You’ll probably want to use hostnames rather than IP addresses, so that you’ll be able to browse to http://www.cnn.com/ instead of http://157.166.255.18. Unix-like systems use the resolver to accomplish this feat.
Most hosts use two tools to map between IP addresses and hostnames: the hosts file and DNS. (Different operating systems support additional name services, such as YP, LDAP, NIS, and so on, but dang near every system supports these two.)
The hosts file is a text file on the local machine that contains static IP address and hostname lists. DNS is a more dynamic service that reaches across the network to find information. You can specify DNS servers by IP address, but we’ll look at the hosts file in a little more detail.
What if you prefer IPv4 or IPv6 addresses? Or you want the hosts file to override DNS? Maybe you have a default domain that your queries should use. The resolver searches until it either finds the first answer or has exhausted its information sources, so these questions matter. Tell your resolver your needs in /etc/resolv.conf.
You configure the resolver behavior in /etc/resolv.conf. A system without /etc/resolv.conf can find only hostnames listed in the hosts file. Because the hosts file starts off empty, that’s probably not what you want. Start by specifying domain names.
If you wanted to ping a host on a remote network, you might expect to need to specify the whole domain. Entering ping www.openbsd.org should work. But if you wanted to ping your company’s web server, it would make more sense to just type ping www. And you can, because OpenBSD allows you to specify default domains, so that when you type in a short hostname, it will try to find the proper host.
For example, if you have only one local domain, you would list the domain keyword in /etc/resolv.conf like this:
domain michaelwlucas.com
Now, when I enter ping ftp, the resolver should get the IP address of the host ftp.michaelwlucas.com.
If you have more than one local domain, use the search keyword and a list of domains, like this:
search michaelwlucas.com openbsd.org
If I enter ping ftp now, the resolver should get the IP of the host ftp.michaelwlucas.com. Once the resolver learns that no such host exists, it will check for ftp.openbsd.org. Because that host exists, ping will start to work. The search keyword can have up to six domains, and the line can be no longer than 1024 characters.
You can use either domain or search, but not both. If you use both, the last entry in the file wins. Likewise, if you list multiple search or domain lines, only the last one in the file takes effect. Here’s how not to do it:
search cnn.com openbsd.org
search sluggy.com michaelwlucas.com
domain blackhelicopters.org
You might as well get rid of the two search statements. The resolver will never go through those domain lists; it will use only the domain list because it’s the last one.
Now that the resolver knows which domains to check by default, tell it which name servers to use. List each name server on its own line, by IP address, in order of preference.
nameserver 192.0.2.5
nameserver 198.51.100.5
nameserver 2001:db8::5
You can list up to three name servers, by IP address. (Hostnames in a nameserver entry won’t work, for fairly obvious reasons.)
If your resolv.conf doesn’t list a name server, the resolver should check for a name server on the local machine.
You might get host information from DNS or from the hosts file. The resolver stops once it finds an answer to a query. If it checks the hosts file and then DNS, entries in the hosts file override the name server. If it checks the name server before the hosts file, the hosts file is used only when no DNS record is available. Either approach has its uses, but by default, the resolver checks the hosts file first and then DNS. To reverse this, use the lookup keyword.
lookup bind file
The file option represents /etc/hosts, while due to a historical accident, bind represents DNS. (The first DNS server software was the Berkeley Internet Name Domain server, or BIND.) The reverse, file bind, is the default, so there’s no need to specify it explicitly.
The /etc/hosts file matches IP addresses to hostnames. While the hosts file is very simple, its contents are available only on the local machine. A hosts file is most useful on a small private network, such as in your home or test lab. You can also use a hosts file to override data from the DNS server, such as when you want to test a new system.
Each line in /etc/hosts represents one host. The first entry on each line is an IP address. The second is the fully qualified domain name of the host. Following these two entries, you can have an arbitrary number of aliases for that host. I often add comments at the end of the line, prefixed with a hash mark (#).
There was a time when I had a small network at home with only four machines: the proxy/firewall, the wife’s desktop, my laptop, and the crash machine where I did stupid things. The hosts file looked like this:
192.0.2.1 nat.blackhelicopters.org nat firewall gateway
192.0.2.8 boss.blackhelicopters.org boss wife #don't crash
192.0.2.20 crashbox.blackhelicopters.org crashbox test
192.0.10.21 laptop.blackhelicopters.org laptop mwlucas
The first line gives the machine nat.blackhelicopters.org the additional names firewall and gateway. The comment at the end of the second line reminds me not to run security scanners against my wife’s desktop. (The machine crashbox is also called test.)
Any machine with this hosts table could find any machine listed in the hosts table by name. For example, I could run ping boss or ssh crashbox and reach the desired machine.
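As an added example (not from the book), here is a small Python model of the lookup just described: it parses a hosts file in the format shown above and resolves a name through the search list and the lookup order from the previous section. The hosts file body and the FAKE_DNS table are constructed sample data; FAKE_DNS stands in for a real name server, and trying every source for each candidate name before moving to the next search domain is a modelling assumption.

```python
# Constructed sample /etc/hosts body in the layout described above:
# address, fully qualified name, aliases, optional trailing comment.
HOSTS_FILE = """\
192.0.2.1    nat.blackhelicopters.org      nat firewall gateway
192.0.2.8    boss.blackhelicopters.org     boss wife   # don't crash
192.0.2.20   crashbox.blackhelicopters.org crashbox test
192.0.10.21  laptop.blackhelicopters.org   laptop mwlucas
"""

# Stand-in for a DNS server (constructed, not real records).  The boss entry
# deliberately disagrees with the hosts file to show which source wins.
FAKE_DNS = {
    "ftp.openbsd.org": "192.0.2.99",
    "boss.blackhelicopters.org": "203.0.113.8",
}

def parse_hosts(text):
    """Map every hostname and alias in an /etc/hosts body to its address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]           # drop trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank or comment-only line
        addr, names = fields[0], fields[1:]     # IP, FQDN, then aliases
        for name in names:
            table.setdefault(name.lower(), addr)  # first matching line wins
    return table

def candidates(name, search):
    """Names the resolver tries: the name as given, then name + each search domain."""
    if name.endswith("."):                      # trailing dot: absolute, no search
        return [name.rstrip(".")]
    return [name] + ["%s.%s" % (name, d) for d in search]

def resolve(name, search, lookup=("file", "bind"), hosts=HOSTS_FILE, dns=FAKE_DNS):
    """Return (address, source) for the first answer found, or None.

    lookup is the resolv.conf lookup order: "file" is /etc/hosts, "bind" is DNS.
    Assumption: each candidate name is tried against every source in lookup
    order before the next search domain is appended.
    """
    sources = {"file": parse_hosts(hosts), "bind": dns}
    for cand in candidates(name, search):
        for src in lookup:
            addr = sources[src].get(cand.lower())
            if addr:
                return addr, src
    return None
```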
The hosts file works just fine for finding networked hosts, but whenever you add, remove, or change a machine, you must edit /etc/hosts on every computer. And every time you change an IP address, you must edit /etc/hosts on every machine.
If your OpenBSD system roams between networks, like a laptop, you probably use DHCP to configure your network connection.
DHCP overwrites /etc/resolv.conf with the information for its network. This is appropriate for most users, but if you’re carrying an OpenBSD laptop, you’re not normal. You probably want some of your resolver configuration, such as your domain search list, to remain in effect no matter what network you’re on.
OpenBSD supports permanent resolver configuration in the file /etc/resolv.conf.tail. When OpenBSD’s DHCP client gets /etc/resolv.conf information from the server, it writes to /etc/resolv.conf and adds /etc/resolv.conf.tail to the end.
Remember how only the last search or domain keyword works? resolv.conf.tail takes advantage of that, allowing you to override your network administrator’s search order.
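To make the last-one-wins rule and the tail mechanism concrete, here is an added Python example (not from the book) that computes the effective resolver settings from a DHCP-written resolv.conf with resolv.conf.tail appended, applying the limits given above: last domain/search line wins, at most six search domains, at most three name servers, lookup defaulting to file then bind. Both file bodies are constructed samples; the 1024-character limit on the search line is not modelled.

```python
# Constructed sample of what a DHCP client might write to /etc/resolv.conf.
DHCP_RESOLV_CONF = """\
# generated by the DHCP client (constructed sample)
search cnn.com
nameserver 192.0.2.5
nameserver 198.51.100.5
"""

# Constructed sample /etc/resolv.conf.tail, appended after the DHCP data.
RESOLV_CONF_TAIL = """\
search michaelwlucas.com openbsd.org
nameserver 2001:db8::5
nameserver 2001:db8::6
lookup bind file
"""

# The "how not to do it" file from the text: only the last line takes effect.
BAD_CONFIG = """\
search cnn.com openbsd.org
search sluggy.com michaelwlucas.com
domain blackhelicopters.org
"""

MAX_NAMESERVERS = 3   # extra nameserver lines are ignored
MAX_SEARCH = 6        # extra search domains are ignored

def effective_config(text):
    """Reduce a resolv.conf body to the settings the resolver will actually use."""
    cfg = {"search": [], "nameserver": [], "lookup": ["file", "bind"]}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        keyword, args = line.split()[0], line.split()[1:]
        if keyword == "domain" and args:
            cfg["search"] = args[:1]            # domain takes a single name
        elif keyword == "search":
            cfg["search"] = args[:MAX_SEARCH]   # a later line replaces an earlier one
        elif keyword == "nameserver" and args:
            if len(cfg["nameserver"]) < MAX_NAMESERVERS:
                cfg["nameserver"].append(args[0])
        elif keyword == "lookup" and args:
            cfg["lookup"] = args
    return cfg

def with_tail(resolv_conf, tail):
    """Mimic the DHCP client: DHCP settings first, resolv.conf.tail appended."""
    return effective_config(resolv_conf + tail)
```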