nixos: add option for bind to not resolve local queries (#29503)

When the user specifies the networking.nameservers setting in the
configuration file, it must take precedence over automatically
derived settings.

The culprit was services.bind that made the resolver set to
127.0.0.1 and ignore the nameserver setting.

This patch adds a flag to services.bind to override the nameserver
to localhost. It defaults to true. Setting this to false prevents the
service.bind and dnsmasq.resolveLocalQueries settings from
overriding the users' settings.

Also, when the user specifies a domain to search, it must be set in
the resolver configuration, even if the user does not specify any
nameservers.

(cherry picked from commit 670b4e29adc16e0a29aa5b4c126703dcca56aeb6)

This commit was accidentally merged to 17.09 but was intended for
master. This is the cherry-pick to master.

4 files changed, 14 insertions, 3 deletions

diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix
index 619f36cd515..5fa91ec9cfb 100644
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@@ -9,7 +9,9 @@ let
   cfg = config.networking;
   dnsmasqResolve = config.services.dnsmasq.enable &&
                    config.services.dnsmasq.resolveLocalQueries;
-  hasLocalResolver = config.services.bind.enable || dnsmasqResolve;
+  bindResolve =    config.services.bind.enable &&
+                   config.services.bind.resolveLocalQueries;
+  hasLocalResolver = bindResolve || dnsmasqResolve;
 
   resolvconfOptions = cfg.resolvconfOptions
     ++ optional cfg.dnsSingleRequest "single-request"
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 763283dfe7a..9f533eedf6e 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -151,6 +151,15 @@ in
         ";
       };
 
+      resolveLocalQueries = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether bind should resolve local queries (i.e. add 127.0.0.1 to
+          /etc/resolv.conf, overriding networking.nameserver).
+        '';
+      };
+
     };
 
   };
diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix
index fcf5aa5f175..3d1b931de07 100644
--- a/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixos/modules/services/networking/dnsmasq.nix
@@ -42,7 +42,7 @@ in
         default = true;
         description = ''
           Whether dnsmasq should resolve local queries (i.e. add 127.0.0.1 to
-          /etc/resolv.conf).
+          /etc/resolv.conf overriding networking.nameservers).
         '';
       };
 
diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix
index 7ede8752bcc..adc048f3ca2 100644
--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -105,7 +105,7 @@ let
               ''
                 # Set the static DNS configuration, if given.
                 ${pkgs.openresolv}/sbin/resolvconf -m 1 -a static <<EOF
-                ${optionalString (cfg.nameservers != [] && cfg.domain != null) ''
+                ${optionalString (cfg.domain != null) ''
                   domain ${cfg.domain}
                 ''}
                 ${optionalString (cfg.search != []) ("search " + concatStringsSep " " cfg.search)}