
#1 2021-10-25 13:04:15

Morta
Member
Registered: 2019-07-07
Posts: 660

[SOLVED]Three systemd services on port 53

Hi folks

sudo lsof -i TCP:53
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd      1            root   55u  IPv4  17611      0t0  TCP lapt0p.localdomain:domain (LISTEN)
systemd      1            root   57u  IPv6  11788      0t0  TCP lapt0p.localdomain:domain (LISTEN)
systemd-r 3552 systemd-resolve   19u  IPv4  39425      0t0  TCP localhost:domain (LISTEN)
sudo ss -lntp | grep 53

LISTEN 0      4096        127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=3552,fd=19))
LISTEN 0      4096            127.0.0.1:53        0.0.0.0:*    users:(("systemd",pid=1,fd=55))           
LISTEN 0      4096              0.0.0.0:5355      0.0.0.0:*    users:(("systemd-resolve",pid=3552,fd=12))
LISTEN 0      4096                [::1]:53           [::]:*    users:(("systemd",pid=1,fd=57))           
LISTEN 0      4096                 [::]:5355         [::]:*    users:(("systemd-resolve",pid=3552,fd=14))
[morta@lapt0p ~]$ sudo tcpdump -i any port 53
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
15:14:28.499307 enp58s0u1u3c2 Out IP lapt0p.33445 > ns10.init7.net.domain: 21848+ [1au] AAAA? profile.accounts.firefox.com. (57)
15:14:28.499456 enp58s0u1u3c2 Out IP lapt0p.39125 > ns10.init7.net.domain: 41840+ [1au] A? profile.accounts.firefox.com. (57)
15:14:28.499548 enp58s0u1u3c2 Out IP lapt0p.58008 > 192.168.1.1.domain: Flags [S], seq 1219661168, win 64240, options [mss 1460,sackOK,TS val 655995857 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
15:14:28.502451 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.33445: 21848 0/1/1 (138)
15:14:28.502508 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.39125: 41840 6/0/1 A 54.186.174.209, A 52.88.167.252, A 35.165.130.171, A 34.223.188.207, A 34.210.55.11, A 52.33.111.89 (153)
15:14:28.502547 enp58s0u1u3c2 Out IP lapt0p.57302 > ns10.init7.net.domain: 57129+ [1au] AAAA? sync.joelmueller.ch. (48)
15:14:28.502673 enp58s0u1u3c2 Out IP lapt0p.36150 > ns10.init7.net.domain: 19618+ [1au] A? sync.joelmueller.ch. (48)
15:14:28.513989 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.36150: 19618 0/1/1 (110)
15:14:28.518492 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.57302: 57129 1/0/1 AAAA 2a02:168:a774:0:deca:fbad:c0:ffee (76)
15:14:28.531417 enp58s0u1u3c2 Out IP lapt0p.36248 > ns10.init7.net.domain: 6625+ [1au] AAAA? r3.o.lencr.org. (43)
15:14:28.531472 enp58s0u1u3c2 Out IP lapt0p.54606 > ns10.init7.net.domain: 31682+ [1au] A? r3.o.lencr.org. (43)
15:14:28.534483 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.54606: 31682 4/0/1 CNAME o.lencr.edgesuite.net., CNAME a1887.dscq.akamai.net., A 77.109.138.73, A 77.109.138.74 (142)
15:14:28.534516 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.36248: 6625 4/0/1 CNAME o.lencr.edgesuite.net., CNAME a1887.dscq.akamai.net., AAAA 2001:1620:2064::4d6d:8a49, AAAA 2001:1620:2064::4d6d:8a4a (166)
15:14:28.599313 enp58s0u1u3c2 Out IP lapt0p.32957 > ns10.init7.net.domain: 10662+ [1au] PTR? 2.128.109.77.in-addr.arpa. (54)
15:14:28.602144 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.32957: 10662 1/0/1 PTR ns10.init7.net. (82)
15:14:28.832584 enp58s0u1u3c2 Out IP lapt0p.58361 > ns10.init7.net.domain: 20628+ [1au] AAAA? api.accounts.firefox.com. (53)
15:14:28.832662 enp58s0u1u3c2 Out IP lapt0p.57700 > ns10.init7.net.domain: 57742+ [1au] A? api.accounts.firefox.com. (53)
15:14:28.835596 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.58361: 20628 0/1/1 (134)
15:14:28.835652 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.57700: 57742 6/0/1 A 54.203.29.75, A 34.209.164.143, A 52.41.49.213, A 52.40.29.150, A 52.36.126.233, A 44.228.195.44 (149)
15:14:29.502045 enp58s0u1u3c2 Out IP lapt0p.58008 > 192.168.1.1.domain: Flags [S], seq 1219661168, win 64240, options [mss 1460,sackOK,TS val 655996859 ecr 0,nop,wscale 7], length 0
15:14:31.662017 enp58s0u1u3c2 Out IP lapt0p.58008 > 192.168.1.1.domain: Flags [S], seq 1219661168, win 64240, options [mss 1460,sackOK,TS val 655999019 ecr 0,nop,wscale 7], length 0
15:14:35.718705 enp58s0u1u3c2 Out IP lapt0p.58008 > 192.168.1.1.domain: Flags [S], seq 1219661168, win 64240, options [mss 1460,sackOK,TS val 656003076 ecr 0,nop,wscale 7], length 0
15:14:37.749599 enp58s0u1u3c2 Out IP lapt0p.47799 > ns10.init7.net.domain: 56174+ [1au] AAAA? img-getpocket.cdn.mozilla.net. (58)
15:14:37.749701 enp58s0u1u3c2 Out IP lapt0p.55101 > ns10.init7.net.domain: 39632+ [1au] A? img-getpocket.cdn.mozilla.net. (58)
15:14:37.752981 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.47799: 56174 3/0/1 CNAME img-getpocket-cdn.prod.mozaws.net., CNAME img-prod.pocket.prod.cloudops.mozgcp.net., AAAA 2600:1901:0:e988:: (181)
15:14:37.753002 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.55101: 39632 3/0/1 CNAME img-getpocket-cdn.prod.mozaws.net., CNAME img-prod.pocket.prod.cloudops.mozgcp.net., A 34.120.237.76 (169)
15:14:38.555040 enp58s0u1u3c2 Out IP lapt0p.58010 > 192.168.1.1.domain: Flags [S], seq 1611535667, win 64240, options [mss 1460,sackOK,TS val 656005912 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0
15:16:37.127030 enp58s0u1u3c2 Out IP lapt0p.37938 > 192.168.1.1.domain: 3169+ A? play.google.com. (33)
15:16:37.127108 enp58s0u1u3c2 Out IP lapt0p.58841 > 192.168.1.1.domain: 57866+ AAAA? play.google.com. (33)
15:16:44.136343 enp58s0u1u3c2 Out IP lapt0p.34142 > 192.168.1.1.domain: 63100+ A? contile.services.mozilla.com. (46)
15:16:44.136456 enp58s0u1u3c2 Out IP lapt0p.52974 > ns10.init7.net.domain: 27174+ [1au] A? contile.services.mozilla.com. (57)
15:16:44.139736 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.52974: 27174 1/0/1 A 34.117.237.239 (73)
15:16:49.580363 enp58s0u1u3c2 Out IP lapt0p.41319 > 192.168.1.1.domain: 21395+ AAAA? www.google.com. (32)
15:16:49.580470 enp58s0u1u3c2 Out IP lapt0p.52446 > 192.168.1.1.domain: 12859+ A? www.google.com. (32)
15:16:55.376470 enp58s0u1u3c2 Out IP lapt0p.58341 > 192.168.1.1.domain: 53776+ AAAA? safebrowsing.googleapis.com. (45)
15:16:55.376549 enp58s0u1u3c2 Out IP lapt0p.49887 > 192.168.1.1.domain: 8615+ A? safebrowsing.googleapis.com. (45)
15:16:55.376652 enp58s0u1u3c2 Out IP lapt0p.40222 > ns10.init7.net.domain: 41015+ [1au] AAAA? safebrowsing.googleapis.com. (56)
15:16:55.376742 enp58s0u1u3c2 Out IP lapt0p.32912 > ns10.init7.net.domain: 57091+ [1au] A? safebrowsing.googleapis.com. (56)
15:16:55.379773 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.32912: 57091 1/0/1 A 172.217.168.42 (72)
15:16:55.392342 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.40222: 41015 1/0/1 AAAA 2a00:1450:400a:808::200a (84)
15:17:37.634293 enp58s0u1u3c2 Out IP lapt0p.44451 > 192.168.1.1.domain: 10017+ AAAA? play.google.com. (33)
15:17:37.695829 enp58s0u1u3c2 Out IP lapt0p.52688 > 192.168.1.1.domain: 29780+ A? play.google.com. (33)
15:17:50.559940 enp58s0u1u3c2 Out IP lapt0p.33736 > 192.168.1.1.domain: 59872+ AAAA? www.google.com. (32)
15:17:50.622390 enp58s0u1u3c2 Out IP lapt0p.48070 > 192.168.1.1.domain: 15065+ A? www.google.com. (32)
15:17:52.509194 enp58s0u1u3c2 Out IP lapt0p.58146 > 192.168.1.1.domain: 29907+ A? example.org. (29)
15:17:52.509892 enp58s0u1u3c2 Out IP lapt0p.51435 > 192.168.1.1.domain: 49046+ AAAA? example.org. (29)
15:17:52.510066 enp58s0u1u3c2 Out IP lapt0p.56110 > 192.168.1.1.domain: 16011+ A? example.org. (29)
15:17:52.511221 enp58s0u1u3c2 Out IP lapt0p.37757 > 192.168.1.1.domain: 11491+ AAAA? ipv4only.arpa. (31)
15:17:52.511435 enp58s0u1u3c2 Out IP lapt0p.58612 > 192.168.1.1.domain: 61417+ A? ipv4only.arpa. (31)
15:17:52.512290 enp58s0u1u3c2 Out IP lapt0p.45129 > 192.168.1.1.domain: 17792+ A? example.org. (29)
15:17:52.513061 enp58s0u1u3c2 Out IP lapt0p.57250 > 192.168.1.1.domain: 34160+ A? detectportal.firefox.com. (42)
15:17:52.513241 enp58s0u1u3c2 Out IP lapt0p.41073 > ns10.init7.net.domain: 45407+ [1au] A? detectportal.firefox.com. (53)
15:17:52.513821 enp58s0u1u3c2 Out IP lapt0p.44211 > 192.168.1.1.domain: 2210+ AAAA? example.org. (29)
15:17:52.513990 enp58s0u1u3c2 Out IP lapt0p.59653 > 192.168.1.1.domain: 33069+ A? example.org. (29)
15:17:52.514726 enp58s0u1u3c2 Out IP lapt0p.45805 > 192.168.1.1.domain: 12973+ AAAA? ipv4only.arpa. (31)
15:17:52.514893 enp58s0u1u3c2 Out IP lapt0p.33257 > 192.168.1.1.domain: 57224+ A? ipv4only.arpa. (31)
15:17:52.515801 enp58s0u1u3c2 Out IP lapt0p.38678 > 192.168.1.1.domain: 55718+ AAAA? detectportal.firefox.com. (42)
15:17:52.515974 enp58s0u1u3c2 Out IP lapt0p.47330 > ns10.init7.net.domain: 31260+ [1au] AAAA? detectportal.firefox.com. (53)
15:17:52.516072 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.41073: 45407 3/0/1 CNAME detectportal.prod.mozaws.net., CNAME prod.detectportal.prod.cloudops.mozgcp.net., A 34.107.221.82 (164)
15:17:52.519109 enp58s0u1u3c2 In  IP ns10.init7.net.domain > lapt0p.47330: 31260 3/0/1 CNAME detectportal.prod.mozaws.net., CNAME prod.detectportal.prod.cloudops.mozgcp.net., AAAA 2600:1901:0:38d7:: (176)
15:17:52.521276 enp58s0u1u3c2 Out IP lapt0p.58929 > 192.168.1.1.domain: 27608+ A? detectportal.firefox.com. (42)
15:17:52.521690 enp58s0u1u3c2 Out IP lapt0p.47298 > 192.168.1.1.domain: 21215+ A? prod.detectportal.prod.cloudops.mozgcp.net. (60)
15:17:52.552239 enp58s0u1u3c2 Out IP lapt0p.42048 > 192.168.1.1.domain: 15694+ AAAA? ipv4only.arpa. (31)
15:17:52.552387 enp58s0u1u3c2 Out IP lapt0p.48854 > 192.168.1.1.domain: 63469+ A? ipv4only.arpa. (31)
15:17:52.553144 enp58s0u1u3c2 Out IP lapt0p.49483 > 192.168.1.1.domain: 1115+ AAAA? detectportal.firefox.com. (42)
15:17:52.553290 enp58s0u1u3c2 Out IP lapt0p.56283 > 192.168.1.1.domain: 16882+ A? detectportal.firefox.com. (42)
15:17:52.553787 enp58s0u1u3c2 Out IP lapt0p.37206 > 192.168.1.1.domain: 21212+ AAAA? prod.detectportal.prod.cloudops.mozgcp.net. (60)
15:17:52.553944 enp58s0u1u3c2 Out IP lapt0p.59421 > 192.168.1.1.domain: 41152+ A? prod.detectportal.prod.cloudops.mozgcp.net. (60)
15:17:53.548764 enp58s0u1u3c2 Out IP lapt0p.37263 > 192.168.1.1.domain: 37727+ AAAA? ipv4only.arpa. (31)
15:17:53.548911 enp58s0u1u3c2 Out IP lapt0p.46889 > 192.168.1.1.domain: 63646+ A? ipv4only.arpa. (31)
15:17:53.550486 enp58s0u1u3c2 Out IP lapt0p.56703 > 192.168.1.1.domain: 11392+ AAAA? ipv4only.arpa. (31)
15:17:53.550690 enp58s0u1u3c2 Out IP lapt0p.45696 > 192.168.1.1.domain: 37416+ A? ipv4only.arpa. (31)
15:17:53.552037 enp58s0u1u3c2 Out IP lapt0p.40247 > 192.168.1.1.domain: 6875+ AAAA? ipv4only.arpa. (31)
15:17:53.552164 enp58s0u1u3c2 Out IP lapt0p.56867 > 192.168.1.1.domain: 64556+ A? ipv4only.arpa. (31)
15:17:53.567586 enp58s0u1u3c2 Out IP lapt0p.38360 > 192.168.1.1.domain: 35103+ A? example.org. (29)
15:17:53.568197 enp58s0u1u3c2 Out IP lapt0p.60389 > 192.168.1.1.domain: 34255+ AAAA? example.org. (29)
15:17:53.568352 enp58s0u1u3c2 Out IP lapt0p.58542 > 192.168.1.1.domain: 64234+ A? example.org. (29)
15:17:53.569100 enp58s0u1u3c2 Out IP lapt0p.36791 > 192.168.1.1.domain: 41537+ AAAA? ipv4only.arpa. (31)
15:17:53.569235 enp58s0u1u3c2 Out IP lapt0p.34787 > 192.168.1.1.domain: 44046+ A? ipv4only.arpa. (31)
15:17:53.570582 enp58s0u1u3c2 Out IP lapt0p.45992 > 192.168.1.1.domain: 32304+ AAAA? ipv4only.arpa. (31)
15:17:53.570689 enp58s0u1u3c2 Out IP lapt0p.57162 > 192.168.1.1.domain: 53444+ A? ipv4only.arpa. (31)
^C
81 packets captured
126 packets received by filter
45 packets dropped by kernel

There are a lot of packets dropped.


 sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N other_packets
-N reject_packets
-N service_sec
-N services
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j other_packets
-A INPUT -j services
-A INPUT -m limit --limit 10/sec -j reject_packets
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
-A other_packets -m state --state INVALID -j DROP
-A other_packets -p icmp -m limit --limit 1/sec -j ACCEPT
-A other_packets -j RETURN
-A reject_packets -p tcp -j REJECT --reject-with tcp-reset
-A reject_packets -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject_packets -j REJECT --reject-with icmp-proto-unreachable
-A reject_packets -j RETURN
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/sec -j ACCEPT
-A service_sec -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 1/hour -j ACCEPT
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 1/hour -j ACCEPT
-A service_sec -j RETURNsec
-A services -p tcp -m tcp --dport 53 -j service_sec
-A services -p tcp -m tcp --dport 53 -j ACCEPT
...
-A services -p udp -m udp --dport 53 -j service_sec
-A services -p udp -m udp --dport 53 -j ACCEPT
...

Is something wrong with my iptables?

I can stop resolved but then I have no internet, but what are the other two?

I can't start dnscrypt-proxy because of these two processes.

Last edited by Morta (2021-10-28 14:26:37)


#2 2021-10-25 13:48:08

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

I found out that when I start

sudo systemctl enable --now dnscrypt-proxy.socket

Then systemd uses port 53 when it boots up and I can't start dnscrypt-proxy.service

but when I do

sudo systemctl enable --now dnscrypt-proxy.service

and then

sudo systemctl enable --now dnscrypt-proxy.socket

I get this error...

Okt 25 15:43:40 lapt0p systemd[1]: dnscrypt-proxy.socket: Socket service dnscrypt-proxy.service already active, refusing.
Okt 25 15:43:40 lapt0p systemd[1]: Failed to listen on DNSCrypt-proxy socket.

Weird...

#3 2021-10-25 13:49:29

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

I have internet but no DNS when I deactivated systemd-resolved.

I can ping 8.8.8.8 but can't browse with Firefox or ping google.ch either.

#4 2021-10-25 14:10:51

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,935

Re: [SOLVED]Three systemd services on port 53

Did you read the configuration section? https://wiki.archlinux.org/title/Dnscry … figuration You are not supposed to enable both at the same time. The point of systemd socket listeners is that it can invoke the relevant service when requests to that address are made, so it's likely you are seeing the effect of having enabled the dnscrypt-proxy.socket .

Last edited by V1del (2021-10-25 14:15:26)
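
An added example, not part of any post in this thread: a Python sketch that parses the `ss -lntp` output from the first post, matches port 53 exactly (the `grep 53` there also matched the 5355 listeners), and separates listeners held by PID 1, which is how an enabled socket unit such as dnscrypt-proxy.socket shows up, from those held by a daemon. The function names are hypothetical; the sample lines are copied from the post.

```python
import re

# Sample input: the `ss -lntp | grep 53` lines from the first post in this thread.
SS_SAMPLE = """\
LISTEN 0      4096        127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=3552,fd=19))
LISTEN 0      4096            127.0.0.1:53        0.0.0.0:*    users:(("systemd",pid=1,fd=55))
LISTEN 0      4096              0.0.0.0:5355      0.0.0.0:*    users:(("systemd-resolve",pid=3552,fd=12))
LISTEN 0      4096                [::1]:53           [::]:*    users:(("systemd",pid=1,fd=57))
LISTEN 0      4096                 [::]:5355         [::]:*    users:(("systemd-resolve",pid=3552,fd=14))
"""

# One ("name",pid=N,fd=N) tuple inside the users:(...) column.
USER_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')


def parse_listeners(ss_output):
    """Turn `ss -lntp` lines into dicts: addr, port, process, pid, fd."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so that
        # bracketed IPv6 addresses such as [::1]:53 keep their colons.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        owners = list(USER_RE.finditer(line))
        if not owners:
            # ss run without root prints no users:(...) column.
            listeners.append({"addr": addr, "port": int(port),
                              "process": None, "pid": None, "fd": None})
        for m in owners:
            listeners.append({"addr": addr, "port": int(port),
                              "process": m["name"], "pid": int(m["pid"]),
                              "fd": int(m["fd"])})
    return listeners


def held_by_systemd(listeners, port):
    """Listeners on exactly `port` owned by PID 1, i.e. held by a .socket unit."""
    return [l for l in listeners if l["port"] == port and l["pid"] == 1]


def held_by_daemons(listeners, port):
    """Listeners on exactly `port` owned by an ordinary process."""
    return [l for l in listeners
            if l["port"] == port and l["pid"] not in (None, 1)]


if __name__ == "__main__":
    parsed = parse_listeners(SS_SAMPLE)
    for l in held_by_systemd(parsed, 53):
        print(f"socket unit holds {l['addr']}:53 (PID 1, fd {l['fd']})")
    for l in held_by_daemons(parsed, 53):
        print(f"{l['process']} (pid {l['pid']}) listens on {l['addr']}:53")
```

`systemctl list-sockets` then names the .socket unit behind each address that PID 1 is holding.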


#5 2021-10-25 14:25:30

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

V1del wrote:

Did you read the configuration section? https://wiki.archlinux.org/title/Dnscry … figuration You are not supposed to enable both at the same time. The point of systemd socket listeners is that it can invoke the relevant service when requests to that address are made, so it's likely you are seeing the effect of having enabled the dnscrypt-proxy.socket .

Yes, I read it, but why do I have no DNS when I start dnscrypt and stop resolved?

I can't find the reason, so I searched for a reason, but I can't find anything.

On the server it is running properly.

Any thoughts?


#6 2021-10-25 14:56:27

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

Yes, I read it, but why do I have no DNS when I start dnscrypt and stop resolved?

Because systemd-resolved is your resolver?
The note in https://wiki.archlinux.org/title/Dnscry … to_port_53 claims that resolved should not be an interference, but if you don't want to use it, you'll have to provide proper resolution elsewise and wrt systemd-resolved that ESPECIALLY means to take control over /etc/resolve.conf


#7 2021-10-25 16:01:07

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

seth wrote:

Yes, I read it, but why do I have no DNS when I start dnscrypt and stop resolved?

Because systemd-resolved is your resolver?
The note in https://wiki.archlinux.org/title/Dnscry … to_port_53 claims that resolved should not be an interference, but if you don't want to use it, you'll have to provide proper resolution elsewise and wrt systemd-resolved that ESPECIALLY means to take control over /etc/resolve.conf


I had disabled systemd-resolved, done chattr +i /etc/resolve.conf, restarted, and configured NetworkManager with dns=none in the [main] section, but no effect.

So am I dumb, or what am I doing wrong?

#8 2021-10-25 16:02:55

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

stat /etc/resolv.conf
cat /etc/resolv.conf


#9 2021-10-25 16:06:08

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

stat /etc/resolv.conf
Datei: /etc/resolv.conf
 Größe: 151       	Blöcke: 8          EA Block: 4096   reguläre Datei
Device: 254,2	Inode: 5243965     Links: 1
Zugriff: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff: 2021-10-25 14:32:33.632527366 +0200
Modifiziert: 2021-10-25 14:31:32.361983313 +0200
Geändert: 2021-10-25 14:31:38.742044701 +0200
Geburt: 2021-10-25 14:31:32.361983313 +0200
cat /etc/resolv.conf
# Created for dnscrypt-proxy
# This is a content of /etc/resolv.conf.override
nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen

Last edited by Morta (2021-10-25 16:06:22)


#10 2021-10-25 16:28:50

Koatao
Member
Registered: 2018-08-30
Posts: 98

Re: [SOLVED]Three systemd services on port 53

Try:

$ dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve archlinux.org
$ drill archlinux.org

And maybe the dnscrypt-proxy.toml configuration file would be useful to us.

Btw, be aware that using only dnscrypt-proxy, you won't be able to authenticate through a captive portal easily (talking from experience here). It is usually required to use a captive portal on public networks (guest WiFi in airports, train stations, universities and so on)... Nowadays, you may want to be able to connect to those networks with your laptop.

Last edited by Koatao (2021-10-25 16:31:16)


#11 2021-10-25 16:50:24

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

When dnscrypt-proxy.service is running, does it listen on 127.0.0.1:53 ?


#12 2021-10-25 17:51:51

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

Koatao wrote:

Try:

$ dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve archlinux.org
$ drill archlinux.org

And maybe the dnscrypt-proxy.toml configuration file would be useful to us.

Btw, be aware that using only dnscrypt-proxy, you won't be able to authenticate through a captive portal easily (talking from experience here). It is usually required to use a captive portal on public networks (guest WiFi in airports, train stations, universities and so on)... Nowadays, you may want to be able to connect to those networks with your laptop.

OK, I will try it tomorrow. Now I'm lazy.

Last edited by Morta (2021-10-25 17:52:30)


#13 2021-10-25 17:53:03

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

seth wrote:

When dnscrypt-proxy.service is running, does it listen on 127.0.0.1:53 ?

Yes, it listens on port 53.

#14 2021-10-26 05:21:09

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

Koatao wrote:

Try:

$ dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve archlinux.org
$ drill archlinux.org

And maybe the dnscrypt-proxy.toml configuration file would be useful to us.

Btw, be aware that using only dnscrypt-proxy, you won't be able to authenticate through a captive portal easily (talking from experience here). It is usually required to use a captive portal on public networks (guest WiFi in airports, train stations, universities and so on)... Nowadays, you may want to be able to connect to those networks with your laptop.

[morta@lapt0p ~]$ dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve archlinux.org
Resolving [archlinux.org] using [::1] port 53

Resolver      : 74.80.88.244

Canonical name: archlinux.org.

IPv4 addresses: 95.217.163.246
IPv6 addresses: 2a01:4f9:c010:6b1f::1

Name servers  : hydrogen.ns.hetzner.com., oxygen.ns.hetzner.com., helium.ns.hetzner.de.
DNSSEC signed : no
Mail servers  : 1 mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : v=spf1 ip4:95.216.189.61 ip6:2a01:4f9:c010:3052::1 ~all

[morta@lapt0p ~]$ drill archlinux.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12031
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; archlinux.org.	IN	A

;; ANSWER SECTION:
archlinux.org.	20810	IN	A	95.217.163.246

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 11 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 127.0.0.1
;; WHEN: Tue Oct 26 07:18:51 2021
;; MSG SIZE  rcvd: 58
[morta@lapt0p ~]$ ping archlinux.org
ping: archlinux.org: Der Name oder der Dienst ist nicht bekannt

DNScrypt-proxy is working but there is no system-wide DNS. I don't know why.

I don't often use my laptop outside, at airports or on open-access WLANs.

Last edited by Morta (2021-10-26 05:22:31)


#15 2021-10-26 06:36:38

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

drill uses /etc/resolv.conf directly, ping uses libresolve which will lookup your /etc/nsswitch.conf
Post that file. Do you also (try to) use dnsmasq?
Also briefly drop the iptables to see whether some rule there is responsible (so we know whether we want to look deeper into that)


#16 2021-10-26 10:23:45

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

seth wrote:

drill uses /etc/resolv.conf directly, ping uses libresolve which will lookup your /etc/nsswitch.conf
Post that file. Do you also (try to) use dnsmasq?
Also briefly drop the iptables to see whether some rule there is responsible (so we know whether we want to look deeper into that)


I have already dropped the iptables with sudo systemctl stop iptables, sudo systemctl stop ip6tables, iptables -F and ip6tables -F. No effect.

And why doesn't Firefox work? Does it also look in nsswitch.conf?

And how can I make dnscrypt have a system-wide effect?

#17 2021-10-26 11:06:41

Koatao
Member
Registered: 2018-08-30
Posts: 98

Re: [SOLVED]Three systemd services on port 53

Morta wrote:

And why doesn't Firefox work? Does it also look in nsswitch.conf?

And how can I make dnscrypt have a system-wide effect?

Everything is explained in the wiki:
https://wiki.archlinux.org/title/Domain_name_resolution

You don't directly make dnscrypt-proxy the system-wide resolver, you modify /etc/nsswitch.conf so that /etc/resolv.conf is used to determine the DNS server(s) to reach at some point in the resolution.

seth wrote:

drill uses /etc/resolv.conf directly, ping uses libresolve which will lookup your /etc/nsswitch.conf
Post that file.

Last edited by Koatao (2021-10-26 11:09:10)


#18 2021-10-26 12:20:36

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

Koatao wrote:
Morta wrote:

And why doesn't Firefox work? Does it also look in nsswitch.conf?

And how can I make dnscrypt have a system-wide effect?

Everything is explained in the wiki:
https://wiki.archlinux.org/title/Domain_name_resolution

You don't directly make dnscrypt-proxy the system-wide resolver, you modify /etc/nsswitch.conf so that /etc/resolv.conf is used to determine the DNS server(s) to reach at some point in the resolution.

seth wrote:

drill uses /etc/resolv.conf directly, ping uses libresolve which will lookup your /etc/nsswitch.conf
Post that file.

cat /etc/nsswitch.conf
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files systemd
group: files [SUCCESS=merge] systemd
shadow: files

publickey: files

hosts: files resolver mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

# Use /etc/resolv.conf first, then fall back to systemd-resolved
hosts: files dns resolve myhostname
# Use systemd-resolved first, then fall back to /etc/resolv.conf
hosts: files resolve dns myhostname
# Don't use /etc/resolv.conf at all
hosts: files resolve myhostname


#19 2021-10-26 12:53:53

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

hosts: files resolver mymachines myhostname resolve [!UNAVAIL=return] dns

What is the "resolver"?

ls /usr/lib/libnss_*
pacman -Qo /usr/lib/libnss_resolver.so


#20 2021-10-26 14:15:50

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

seth wrote:

hosts: files resolver mymachines myhostname resolve [!UNAVAIL=return] dns

What is the "resolver"?

ls /usr/lib/libnss_*
pacman -Qo /usr/lib/libnss_resolver.so
ls /usr/lib/libnss_*
/usr/lib/libnss_compat-2.33.so	/usr/lib/libnss_db.so.2        /usr/lib/libnss_files.so        /usr/lib/libnss_libvirt_guest.so.2  /usr/lib/libnss_mdns6.so.2	      /usr/lib/libnss_resolver.so.2  /usr/lib/libnss_wins.so
/usr/lib/libnss_compat.so	/usr/lib/libnss_dns-2.33.so    /usr/lib/libnss_files.so.2      /usr/lib/libnss_libvirt.so.2	   /usr/lib/libnss_mdns_minimal.so.2  /usr/lib/libnss_resolve.so.2   /usr/lib/libnss_wins.so.2
/usr/lib/libnss_compat.so.2	/usr/lib/libnss_dns.so	       /usr/lib/libnss_hesiod-2.33.so  /usr/lib/libnss_mdns4_minimal.so.2  /usr/lib/libnss_mdns.so.2	      /usr/lib/libnss_systemd.so.2
/usr/lib/libnss_db-2.33.so	/usr/lib/libnss_dns.so.2       /usr/lib/libnss_hesiod.so       /usr/lib/libnss_mdns4.so.2	   /usr/lib/libnss_myhostname.so.2    /usr/lib/libnss_winbind.so
/usr/lib/libnss_db.so		/usr/lib/libnss_files-2.33.so  /usr/lib/libnss_hesiod.so.2     /usr/lib/libnss_mdns6_minimal.so.2  /usr/lib/libnss_mymachines.so.2    /usr/lib/libnss_winbind.so.2
pacman -Qo /usr/lib/libnss_resolver.so
Fehler: Kein Paket besitzt /usr/lib/libnss_resolver.so

Fehler: Kein Paket besitzt -> Error: No package owns

Last edited by Morta (2021-10-26 14:16:52)


#21 2021-10-26 14:18:18

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

So what is it and why is it there?

Btw, exporting or setting "LC_ALL=C" will provide English outputs.


#22 2021-10-26 15:25:21

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

seth wrote:

So what is it and why is it there?

Btw, exporting or setting "LC_ALL=C" will provide English outputs.


To be honest, I have no clue. I didn't change anything. On the server there are these, and there it is running.

[morta@5erver multi-user.target.wants]$ ls /usr/lib/libnss_*
/usr/lib/libnss_compat-2.33.so  /usr/lib/libnss_db-2.33.so  /usr/lib/libnss_dns-2.33.so  /usr/lib/libnss_files-2.33.so  /usr/lib/libnss_hesiod-2.33.so  /usr/lib/libnss_myhostname.so.2  /usr/lib/libnss_systemd.so.2
/usr/lib/libnss_compat.so       /usr/lib/libnss_db.so       /usr/lib/libnss_dns.so       /usr/lib/libnss_files.so       /usr/lib/libnss_hesiod.so       /usr/lib/libnss_mymachines.so.2
/usr/lib/libnss_compat.so.2     /usr/lib/libnss_db.so.2     /usr/lib/libnss_dns.so.2     /usr/lib/libnss_files.so.2     /usr/lib/libnss_hesiod.so.2     /usr/lib/libnss_resolve.so.2

What do I have to change on the laptop?

Last edited by Morta (2021-10-26 15:26:00)


#23 2021-10-26 15:32:34

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED]Three systemd services on port 53

I'd start by removing that out of the nss host resolution.
Looks like it's https://github.com/azukiapp/libnss-resolver
https://aur.archlinux.org/packages/libnss-resolver/ (but it's not an AUR package) used by https://aur.archlinux.org/packages/azk/
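
An added example, not part of any post in this thread: a Python sketch of the comparison that exposed the stray `resolver` entry. It reads every `hosts:` line of the laptop's nsswitch.conf (the path ping takes, while drill reads /etc/resolv.conf directly) and reports modules that have no library locally or that a known-good machine, here the server, does not ship. The function names are hypothetical; the samples are condensed from posts #18, #20 and #22.

```python
import re

# Sample input: hosts-related part of the laptop's /etc/nsswitch.conf (post #18).
LAPTOP_NSSWITCH = """\
passwd: files systemd
hosts: files resolver mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files
# Use /etc/resolv.conf first, then fall back to systemd-resolved
hosts: files dns resolve myhostname
# Use systemd-resolved first, then fall back to /etc/resolv.conf
hosts: files resolve dns myhostname
# Don't use /etc/resolv.conf at all
hosts: files resolve myhostname
"""

# Condensed from the `ls /usr/lib/libnss_*` output in posts #20 (laptop)
# and #22 (server); only the .so.2 names are kept.
LAPTOP_LIBS = """
libnss_compat.so.2 libnss_db.so.2 libnss_dns.so.2 libnss_files.so.2
libnss_hesiod.so.2 libnss_libvirt_guest.so.2 libnss_libvirt.so.2
libnss_mdns.so.2 libnss_mdns4.so.2 libnss_mdns6.so.2 libnss_mdns_minimal.so.2
libnss_mdns4_minimal.so.2 libnss_mdns6_minimal.so.2 libnss_myhostname.so.2
libnss_mymachines.so.2 libnss_resolver.so.2 libnss_resolve.so.2
libnss_systemd.so.2 libnss_winbind.so.2 libnss_wins.so.2
"""
SERVER_LIBS = """
libnss_compat.so.2 libnss_db.so.2 libnss_dns.so.2 libnss_files.so.2
libnss_hesiod.so.2 libnss_myhostname.so.2 libnss_mymachines.so.2
libnss_resolve.so.2 libnss_systemd.so.2
"""

# libnss_<module>[-<glibc version>].so[.<soname version>]
LIB_RE = re.compile(r"libnss_([a-z0-9_]+)(?:-[0-9.]+)?\.so(?:\.[0-9]+)?$")


def nss_modules(listing):
    """Module names (the X in libnss_X.so.2) found in an `ls` listing."""
    names = set()
    for path in listing.split():
        m = LIB_RE.search(path)
        if m:
            names.add(m.group(1))
    return names


def hosts_lines(nsswitch_text):
    """One list of module names per `hosts:` line, in file order."""
    result = []
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        # Drop [STATUS=action] items such as [!UNAVAIL=return].
        spec = re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):])
        result.append(spec.split())
    return result


def audit(nsswitch_text, local_listing, baseline_listing):
    """Compare the modules named on hosts lines with two library listings."""
    local = nss_modules(local_listing)
    baseline = nss_modules(baseline_listing)
    lines = hosts_lines(nsswitch_text)
    referenced = []
    for mods in lines:
        for mod in mods:
            if mod not in referenced:
                referenced.append(mod)
    return {
        # More than one hosts line is ambiguous; keep exactly one.
        "hosts_line_count": len(lines),
        # Named in nsswitch.conf but no libnss_<name> library installed.
        "missing": [m for m in referenced if m not in local],
        # Installed and in use locally, but absent on the baseline machine.
        "unexpected": [m for m in referenced
                       if m in local and m not in baseline],
    }


if __name__ == "__main__":
    print(audit(LAPTOP_NSSWITCH, LAPTOP_LIBS, SERVER_LIBS))
```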


#24 2021-10-26 17:48:17

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

seth wrote:

I'd start by removing that out of the nss host resolution.
Looks like it's https://github.com/azukiapp/libnss-resolver
https://aur.archlinux.org/packages/libnss-resolver/ (but it's not an AUR package) used by https://aur.archlinux.org/packages/azk/

yay -Ss libnss
aur/libnss-resolver-git 0.3.0-1 (+0 0.00) (Installed)

Bingo! I will remove it and see what happens.

#25 2021-10-26 18:08:03

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED]Three systemd services on port 53

ls /usr/lib/libnss_*
/usr/lib/libnss_compat-2.33.so  /usr/lib/libnss_db-2.33.so  /usr/lib/libnss_dns-2.33.so  /usr/lib/libnss_files-2.33.so  /usr/lib/libnss_hesiod-2.33.so  /usr/lib/libnss_libvirt_guest.so.2  /usr/lib/libnss_mdns4.so.2          /usr/lib/libnss_mdns_minimal.so.2  /usr/lib/libnss_mymachines.so.2  /usr/lib/libnss_winbind.so    /usr/lib/libnss_wins.so.2
/usr/lib/libnss_compat.so       /usr/lib/libnss_db.so       /usr/lib/libnss_dns.so       /usr/lib/libnss_files.so       /usr/lib/libnss_hesiod.so       /usr/lib/libnss_libvirt.so.2        /usr/lib/libnss_mdns6_minimal.so.2  /usr/lib/libnss_mdns.so.2          /usr/lib/libnss_resolve.so.2     /usr/lib/libnss_winbind.so.2
/usr/lib/libnss_compat.so.2     /usr/lib/libnss_db.so.2     /usr/lib/libnss_dns.so.2     /usr/lib/libnss_files.so.2     /usr/lib/libnss_hesiod.so.2     /usr/lib/libnss_mdns4_minimal.so.2  /usr/lib/libnss_mdns6.so.2          /usr/lib/libnss_myhostname.so.2    /usr/lib/libnss_systemd.so.2     /usr/lib/libnss_wins.so


Still not working. Should I remove libnss_mdns and libnss_winbind? I can't find these files on my server.

The package libmicrodns (libnss_dns) is needed by gst-plugins-bad. What should I do?

Last edited by Morta (2021-10-26 18:18:58)
