[SOLVED] "Network is unreachable" with fully configured network

quequotion · 2023-02-22 23:15:16

A couple of days ago, I upgraded, and then rebooted.

Since then, I have been unable to access most of the internet.

Only archlinux and google domains can be resolved by any internet client I have installed.

Those two domains can be resolved, but everything else returns either "Network is unreachable" or "Temporary failure in name resolution" (the latter appears less often).

Even pinging ip addresses directly fails, unless they belong to google or archlinux sites.

Even the router's ip (192.168.0.1) returns "Network is unreachable" although I am using that router as a gateway, right now, to edit this post, and it is accessible from any other client connected to it. I have rebooted the router multiple times since I started having trouble.

This is not a new installation; I have been using it for years.

I use systemd-networkd with systemd-resolved plugged into dnscrypt-proxy; my WiFi connection is established with wpa_supplicant.

I have tried reconfiguring to use dnscrypt-proxy by itself, I have tried reconfiguring to use systemd-resolved with standard DNS servers, I have tried putting just google's DNS servers in /etc/resolv.conf.

None of those attempts changed the situation. There should not have been a need to reconfigure in the first place: I checked for .pacnew files as well, and found a few, but there were no conflicts with my existing configuration.

My network is connected and my router is configured correctly (every other client of the router is fine, it is only the Archlinux PC having problems; same for WiFi or LAN)

I rebooted with the installation media to see if it was a hardware problem, but the installation media had no trouble resolving any domain I asked it for.

Speaking of which, although no internet clients on this machine can access any domain other than google and archlinux, resolvectl is able to resolve any valid domain.

Here are some configuration files and status for your consideration:

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether bc:5f:f4:22:35:07 brd ff:ff:ff:ff:ff:ff
3: wlp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 6c:6a:77:9e:64:61 brd ff:ff:ff:ff:ff:ff

/etc/systemd/network/20-wifi.network

[Match]
MACAddress=6c:6a:77:9e:64:61

[Network]
Address=192.168.0.101
Gateway=192.168.0.1
DNS=127.0.0.53 127.0.0.1 ::1

/etc/systemd/network/20-wired.network

[Match]
MACAddress=bc:5f:f4:22:35:07

[Network]
Address=192.168.0.103
Gateway=192.168.0.1
DNS=127.0.0.53 127.0.0.1 ::1

/etc/resolv.conf

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

/etc/systemd/resolved.conf

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

DNS=127.0.0.1 ::1
FallbackDNS=
Domains=~.

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

## This is an example configuration file.
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc



##################################
#         Global settings        #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## The proxy will automatically pick working servers from this list.
## Note that the require_* filters do NOT apply when using this setting.
##
## By default, this list is empty and all registered servers matching the
## require_* filters will be used instead.
##
## Remove the leading # first to enable this; lines starting with # are ignored.

# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']


## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
##
## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`

listen_addresses = ['127.0.0.1:53', '[::1]:53']


## Maximum number of simultaneous client connections to accept

max_clients = 250


## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user

# user_name = 'nobody'


## Require servers (from remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = true

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

# Use servers implementing the Oblivious DoH protocol
odoh_servers = true


## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = true

# Server names to avoid even if they match all criteria
disabled_server_names = []


## Always use TCP to connect to upstream servers.
## This can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false


## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC)
## Note that, like DNSCrypt but unlike other HTTP versions, this uses
## UDP and (usually) port 443 instead of TCP.

http3 = true


## SOCKS proxy
## Uncomment the following line to route all TCP connections to a local Tor node
## Tor doesn't support UDP, so set `force_tcp` to `true` as well.

# proxy = 'socks5://127.0.0.1:9050'


## HTTP/HTTPS proxy
## Only for DoH servers

# http_proxy = 'http://127.0.0.1:8888'


## How long a DNS query will wait for a response, in milliseconds.
## If you have a network with *a lot* of latency, you may need to
## increase this. Startup may be slower if you do so.
## Don't increase it too much. 10000 is the highest reasonable value.

timeout = 10000


## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds

keepalive = 30


## Add EDNS-client-subnet information to outgoing queries
##
## Multiple networks can be listed; they will be randomly chosen.
## These networks don't have to match your actual networks.

# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32']


## Response for blocked queries. Options are `refused`, `hinfo` (default) or
## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
## Using the `hinfo` option means that some responses will be lies.
## Unfortunately, the `hinfo` option appears to be required for Android 8+

# blocked_query_response = 'refused'


## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
## The response quality still depends on the server itself.

# lb_strategy = 'p2'

## Set to `true` to constantly try to estimate the latency of all the resolvers
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
## Default is `true` that makes 'p2' `lb_strategy` work well.

# lb_estimator = true


## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

# log_level = 2


## Log file for the application, as an alternative to sending logs to
## the standard system logging service (syslog/Windows event log).
##
## This file is different from other log files, and will not be
## automatically rotated by the application.

log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'


## When using a log file, only keep logs from the most recent launch.

# log_file_latest = true


## Use the system logger (syslog on Unix, Event Log on Windows)

use_syslog = true


## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240


## Initially don't check DNSCrypt server certificates for expiration, and
## only start checking them after a first successful connection to a resolver.
## This can be useful on routers with no battery-backed clock.

# cert_ignore_timestamp = false


## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

# dnscrypt_ephemeral_keys = false


## DoH: Disable TLS session tickets - increases privacy but also latency

# tls_disable_session_tickets = false


## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##  4865 = TLS_AES_128_GCM_SHA256
##  4867 = TLS_CHACHA20_POLY1305_SHA256
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

# tls_cipher_suite = [52392, 49199]


## Bootstrap resolvers
##
## These are normal, non-encrypted DNS resolvers, that will be only used
## for one-shot queries when retrieving the initial resolvers list and if
## the system DNS configuration doesn't work.
##
## No user queries will ever be leaked through these resolvers, and they will
## not be used after IP addresses of DoH resolvers have been found (if you are
## using DoH).
##
## They will never be used if lists have already been cached, and if the stamps
## of the configured servers already include IP addresses (which is the case for
## most of DoH servers, and for all DNSCrypt servers and relays).
##
## They will not be used if the configured system DNS works, or after the
## proxy already has at least one usable secure resolver.
##
## Resolvers supporting DNSSEC are recommended, and, if you are using
## DoH, bootstrap resolvers should ideally be operated by a different entity
## than the DoH servers you will be using, especially if you have IPv6 enabled.
##
## People in China may want to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
##
## If more than one resolver is specified, they will be tried in sequence.
##
## TL;DR: put valid standard resolver addresses here. Your actual queries will
## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
## lists are up to date, these resolvers will not even be used.

bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53']


## Always use the bootstrap resolver before the system DNS settings.

ignore_system_dns = true


## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to not test for connectivity at all (not recommended),
## and -1 to wait as much as possible.

#netprobe_timeout = 60
netprobe_timeout = 0

## Address and port to try initializing a connection to, just to check
## if the network is up. It can be any address and any port, even if
## there is nothing answering these on the other side. Just don't use
## a local address, as the goal is to check for Internet connectivity.
## On Windows, a datagram with a single, nul byte will be sent, only
## when the system starts.
## On other operating systems, the connection will be initialized
## but nothing will be sent at all.

netprobe_address = '9.9.9.9:53'


## Offline mode - Do not use any remote encrypted servers.
## The proxy will remain fully functional to respond to queries that
## plugins can handle directly (forwarding, cloaking, ...)

# offline_mode = false


## Additional data to attach to outgoing queries.
## These strings will be added as TXT records to queries.
## Do not use, except on servers explicitly asking for extra data
## to be present.
## encrypted-dns-server can be configured to use this for access control
## in the [access_control] section

# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']


## Automatic log files rotation

# Maximum log files size in MB - Set to 0 for unlimited.
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 1

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1



#########################
#        Filters        #
#########################

## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.


## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.

block_ipv6 = false


## Immediately respond to A and AAAA queries for host names without a domain name

block_unqualified = true


## Immediately respond to queries for local zones instead of leaking them to
## upstream resolvers (always causing errors or timeouts).

block_undelegated = true


## TTL for synthetic responses sent when a request has been blocked (due to
## IPv6 or blocklists).

reject_ttl = 10



##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## See the `example-forwarding-rules.txt` file for an example

# forwarding_rules = '/etc/dnscrypt-proxy/forwarding-rules.txt'



###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled
## for cloaking rules that do not contain wild cards.
##
## See the `example-cloaking-rules.txt` file for an example

# cloaking_rules = '/etc/dnscrypt-proxy/cloaking-rules.txt'

## TTL used when serving entries in cloaking-rules.txt

# cloak_ttl = 600
# cloak_ptr = false



###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true


## Cache size

cache_size = 4096


## Minimum TTL for cached entries

cache_min_ttl = 2400


## Maximum TTL for cached entries

cache_max_ttl = 86400


## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60


## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600



########################################
#        Captive portal handling       #
########################################

[captive_portals]

## A file that contains a set of names used by operating systems to
## check for connectivity and captive portals, along with hard-coded
## IP addresses to return.

# map_file = '/etc/dnscrypt-proxy/captive-portals.txt'



##################################
#        Local DoH server        #
##################################

[local_doh]

## dnscrypt-proxy can act as a local DoH server. By doing so, web browsers
## requiring a direct connection to a DoH server in order to enable some
## features will enable these, without bypassing your DNS proxy.

## Addresses that the local DoH server should listen to

# listen_addresses = ['127.0.0.1:3000']


## Path of the DoH URL. This is not a file, but the part after the hostname
## in the URL. By convention, `/dns-query` is frequently chosen.
## For each `listen_address` the complete URL to access the server will be:
## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)

# path = '/dns-query'


## Certificate file and key - Note that the certificate has to be trusted.
## See the documentation (wiki) for more information.

# cert_file = "/var/lib/dnscrypt-proxy/localhost.pem"
# cert_key_file = "/var/lib/dnscrypt-proxy/localhost.pem"



###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]

## Path to the query log file (absolute, or relative to the same directory as the config file)
## Can be set to /dev/stdout in order to log to the standard output.

# file = '/var/log/dnscrypt-proxy/query.log'


## Query log format (currently supported: tsv and ltsv)

format = 'tsv'


## Do not log these query types, to reduce verbosity. Keep empty to log everything.

# ignored_qtypes = ['DNSKEY', 'NS']



############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.

[nx_log]

## Path to the query log file (absolute, or relative to the same directory as the config file)

# file = '/var/log/dnscrypt-proxy/nx.log'


## Query log format (currently supported: tsv and ltsv)

format = 'tsv'



######################################################
#        Pattern-based blocking (blocklists)         #
######################################################

## Blocklists are made of one pattern per line. Example of valid patterns:
##
##   example.com
##   =example.com
##   *sex*
##   ads.*
##   ads*.example.*
##   ads*.example[0-9]*.com
##
## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
## A script to build blocklists from public feeds can be found in the
## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.

[blocked_names]

## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

# blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt'


## Optional path to a file logging blocked queries

# log_file = '/var/log/dnscrypt-proxy/blocked-names.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'



###########################################################
#        Pattern-based IP blocking (IP blocklists)        #
###########################################################

## IP blocklists are made of one pattern per line. Example of valid patterns:
##
##   127.*
##   fe80:abcd:*
##   192.168.1.4

[blocked_ips]

## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)

# blocked_ips_file = '/etc/dnscrypt-proxy/blocked-ips.txt'


## Optional path to a file logging blocked queries

# log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'



######################################################
#   Pattern-based allow lists (blocklists bypass)    #
######################################################

## Allowlists support the same patterns as blocklists
## If a name matches an allowlist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_names]

## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)

# allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'


## Optional path to a file logging allowed queries

# log_file = '/var/log/dnscrypt-proxy/allowed-names.log'


## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'



#########################################################
#   Pattern-based allowed IPs lists (blocklists bypass) #
#########################################################

## Allowed IP lists support the same patterns as IP blocklists
## If an IP response matches an allowed entry, the corresponding session
## will bypass IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[allowed_ips]

## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)

# allowed_ips_file = '/etc/dnscrypt-proxy/allowed-ips.txt'


## Optional path to a file logging allowed queries

# log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'

## Optional log format: tsv or ltsv (default: tsv)

# log_format = 'tsv'



##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blocklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

  # [schedules.time-to-sleep]
  #   mon = [{after='21:00', before='7:00'}]
  #   tue = [{after='21:00', before='7:00'}]
  #   wed = [{after='21:00', before='7:00'}]
  #   thu = [{after='21:00', before='7:00'}]
  #   fri = [{after='23:00', before='7:00'}]
  #   sat = [{after='23:00', before='7:00'}]
  #   sun = [{after='21:00', before='7:00'}]

  # [schedules.work]
  #   mon = [{after='9:00', before='18:00'}]
  #   tue = [{after='9:00', before='18:00'}]
  #   wed = [{after='9:00', before='18:00'}]
  #   thu = [{after='9:00', before='18:00'}]
  #   fri = [{after='9:00', before='17:00'}]



#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must already be present. This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.
## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
## of less than 24 hours will have no effect.
## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.

[sources]

  ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
    cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''

  ### Anonymized DNS relays

  [sources.relays]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md']
    cache_file = '/var/cache/dnscrypt-proxy/relays.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    prefix = ''

  ### ODoH (Oblivious DoH) servers and relays

  # [sources.odoh-servers]
  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  #   cache_file = '/var/cache/dnscrypt-proxy/odoh-servers.md'
  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  #   refresh_delay = 24
  #   prefix = ''
  # [sources.odoh-relays]
  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  #   cache_file = '/var/cache/dnscrypt-proxy/odoh-relays.md'
  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  #   refresh_delay = 24
  #   prefix = ''

  ### Quad9

  # [sources.quad9-resolvers]
  #   urls = ['https://www.quad9.net/quad9-resolvers.md']
  #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
  #   cache_file = '/var/cache/dnscrypt-proxy/quad9-resolvers.md'
  #   prefix = 'quad9-'

  ### Another example source, with resolvers censoring some websites not appropriate for children
  ### This is a subset of the `public-resolvers` list, so enabling both is useless.

  # [sources.parental-control]
  #   urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md']
  #   cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
  #   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'



#########################################
#        Servers with known bugs        #
#########################################

[broken_implementations]

## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
## truncate responses larger than questions as expected by the DNSCrypt protocol.
## This prevents large responses from being received over UDP and over relays.
##
## Older versions of the `dnsdist` server software had a bug with queries larger
## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
## some server may still run an outdated version.
##
## The list below enables workarounds to make non-relayed usage more reliable
## until the servers are fixed.

fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']



#################################################################
#        Certificate-based client authentication for DoH        #
#################################################################

## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
## This is only useful if you are operating your own, private DoH server(s).
## 'creds' maps servers to certificates, and supports multiple entries.
## If you are not using the standard root CA, an optional "root_ca"
## property set to the path to a root CRT file can be added to a server entry.

[doh_client_x509_auth]

# creds = [
#    { server_name='*', client_cert='client.crt', client_key='client.key' }
# ]



################################
#        Anonymized DNS        #
################################

[anonymized_dns]

## Routes are indirect ways to reach DNSCrypt servers.
##
## A route maps a server name ("server_name") to one or more relays that will be
## used to connect to that server.
##
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
## DNSCrypt stamp) or a server name.
##
## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
## and "example-server-2" via the relay whose relay DNS stamp is
## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
##
## !!! THESE ARE JUST EXAMPLES !!!
##
## Review the list of available relays from the "relays.md" file, and, for each
## server you want to use, define the relays you want connections to go through.
##
## Carefully choose relays and servers so that they are run by different entities.
##
## "server_name" can also be set to "*" to define a default route, for all servers:
## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
##
## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
##
## Manual selection is always recommended over automatic selection, so that you can
## select (relay,server) pairs that work well and fit your own criteria (close by or
## in different countries, operated by different entities, on distinct ISPs...)

