Trying to figure out what I did wrong here. On a machine where I'm using systemd-resolved, most domains resolve just fine, but I am unable to resolve some subdomains such as www.netflix.com, even while netflix.com does resolve. The dig result says status: SERVFAIL, id: 12465 but my Google-fu fails to demystify that error.
$ dig +short @127.0.0.53 netflix.com
52.41.193.16
...
$ dig @127.0.0.53 www.netflix.com
; <<>> DiG 9.14.8 <<>> @127.0.0.53 www.netflix.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12465
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.netflix.com. IN A
;; Query time: 134 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jan 06 12:49:06 PST 2020
;; MSG SIZE rcvd: 44
Here is my resolved.conf:
[Resolve]
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Relevant output from resolvectl:
Link 2 (enp7s0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: opportunistic
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 8.8.8.8
DNS Servers: 1.1.1.1
8.8.8.8
DNS Domain: <redacted>
Last edited by brianbaligad (2020-01-06 21:27:55)
Whoops, I should have read systemd-resolved logs. This seems useful:
systemd-resolved[559]: DNSSEC validation failed for question geo.netflix.com IN SOA: failed-auxiliary
As an interim workaround, I have set DNSSEC=no in my /etc/systemd/resolved.conf.
Last edited by brianbaligad (2020-01-06 21:28:31)
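The log line quoted in the second post names geo.netflix.com, not the www.netflix.com that was queried, so when a lookup returns SERVFAIL it helps to search the systemd-resolved log for validation failures anywhere under the parent domain. The following is an added example, not part of the original posts: it parses lines in the format quoted above and lists failures at or below a given domain. The function names and the timestamp/host prefix in the sample lines are assumptions.

```python
import re
from collections import Counter

# Message format taken from the log line quoted in the post. The syslog
# prefix before "systemd-resolved[pid]:" varies, so the match is unanchored.
FAILURE_RE = re.compile(
    r"systemd-resolved\[\d+\]: DNSSEC validation failed for question "
    r"(?P<name>\S+) (?P<rclass>\S+) (?P<rtype>\S+): (?P<result>\S+)\s*$"
)

def parse_failures(lines):
    """Count (name, rtype, result) for every DNSSEC failure line."""
    counts = Counter()
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            # Normalise so "Geo.Netflix.com." and "geo.netflix.com" merge.
            name = m["name"].rstrip(".").lower()
            counts[(name, m["rtype"], m["result"])] += 1
    return counts

def failures_under(counts, domain):
    """Failures whose question name is `domain` or a name below it.

    Matching is on label boundaries, so "flix.com" does not match
    "geo.netflix.com".
    """
    domain = domain.rstrip(".").lower()
    return {key: n for key, n in counts.items()
            if key[0] == domain or key[0].endswith("." + domain)}

# Constructed sample input. The message text of the first two lines is the
# one quoted in the post; timestamps, host name and the other lines are
# made up for the example.
SAMPLE = [
    "Jan 06 12:49:06 host systemd-resolved[559]: DNSSEC validation failed "
    "for question geo.netflix.com IN SOA: failed-auxiliary",
    "Jan 06 12:49:09 host systemd-resolved[559]: DNSSEC validation failed "
    "for question Geo.Netflix.com. IN SOA: failed-auxiliary",
    "Jan 06 12:50:00 host systemd-resolved[559]: DNSSEC validation failed "
    "for question sub.example.org IN DS: failed-auxiliary",
    "Jan 06 12:50:01 host systemd-resolved[559]: unrelated message",
]

if __name__ == "__main__":
    for (name, rtype, result), n in failures_under(
            parse_failures(SAMPLE), "netflix.com").items():
        print(f"{n}x {name} {rtype}: {result}")
```

On a live system the input lines can be read from `journalctl -u systemd-resolved`.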