#1 2019-04-12 15:48:34

goro9922
Member
Registered: 2019-04-12
Posts: 36

DNS issues with openconnect

Recently I discovered that, after connecting to a network with openconnect, I'm unable to resolve machines by hostname. I can ping and connect to the machines by IP. My resolv.conf is not updated with the nameservers even after running resolvconf -u manually.

Offline

#2 2019-04-15 08:01:51

dumbo
Member
Registered: 2019-04-15
Posts: 2

Re: DNS issues with openconnect

Also facing a somewhat similar issue.

sh-5.0$ curl google.com
curl: (6) Could not resolve host: google.com
sh-5.0$ dig +short google.com
172.217.0.46
sh-5.0$ ping google.com
ping: google.com: Name or service not known


NetworkManager version: 1.16.0-1

Last edited by dumbo (2019-04-15 08:02:33)

Offline

#3 2019-04-16 00:16:52

goro9922
Member
Registered: 2019-04-12
Posts: 36

Re: DNS issues with openconnect

Well this is interesting. I wasn't using NetworkManager, just openconnect. I don't recall if I was using it earlier, but I'm only using awesome wm.

If you're using NetworkManager, maybe you need to look at https://wiki.archlinux.org/index.php/NetworkManager. For example, to integrate with openconnect, you need to install another package called networkmanager-openconnect.

For now, my workaround is to manually edit /etc/hosts and set the static IP of the servers I want to connect to.

Offline

#4 2019-04-16 00:33:43

dumbo
Member
Registered: 2019-04-15
Posts: 2

Re: DNS issues with openconnect

goro9922 wrote:

Well this is interesting. I wasn't using NetworkManager, just openconnect. I don't recall if I was using it earlier, but I'm only using awesome wm.

If you're using NetworkManager, maybe you need to look at https://wiki.archlinux.org/index.php/NetworkManager. For example, to integrate with openconnect, you need to install another package called networkmanager-openconnect.

For now, my workaround is to manually edit /etc/hosts and set the static IP of the servers I want to connect to.

I have networkmanager-openconnect installed, but I am using a sh script and supplying args via the command line to connect via openconnect.

Yes, I am doing the same thing with the /etc/hosts file and end up adding an IP every 2-3 mins.

Were you able to find the exact problem, or a possible solution apart from maintaining your own hosts file?

Offline

#5 2019-04-17 16:31:20

goro9922
Member
Registered: 2019-04-12
Posts: 36

Re: DNS issues with openconnect

No, I haven't figured it out.
I did find that you can modify /etc/resolvconf.conf to add some nameservers, so that the next time you run openconnect it will append those nameservers to /etc/resolv.conf. See man resolvconf.conf.

However somehow DNS resolution still doesn't work for me.

Offline

#6 2019-04-18 08:00:38

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,342

Re: DNS issues with openconnect

goro9922, what are you using to manage your network connection?

Is systemd-resolved enabled?

Last edited by Lone_Wolf (2019-04-18 08:01:17)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#7 2019-04-20 05:10:25

goro9922
Member
Registered: 2019-04-12
Posts: 36

Re: DNS issues with openconnect

I think I'm using networkctl for network management.
I checked systemd-resolved, and it is enabled. Below is some output.

systemctl status systemd-resolved 
● systemd-resolved.service - Network Name Resolution
   Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; v>
   Active: active (running) since Fri 2019-04-19 21:57:49 PDT; 31s ago
     Docs: man:systemd-resolved.service(8)
           https://www.freedesktop.org/wiki/Software/systemd/resolved
           https://www.freedesktop.org/wiki/Software/systemd/writing-network-co>
           https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-c>
 Main PID: 723 (systemd-resolve)
   Status: "Processing requests..."
    Tasks: 1 (limit: 4915)
   Memory: 6.9M
   CGroup: /system.slice/systemd-resolved.service
           └─723 /usr/lib/systemd/systemd-resolved

Apr 19 21:57:48 zaxman systemd[1]: Starting Network Name Resolution...
Apr 19 21:57:49 zaxman systemd-resolved[723]: Positive Trust Anchors:
Apr 19 21:57:49 zaxman systemd-resolved[723]: . IN DS 19036 8 2 49aac11d7b6f644>
Apr 19 21:57:49 zaxman systemd-resolved[723]: . IN DS 20326 8 2 e06d44b80b8f1d3>
Apr 19 21:57:49 zaxman systemd-resolved[723]: Negative trust anchors: 10.in-add>
Apr 19 21:57:49 zaxman systemd-resolved[723]: Using system hostname 'zaxman'.
Apr 19 21:57:49 zaxman systemd[1]: Started Network Name Resolution.

I did discover that after connecting to my VPN and running systemd-resolved again, I am seeing some errors. The errors don't go away after disconnecting from VPN.

[root@zaxman taro]# systemctl status systemd-resolved 
● systemd-resolved.service - Network Name Resolution
   Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; v>
   Active: active (running) since Fri 2019-04-19 21:57:49 PDT; 1min 29s ago
     Docs: man:systemd-resolved.service(8)
           https://www.freedesktop.org/wiki/Software/systemd/resolved
           https://www.freedesktop.org/wiki/Software/systemd/writing-network-co>
           https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-c>
 Main PID: 723 (systemd-resolve)
   Status: "Processing requests..."
    Tasks: 1 (limit: 4915)
   Memory: 7.8M
   CGroup: /system.slice/systemd-resolved.service
           └─723 /usr/lib/systemd/systemd-resolved

Apr 19 21:59:06 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:06 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:06 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:06 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:06 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:13 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:13 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:13 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:13 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>
Apr 19 21:59:13 zaxman systemd-resolved[723]: DNSSEC validation failed for ques>

I've just run pacman -Syu, so I have the latest package updates, and I'm using the latest kernel.

[root@zaxman taro]# uname -a
Linux zaxman 5.0.7-arch1-1-ARCH #1 SMP PREEMPT Mon Apr 8 10:37:08 UTC 2019 x86_64 GNU/Linux

Someone seems to have encountered a similar issue with the keyword "DNSSEC validation failed for ques", as seen at https://bbs.archlinux.org/viewtopic.php?id=240427. I'm starting to read it. Amazing to see that it's quite an old post.

Last edited by goro9922 (2019-04-20 05:14:31)

Offline

#8 2019-04-20 05:31:28

goro9922
Member
Registered: 2019-04-12
Posts: 36

Re: DNS issues with openconnect

A follow-up on my last post.

I've just got DNS working over VPN again. I just set DNSSEC=no in /etc/systemd/resolved.conf and ran systemctl restart systemd-resolved before connecting to VPN again. I did not have to add any nameservers to /etc/resolvconf.conf.

Perhaps this thread can be closed as resolved.

Offline

#9 2019-04-20 11:00:54

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,342

Re: DNS issues with openconnect

I think I'm using networkctl for network management.

man networkctl will show you it's a tool to query systemd-networkd.

https://wiki.archlinux.org/index.php/Ne … k_managers shows systemd-networkd is a network manager.
It also shows systemd-networkd uses systemd-resolved.

Conclusion: your network manager is systemd-networkd.


Nice to see you found a relevant thread about the issue, though you didn't get the best solution out of it.
The thread can be summarized like this:
systemd-resolved has trouble using DNSSEC if configured DNS servers don't support it.
Disabling DNSSEC is a workaround, switching to DNSSEC-supporting DNS servers is the solution.

I suggest you read https://wiki.archlinux.org/index.php/DNSSEC thoroughly.


Offline
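
The summary in post #9 turns on whether the configured DNS servers support DNSSEC. As an added example (not part of the thread), the shell function below classifies what a server returns for a `dig +dnssec` query; the function names are hypothetical and the sample dig output is constructed, using documentation names and addresses.

```shell
#!/bin/sh
# Added example: classify DNSSEC behaviour of a DNS server from `dig +dnssec` output.

# Reads dig output on stdin and prints:
#   validating - header carries the "ad" flag (server validated the answer)
#   signed     - RRSIG records present, no "ad" flag (signatures passed through)
#   unsigned   - no RRSIG and no "ad" flag (no DNSSEC data came back)
classify_dnssec() {
    awk '
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # keep only what follows the label
            sub(/;.*/, "", line)          # drop the QUERY/ANSWER counters
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        !/^;/ && $4 == "RRSIG" { rrsig = 1 }   # resource record lines only
        END {
            if (ad) print "validating"
            else if (rrsig) print "signed"
            else print "unsigned"
        }'
}

# Live check (needs network): check_server <server-ip> <signed-domain>
check_server() {
    dig +dnssec "@$1" "$2" A | classify_dnssec
}

# Constructed dig output; example.org and 192.0.2.x are documentation values.
sample_validating() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.org.  300 IN A     192.0.2.10
example.org.  300 IN RRSIG A 13 2 300 20190501000000 20190410000000 12345 example.org. c2FtcGxl
EOF
}

sample_unsigned() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.org.  300 IN A     192.0.2.10
EOF
}

for s in sample_validating sample_unsigned; do
    printf '%s: %s\n' "$s" "$("$s" | classify_dnssec)"
done
```

Run `check_server` against each nameserver in use while the VPN is connected, querying a zone known to be signed; an `unsigned` result for such a zone points at a server that is not returning DNSSEC data.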
