolve [!UNAVAIL=return]" to the line starting
/etc/nsswitch.conf. Specifically, it is
recommended to place "
resolve" early in
hosts:" line. It should be before the "
files" entry, since
/etc/hosts internally, but with
caching. To the contrary, it should be after "
mymachines", to give hostnames given to
local VMs and containers precedence over names received over DNS. Finally, we recommend placing
dns" somewhere after "
resolve", to fall back to
systemd-resolved.service is not available.
Note that systemd-resolved will synthesize DNS resource records in a few cases,
for example for "
localhost" and the current local hostname, see
the full list. This duplicates the functionality of
it is still recommended (see examples below) to keep nss-myhostname configured in
/etc/nsswitch.conf, to keep those names resolveable if
systemd-resolved is not running.
Please keep in mind that nss-myhostname (and nss-resolve) also resolve in the other direction — from locally attached IP addresses to hostnames. If you rely on that lookup being provided by DNS, you might want to order things differently.
Communication between nss-resolve and
systemd-resolved.service takes place via the
Takes a boolean argument. When false, cryptographic validation of resource records via DNSSEC will be disabled. This may be useful for testing, or when system time is known to be unreliable.
Takes a boolean argument. When false, synthetic records, e.g. for the local host name, will not be returned. See section SYNTHETIC RECORDS in systemd-resolved.service(8) for more information. This may be useful to query the "public" resource records, independent of the configuration of the local machine.
Takes a boolean argument. When false, answers using locally registered public LLMNR/mDNS resource records will not be returned.
Takes a boolean argument. When false, answers using locally configured trust anchors will not be used.
Here is an example
/etc/nsswitch.conf file that enables
passwd: files systemd group: files [SUCCESS=merge] systemd shadow: files systemd gshadow: files systemd hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis