Tailscale is awesome, you should use it for everything. This Linux DNS stuff drives us batty at Fly.io. We run user containers as Firecracker VMs; users belong to "organizations", and organizations share a private IPv6 network. We do DNS for that private network under the fake "internal" TLD, so if you have an app "phoenix-frontend" and another app "rabbitmq-cluster", they can see each other at "phoenix-frontend.internal" and "rabbitmq-cluster.internal". What you'd want in a perfect world is an option in `/etc/nf` that sends `.internal` to a special nameserver, and everything else to a normal nameserver. But as far as I can tell, there's no way to take a bare Linux VM that can accept an arbitrary container and set that capability up.

So instead, we end up (by default; you could override) serving _all_ customer DNS, and our `.internal` server has to forward recursive queries to things that aren't `.internal` somewhere else. This sucks; we shouldn't have to be inline for arbitrary customer DNS. If there's a clean way to resolve this, so that the VM itself can just send `.internal` queries to us, and everything else to `1.1.1.1` or `8.8.8.8` or whatever the customer's container had, I would _love_ to hear it. I've come pretty close to breaking out preload in anger over this problem.

It depends on what you're using for the resolver. I'm assuming you only care about gethostbyname(3) and friends. With glibc that means NSS; generally you're also looking at libnss_dns.so, which uses glibc's resolv (copied from BIND). This doesn't include enough configuration to do what you suggest; it pretty much just points everything towards a server. So you have two options: use a different NSS module (maybe write your own?) or have a proxy DNS resolver that sends different requests to different places. Systemd-resolved actually handles the first option pretty well (although it would prefer that you use the dbus interface over gai). It can handle multiple interfaces with separate domains and split DNS fairly well! (Not so good with reverse DNS, unfortunately. But I get it, reverse DNS is pretty hacky anyways.) If you prefer the forwarder route, dnsmasq seems to be fairly popular these days in the embedded world and elsewhere. If I were you, I think I'd write a short NSS module or use dnsmasq, depending upon your needs. Then another option is to implement all 3. This gives you what you want most of the time, but also supports all customer use cases. The downside is the customer now needs a flow chart to understand how their DNS is resolving.
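As an added example (not code from the thread, from Fly.io, or from any of the tools named above), here is the "proxy DNS resolver" option in its smallest form: a UDP forwarder that reads the question name out of each raw query and sends it to the private-network resolver only when the last label is exactly `internal`, passing everything else to a public upstream. The upstream addresses and the listen port are placeholders, and `build_query` only exists to construct sample packets for offline testing.

```python
import socket
# Constructed example config (not from the thread): pick an upstream by the last label.
INTERNAL_SUFFIX = "internal"
INTERNAL_UPSTREAM = ("fdaa::3", 53)  # placeholder address of the private-network resolver
DEFAULT_UPSTREAM = ("1.1.1.1", 53)   # public resolver the customer container would use otherwise

def parse_qname(packet: bytes) -> str:
    """Return the first question name from a raw DNS query (question names use plain labels)."""
    if len(packet) < 12 or int.from_bytes(packet[4:6], "big") < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:  # a compression pointer is not valid in a question we forward
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos >= len(packet):
        raise ValueError("truncated name")
    return ".".join(labels).lower()

def choose_upstream(qname: str):
    """Exact last-label match, so a name like 'evil-internal.com' never goes to the internal server."""
    if qname.rstrip(".").split(".")[-1] == INTERNAL_SUFFIX:
        return INTERNAL_UPSTREAM
    return DEFAULT_UPSTREAM

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal A-record query for `name`, used for offline testing."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00\x00\x01\x00\x01"  # root label, QTYPE A, QCLASS IN

def serve(listen=("127.0.0.1", 5353)):
    # Forward each query unchanged (transaction ID included) and relay the reply back.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, client = sock.recvfrom(4096)
        try:
            upstream = choose_upstream(parse_qname(data))
        except ValueError:
            continue  # drop malformed queries instead of guessing an upstream
        family = socket.AF_INET6 if ":" in upstream[0] else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as up:
            up.settimeout(3)
            up.sendto(data, upstream)
            try:
                sock.sendto(up.recvfrom(4096)[0], client)
            except socket.timeout:
                pass
```

Calling `serve()` runs the forwarding loop on the placeholder port; the VM's stub resolver would then be pointed at it instead of at the customer's nameserver.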