DNS resolution for linux namespace

Hi all,
I am not able to understand or find anywhere the correct DNS resolution order for a custom Linux namespace.
For example, if I add a new namespace, then using the ip command I can give it an IP address, subnet and default gateway.
But I haven't yet found any way to pass the DNS server address too for my custom Linux namespace.
All the information I have come across tells me that the only way a DNS server address is passed to a namespace is

  1. If /etc/netns/customNamespace/resolv.conf is present, then use this.
  2. by using the host's /etc/resolv.conf only

So my questions are

  1. Why is DNS resolution not taken care of by the ip command and instead depends on the file system?
  2. If a new network namespace is using files from the host for its network configuration, then how do we call it isolated?

Please do correct me wherever I have been wrong with my understanding or assumptions.

DNS resolution is carried out in each application process by a library that was traditionally included with BIND, which at one time was the exclusive DNS code base. Today we have many alternatives, and BIND itself usually gets packaged in pieces. The ip command provides no information to processes that try to determine a destination address.

This library needed starting/configuration information such as the IP addresses to access the caching and recursive resolving servers. It was decided that /etc/resolv.conf would have this information. Most DNS lookup tools use this unless their intentions (for example, being a testing tool) urge a different way.

Knowing this, I would expect a container to have a different mount namespace, too, so that its distinctive configuration(s) can be provided. In fact, the network namespace would have no impact on which servers are asked. This kind of thing is done in chroots.

How is "files from host" accomplished? A bind mount view? An overlay mount view? Copying select files into a private file space? The choice made would be expected to affect the behavior of that container. I don't know if you get all those choices, and if you do, it's not in the ip command.
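As an added example (not code from the thread or from iproute2), the script below emulates the two-step precedence listed in the question and the mount-namespace mechanism Phil describes: when `ip netns exec NAME` runs a command, iproute2 first unshares a private mount namespace and then bind-mounts `/etc/netns/NAME/resolv.conf` over `/etc/resolv.conf` if that file exists, so the host file is never modified and the network namespace itself carries no DNS setting. The `ROOT` prefix and the namespace names `blue`/`red` are hypothetical so the check can run against a scratch tree without privileges; the real commands are given in a comment.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates which resolv.conf a process
# started with `ip netns exec NAME` ends up reading. iproute2 does this by
# entering a private mount namespace and bind-mounting
# /etc/netns/NAME/resolv.conf over /etc/resolv.conf when it exists; the
# network namespace itself stores no DNS server addresses.
# ROOT is a hypothetical filesystem prefix so this runs unprivileged.

# Print the file that namespace $2 sees as /etc/resolv.conf under root $1.
netns_resolv_conf() {
    root=$1
    ns=$2
    if [ -f "$root/etc/netns/$ns/resolv.conf" ]; then
        printf '%s\n' "$root/etc/netns/$ns/resolv.conf"   # per-namespace override
    else
        printf '%s\n' "$root/etc/resolv.conf"             # falls back to the host file
    fi
}

# Print the nameserver addresses from a resolv.conf, in the order the
# resolver library tries them (the glibc resolver honours at most three).
resolv_nameservers() {
    awk '$1 == "nameserver" && n < 3 { print $2; n++ }' "$1"
}

# Demo on a constructed scratch tree (sample addresses from RFC 5737 ranges).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/netns/blue"
    printf 'nameserver 192.0.2.53\nsearch host.example\n' > "$tmp/etc/resolv.conf"
    printf 'nameserver 198.51.100.1\nnameserver 198.51.100.2\n' > "$tmp/etc/netns/blue/resolv.conf"

    f=$(netns_resolv_conf "$tmp" blue)
    echo "namespace blue (override present) reads: $f"
    resolv_nameservers "$f"

    f=$(netns_resolv_conf "$tmp" red)
    echo "namespace red (no override) reads: $f"
    resolv_nameservers "$f"
    rm -rf "$tmp"
}

# On a real host, as root, the same precedence is exercised with:
#   ip netns add blue
#   mkdir -p /etc/netns/blue
#   printf 'nameserver 198.51.100.1\n' > /etc/netns/blue/resolv.conf
#   ip netns exec blue cat /etc/resolv.conf   # shows the override
#   cat /etc/resolv.conf                      # host file is untouched

demo
```

Because the override is a bind mount in a private mount namespace, a process inside `blue` that edits `/etc/resolv.conf` changes only `/etc/netns/blue/resolv.conf`, which is the isolation the question asks about; a namespace without that directory, like `red` above, shares the host's resolver configuration unchanged.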

Thanks for your reply,
I got what you mean here, and with my further internet searching it makes sense too how things got shaped.
What I "had" more issue with was the way DNS is treated w.r.t. Linux network namespace "isolation". Even though there exist many ways to get "files from host", I just somehow couldn't get my head wrapped around the decision, or convention, of reading a file to work out things directly related to the network stack while other things just work like a turnkey solution.
As I understand from your comment too, the dig command does this trick with its "@server" thing for using a custom DNS address.

Anyway, thanks for taking the time & your reply Phil 🙂