# routes = [
#    { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
#    { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
# ]


## Skip resolvers incompatible with anonymization instead of using them directly

skip_incompatible = false


## If public server certificates for a non-conformant server cannot be
## retrieved via a relay, try getting them directly. Actual queries
## will then always go through relays.

# direct_cert_fallback = false



###############################
#            DNS64            #
###############################

## DNS64 is a mechanism for synthesizing AAAA records from A records.
## It is used with an IPv6/IPv4 translator to enable client-server
## communication between an IPv6-only client and an IPv4-only server,
## without requiring any changes to either the IPv6 or the IPv4 node,
## for the class of applications that work through NATs.
##
## There are two options to synthesize such records:
## Option 1: Using a set of static IPv6 prefixes;
## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
##
## If both options are configured - only static prefixes are used.
## (Ref. RFC6147, RFC6052, RFC7050)
##
## Do not enable unless you know what DNS64 is and why you need it, or else
## you won't be able to connect to anything at all.

[dns64]

## Static prefix(es) as Pref64::/n CIDRs

# prefix = ['64:ff9b::/96']

## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs
## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.

# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']



########################################
#            Static entries            #
########################################

## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.

[static]

  # [static.myserver]
  #   stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'

systemctl status systemd-networkd

● systemd-networkd.service - Network Configuration
     Loaded: loaded (/usr/lib/systemd/system/systemd-networkd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-02-23 07:43:38 JST; 21min ago
TriggeredBy: ● systemd-networkd.socket
       Docs: man:systemd-networkd.service(8)
   Main PID: 30135 (systemd-network)
     Status: "Processing requests..."
      Tasks: 1 (limit: 38302)
     Memory: 1.6M
        CPU: 96ms
     CGroup: /system.slice/systemd-networkd.service
             └─30135 /usr/lib/systemd/systemd-networkd

Feb 23 07:43:38 Shiroko systemd-networkd[30135]: Enumeration completed
Feb 23 07:43:38 Shiroko systemd[1]: Started Network Configuration.
Feb 23 07:43:38 Shiroko systemd-networkd[30135]: enp12s0: Configuring with /etc/systemd/network/20-wired.network.
Feb 23 07:43:38 Shiroko systemd-networkd[30135]: wlp8s0: Configuring with /etc/systemd/network/20-wifi.network.
Feb 23 07:44:31 Shiroko systemd-networkd[30135]: wlp8s0: Lost carrier
Feb 23 07:44:31 Shiroko systemd-networkd[30135]: wlp8s0: DHCPv6 lease lost
Feb 23 07:44:31 Shiroko systemd-networkd[30135]: wlp8s0: Link DOWN
Feb 23 07:44:31 Shiroko systemd-networkd[30135]: wlp8s0: Link UP
Feb 23 07:44:35 Shiroko systemd-networkd[30135]: wlp8s0: Gained carrier
Feb 23 07:44:36 Shiroko systemd-networkd[30135]: wlp8s0: Gained IPv6LL

systemctl status systemd-resolved

● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-02-23 01:01:14 JST; 7h ago
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
   Main PID: 21325 (systemd-resolve)
     Status: "Processing requests..."
      Tasks: 1 (limit: 38302)
     Memory: 3.1M
        CPU: 759ms
     CGroup: /system.slice/systemd-resolved.service
             └─21325 /usr/lib/systemd/systemd-resolved

