
My resolv.conf looks like this:

; generated by /sbin/dhclient-script
search mcdc
nameserver 10.0.4.48
nameserver 8.8.8.8

If I do nslookup www.google.com, it works:

nslookup www.google.com
;; Got SERVFAIL reply from 10.0.4.48, trying next server
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.

But when I curl www.google.com, it cannot resolve the host.

I tried running curl under strace, and found curl was only using the first nameserver in resolv.conf, not the second. If I switch the two nameserver lines around, www.google.com resolves, but internal DNS names do not, so that's not a good workaround.

How can I fix resolv.conf to use both nameservers?

benhsu

6 Answers

The default behavior for resolv.conf and the resolver is to try the servers in the order listed. The resolver will only try the next nameserver if the first nameserver times out. The resolv.conf manpage says:

nameserver Name server IP address

Internet address (in dot notation) of a name server that the resolver should query. Up to MAXNS (currently 3, see ) name servers may be listed, one per keyword. If there are multiple servers, the resolver library queries them in the order listed.

And:

(The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)

Also see the resolver(5) manual page for more information.

You can alter the resolver's behavior using rotate, which will query the nameservers in a round-robin order:

rotate sets RES_ROTATE in _res.options, which causes round robin selection of nameservers from among those listed. This has the effect of spreading the query load among all listed servers, rather than having all clients try the first listed server first every time.

However, nslookup will use the second nameserver if it receives a SERVFAIL from the first nameserver. From the nslookup manpage:

[no]fail Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.

(Default = nofail)

Stefan Lasiewski
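As an added diagnostic (not code from the question or from any answer above): this script asks each nameserver in resolv.conf directly and reports whether it times out or replies with SERVFAIL, NXDOMAIN or NOERROR. That distinction is the whole story here, because glibc only moves to the next server on a timeout, while nslookup's default nofail also moves on after a SERVFAIL. It assumes plain UDP on port 53 and a single A query; the resolv.conf path and the name are parameters, and the resolv.conf and reply bytes used in the test are constructed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a minimal recursive A query for `name` (one UDP DNS packet)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_rcode(packet, txid=0x1234):
    """Return (RCODE name, answer count) of a reply that matches our txid."""
    rid, flags, qd, an = struct.unpack(">HHHH", packet[:8])
    if rid != txid or not flags & 0x8000:      # wrong id or not a response
        raise ValueError("unexpected packet")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an

def nameservers(path="/etc/resolv.conf"):
    """Nameserver addresses from resolv.conf, in the order the resolver tries them."""
    with open(path) as f:
        rows = [line.split() for line in f]
    return [row[1] for row in rows if len(row) > 1 and row[0] == "nameserver"]

def probe(server, name, timeout=2.0):
    """Ask one server directly; return ('TIMEOUT', 0) or (RCODE, answer count)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", 0
    return parse_rcode(data)

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    for ns in nameservers():
        # e.g. "10.0.4.48 SERVFAIL 0" followed by "8.8.8.8 NOERROR 1"
        print(ns, *probe(ns, name))
```

A server that prints SERVFAIL for external names but NOERROR for internal ones is an authoritative-only or mis-forwarding internal server, which glibc will never step past.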

Yes, you could use "rotate" and the timeout setting to improve DNS lookups. Below is an example:

Ex:

[root@centos-xxxxxx ~]# cat /etc/resolv.conf
options rotate
options timeout:1
search xyz.abc.local
nameserver 192.168.56.3
nameserver 10.0.2.4
Harry
    For me, this sort of works, but not reliably. It basically relies on the client retrying until it gets the right name server, which sometimes works, sometimes doesn't. – Ben Aveling Apr 28 '21 at 12:00

So to make it work as expected install dnsmasq or other lightweight DNS repeater (or a full blown DNS server). See Comparison of DNS server software.

For dnsmasq, the configuration is as simple as:

server=10.0.4.48
server=8.8.8.8

You can also specify which DNS server should be used for which domain. E.g.:

server=/mcdc/10.0.4.48
server=8.8.8.8

This will make dnsmasq look for *.mcdc in 10.0.4.48 DNS server and any other in 8.8.8.8.

In /etc/resolv.conf you just use your local DNS:

nameserver 127.0.0.1

For more details on dnsmasq setup see my answer here: https://unix.stackexchange.com/questions/55090/change-default-dns-on-openvpn-connect/545591#545591.

Nux

Adding the line below at the start of resolv.conf worked in Ubuntu 18.04 LTS:

options rotate
Uwe Keim

Is 10.0.4.48 a recursive dns server aka resolver?

Or is it only an authoritative server for your internal zones?

You should set up an internal resolver that might also be holding your authoritative data.

Michuelnik

If you can, I would configure it in this fashion.

search mcdc
nameserver 127.0.0.1
nameserver 8.8.8.8

Blake
Which part of the question indicates they run a DNS server on their machine, or want to? – Jay Jun 14 '12 at 16:57

WHY do you think querying localhost will improve their situation? (http://blog.serverfault.com/2011/06/09/press-the-green-button-twice/) – voretaq7 Jun 14 '12 at 17:17

Blake: Note that 127.0.0.1 is typically only used for systems which have a name server caching daemon on the local host. See http://tldp.org/HOWTO/DNS-HOWTO-3.html – Stefan Lasiewski Jun 14 '12 at 18:18