#1 2020-11-27 12:11:33

crazystick
Member
Registered: 2012-11-22
Posts: 7

[SOLVED] systemd-resolved not following CNAME records

I have some strange behaviour on a new laptop with systemd-resolved. I have symlinked /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf as suggested in the wiki. However, downloads from certain hosts are failing with curl and Firefox (although strangely Chrome seems immune). For example:

paul@alsvin ~ % curl -O https://downloads.slack-edge.com/linux_releases/slack-desktop-4.11.3-amd64.deb -vv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 100::1:443...
* Immediate connect fail for 100::1: Network is unreachable
* Closing connection 0
curl: (7) Couldn't connect to server

paul@alsvin ~ % systemd-resolve downloads.slack-edge.com
downloads.slack-edge.com: 100::1               -- link: wlp0s20f3

-- Information acquired via protocol DNS in 1.1ms.
-- Data is authenticated: no

LOGS:

Nov 27 11:22:26 alsvin systemd-resolved[31150]: Got message type=method_call sender=:1.1831 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname cookie=2 reply_cookie=0 signature=isit error-name=n/a error-message=n/a
Nov 27 11:22:26 alsvin systemd-resolved[31150]: idn2_lookup_u8: downloads.slack-edge.com → downloads.slack-edge.com
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Looking up RR for downloads.slack-edge.com IN A.
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Looking up RR for downloads.slack-edge.com IN AAAA.
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=93 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=94 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1809 path=n/a interface=n/a member=n/a cookie=51 reply_cookie=94 signature=s error-name=n/a error-message=n/a
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Positive cache hit for downloads.slack-edge.com IN A
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Transaction 9085 for <downloads.slack-edge.com IN A> on scope dns on wlp0s20f3/* now complete with <success> from cache (unsigned).
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Positive cache hit for downloads.slack-edge.com IN AAAA
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Transaction 51790 for <downloads.slack-edge.com IN AAAA> on scope dns on wlp0s20f3/* now complete with <success> from cache (unsigned).
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Freeing transaction 9085.
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Freeing transaction 51790.
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Sent message type=method_return sender=n/a destination=:1.1831 path=n/a interface=n/a member=n/a cookie=95 reply_cookie=2 signature=a(iiay)st error-name=n/a error-message=n/a
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=96 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Nov 27 11:22:26 alsvin systemd-resolved[31150]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1809 path=n/a interface=n/a member=n/a cookie=50 reply_cookie=93 signature=n/a error-name=n/a error-message=n/a

However if I specify IPv4 then it works:

paul@alsvin ~ % systemd-resolve -4 downloads.slack-edge.com
downloads.slack-edge.com: 52.85.114.49         -- link: wlp0s20f3
                          52.85.114.106        -- link: wlp0s20f3
                          52.85.114.74         -- link: wlp0s20f3
                          52.85.114.110        -- link: wlp0s20f3
                          (d25f4v0ddt3j8p.cloudfront.net)

-- Information acquired via protocol DNS in 1.1ms.
-- Data is authenticated: no

LOGS:

Nov 27 11:24:27 alsvin systemd-resolved[31150]: Got message type=method_call sender=:1.1838 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname cookie=2 reply_cookie=0 signature=isit error-name=n/a error-message=n/a                                                                                                                             
Nov 27 11:24:27 alsvin systemd-resolved[31150]: idn2_lookup_u8: downloads.slack-edge.com → downloads.slack-edge.com
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Looking up RR for downloads.slack-edge.com IN A.
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=117 reply_cookie=0 signature=s error-name=n/a error-message=n/a                                                                                                                                                            
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=118 reply_cookie=0 signature=s error-name=n/a error-message=n/a                                                                                                                                                        
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1809 path=n/a interface=n/a member=n/a cookie=63 reply_cookie=118 signature=s error-name=n/a error-message=n/a                                                                                                                                                                                              
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Positive cache hit for downloads.slack-edge.com IN A
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Transaction 45161 for <downloads.slack-edge.com IN A> on scope dns on wlp0s20f3/* now complete with <success> from cache (unsigned).
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Freeing transaction 45161.
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Following CNAME/DNAME downloads.slack-edge.com → d25f4v0ddt3j8p.cloudfront.net.
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Positive cache hit for d25f4v0ddt3j8p.cloudfront.net IN A
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Transaction 64839 for <d25f4v0ddt3j8p.cloudfront.net IN A> on scope dns on wlp0s20f3/* now complete with <success> from cache (unsigned).
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Freeing transaction 64839.
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Sent message type=method_return sender=n/a destination=:1.1838 path=n/a interface=n/a member=n/a cookie=119 reply_cookie=2 signature=a(iiay)st error-name=n/a error-message=n/a                                                                                                                                                                                                       
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=120 reply_cookie=0 signature=s error-name=n/a error-message=n/a                                                                                                                                                         
Nov 27 11:24:27 alsvin systemd-resolved[31150]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1809 path=n/a interface=n/a member=n/a cookie=62 reply_cookie=117 signature=n/a error-name=n/a error-message=n/a    

Last edited by crazystick (2020-11-28 23:07:56)

Offline

#2 2020-11-28 15:33:31

jonathon
Member
Registered: 2016-09-19
Posts: 60

Re: [SOLVED] systemd-resolved not following CNAME records

crazystick wrote:
* Immediate connect fail for 100::1: Network is unreachable

Possibly they have misconfigured IPv6 on their end, or you're picking up a non-existent AAAA record?

It just doesn't seem to have a valid AAAA record:

$ dig AAAA downloads.slack-edge.com @8.8.8.8

; <<>> DiG 9.16.8 <<>> AAAA downloads.slack-edge.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;downloads.slack-edge.com.	IN	AAAA

;; ANSWER SECTION:
downloads.slack-edge.com. 53	IN	CNAME	d25f4v0ddt3j8p.cloudfront.net.

;; AUTHORITY SECTION:
d25f4v0ddt3j8p.cloudfront.net. 59 IN	SOA	ns-1407.awsdns-47.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Nov 28 15:30:24 GMT 2020
;; MSG SIZE  rcvd: 178

$ dig AAAA d25f4v0ddt3j8p.cloudfront.net @8.8.8.8

; <<>> DiG 9.16.8 <<>> AAAA d25f4v0ddt3j8p.cloudfront.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45098
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;d25f4v0ddt3j8p.cloudfront.net.	IN	AAAA

;; AUTHORITY SECTION:
d25f4v0ddt3j8p.cloudfront.net. 59 IN	SOA	ns-1407.awsdns-47.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 70 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Nov 28 15:31:29 GMT 2020
;; MSG SIZE  rcvd: 143

Last edited by jonathon (2020-11-28 15:34:56)

Offline

#3 2020-11-28 23:06:40

crazystick
Member
Registered: 2012-11-22
Posts: 7

Re: [SOLVED] systemd-resolved not following CNAME records

jonathon wrote:

Possibly they have misconfigured IPv6 on their end, or you're picking up a non-existent AAAA record?

It just doesn't seem to have a valid AAAA record:

Hmm, I was on a bus when I had this issue, it's gone now I'm home. I had this issue on multiple sites, and they all returned this spurious AAAA record of 100::1 so I suspect that you are right, and probably it was some dodgy configuration on the WiFi of the bus. Maybe it used to have a captive portal that is disabled but has something left over.

Offline
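An added example, not part of the original thread: a check that parses `systemd-resolve` output like that posted above and flags answers that cannot be a real public endpoint. `100::1` lies in the IPv6 discard-only prefix `0100::/64` (RFC 6666), which is why it is flagged; the function names are hypothetical and the sample text is copied (trimmed) from the posts.

```python
import ipaddress
import re

# 0100::/64 is the IPv6 discard-only prefix (RFC 6666); the 100::1 answer
# seen in the thread falls inside it, so it can never be a real endpoint.
DISCARD_ONLY = ipaddress.ip_network("100::/64")

ADDR_LINE = re.compile(r"^(?:\S+:\s+|\s+)(\S+)\s+-- link: (\S+)$")
CNAME_LINE = re.compile(r"^\s+\((\S+)\)$")

# Output copied (trimmed) from the posts above.
DEFAULT_LOOKUP = """\
downloads.slack-edge.com: 100::1               -- link: wlp0s20f3

-- Information acquired via protocol DNS in 1.1ms.
-- Data is authenticated: no
"""
IPV4_LOOKUP = """\
downloads.slack-edge.com: 52.85.114.49         -- link: wlp0s20f3
                          52.85.114.106        -- link: wlp0s20f3
                          (d25f4v0ddt3j8p.cloudfront.net)
"""

def parse_resolve_output(text):
    """Return ([ip addresses], canonical name or None)."""
    addrs, cname = [], None
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            try:
                addrs.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # token before "-- link:" was not an address
        elif (c := CNAME_LINE.match(line)):
            cname = c.group(1)
    return addrs, cname

def audit(text):
    """Return one finding per answer that cannot be a public endpoint."""
    findings = []
    for addr in parse_resolve_output(text)[0]:
        if addr in DISCARD_ONLY:
            findings.append(f"{addr}: discard-only prefix (RFC 6666)")
        elif not addr.is_global:
            findings.append(f"{addr}: not globally routable")
    return findings

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_LOOKUP), ("-4", IPV4_LOOKUP)):
        print(name, audit(sample) or "ok")
```

A discard-prefix or private answer for a public hostname, with no CNAME reported, points at the local network's resolver rather than the site's own zone.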
