HA OS DNS Setting - Configuration not respected?

CentralCommand · June 27, 2022, 3:55pm

FYI you can disable the fallback DNS by entering the following in the cli:

ha dns options --fallback=false

Also less is potentially leaked out of the box after

github.com/home-assistant/plugin-dns

No SERVFAIL and no forwarding multicast names

home-assistant:master ← home-assistant:nxdomain-not-servfail

opened 11:48PM - 21 Apr 22 UTC

mdegat01

+13 -5

Fixes #85 by responding with an NXDOMAIN if a `local.hass.io` name is not found …in our hosts file. We are authoritative on that domain in networks with supervisor and so there's no reason to keep looking if we can't find it. Additionally fixes #70. When reviewing the SERVFAILS that occurred when an LLMNR name was looked up (single name, no TLD) I realized that generally only bad things happen if we continue looking up multicast names past the MDNS plug-in. Since the MDNS plug-in asks the host for an answer it will get an answer for any multicast names as long as the host has one. And if the host doesn't its unlikely any of the other potential forwarding servers will either. But trying will likely leak private host names to external resolvers. There is a risk with this. It is possible to add a dns rewrite entry for something like `my-server.local` in some DNS servers instead of properly using MDNS. This will no longer resolve after this change for users doing this because `systemd-resolved` also [refuses to forward multicast names to other resolvers](https://github.com/systemd/systemd/blob/2afb2f4a9d6a497dfbe1983fbe1bac297a8dc52b/src/resolve/resolved-dns-scope.c#L797-L813). But given what we are doing has caused a CVE and I think we should follow `systemd-resolved` example and stop at the MDNS plugin as well. Note that if we cannot reach `systemd-resolved` (can occur only on an unsupported system) then the MDNS plugin continues to pass the request along as normal. It can't answer any queries in this situation so that is the best it can do.

Now supervisor does as systemd-resolved does and no longer sends LLMNR or MDNS queries to resolvers at all even if the fallback is enabled.

My general advice to anyone before disabling the fallback is to run the following command first:

ha resolution info

If you see no issues, feel free to disable it. If you see issues related to DNS then that means HA has issues working with your DNS server and you should fix those first.

And yes it is possible for HA to have an issue with a DNS server even though literally every other device on your network does not because of this:

If you have that musl related issue them it’ll show up as an issue when you enter that command. If not then feel free to disable the fallback.