Feb 23 01:01:14 Shiroko systemd[1]: Starting Network Name Resolution...
Feb 23 01:01:14 Shiroko systemd-resolved[21325]: Positive Trust Anchors:
Feb 23 01:01:14 Shiroko systemd-resolved[21325]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Feb 23 01:01:14 Shiroko systemd-resolved[21325]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.>
Feb 23 01:01:14 Shiroko systemd-resolved[21325]: Using system hostname 'Shiroko'.
Feb 23 01:01:14 Shiroko systemd[1]: Started Network Name Resolution.
Feb 23 01:06:21 Shiroko systemd-resolved[21325]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 127.0.0.1.
Feb 23 01:23:20 Shiroko systemd-resolved[21325]: Grace period over, resuming full feature set (UDP+EDNS0) for DNS server 127.0.0.1.
Feb 23 07:01:22 Shiroko systemd-resolved[21325]: Clock change detected. Flushing caches.

systemctl status dnscrypt-proxy

● dnscrypt-proxy.service - DNSCrypt-proxy client
     Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; disabled; preset: disabled)
     Active: active (running) since Thu 2023-02-23 01:06:22 JST; 7h ago
       Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
   Main PID: 21607 (dnscrypt-proxy)
      Tasks: 14 (limit: 38302)
     Memory: 85.8M
        CPU: 32.401s
     CGroup: /system.slice/dnscrypt-proxy.service
             └─21607 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   316ms sth-dnscrypt-se-ipv6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   319ms ams-dnscrypt-nl-ipv6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   332ms meganerd-doh-ipv6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   403ms uncensoreddns-ipv6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   484ms v.dnscrypt.uk-ipv6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   511ms e-utp.net-ipv6-doh
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   712ms doh.ffmuc.net-v6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   716ms doh.ffmuc.net-v6-2
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] -   927ms ams-doh-nl-ipv6
Feb 23 07:01:39 Shiroko dnscrypt-proxy[21607]: [2023-02-23 07:01:39] [NOTICE] Server with the lowest initial latency: cloudflare-ipv6 >

resolvectl status

Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1 ::1 127.0.0.53 127.0.0.1 ::1 127.0.0.53 127.0.0.1 ::1
        DNS Domain: ~.

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 127.0.0.53
       DNS Servers: 127.0.0.53 127.0.0.1 ::1

Link 3 (wlp8s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 127.0.0.53
       DNS Servers: 127.0.0.53 127.0.0.1 ::1

systemctl status wpa_supplicant@wlp8s0.service

● wpa_supplicant@wlp8s0.service - WPA supplicant daemon (interface-specific version)
     Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant@.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-02-23 07:44:31 JST; 9min ago
   Main PID: 30291 (wpa_supplicant)
      Tasks: 1 (limit: 38302)
     Memory: 1.6M
        CPU: 35ms
     CGroup: /system.slice/system-wpa_supplicant.slice/wpa_supplicant@wlp8s0.service
             └─30291 /usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wlp8s0.conf -iwlp8s0

Feb 23 07:44:31 Shiroko systemd[1]: Started WPA supplicant daemon (interface-specific version).
Feb 23 07:44:31 Shiroko wpa_supplicant[30291]: Successfully initialized wpa_supplicant
Feb 23 07:44:31 Shiroko wpa_supplicant[30291]: wlp8s0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=WORLD
Feb 23 07:44:35 Shiroko wpa_supplicant[30291]: wlp8s0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=JP
Feb 23 07:44:35 Shiroko wpa_supplicant[30291]: wlp8s0: SME: Trying to authenticate with 00:5f:67:93:20:b6 (SSID='TP-Link_20B8' freq=52>
Feb 23 07:44:35 Shiroko wpa_supplicant[30291]: wlp8s0: Trying to associate with 00:5f:67:93:20:b6 (SSID='TP-Link_20B8' freq=5200 MHz)
Feb 23 07:44:35 Shiroko wpa_supplicant[30291]: wlp8s0: Associated with 00:5f:67:93:20:b6
Feb 23 07:44:35 Shiroko wpa_supplicant[30291]: wlp8s0: CTRL-EVENT-CONNECTED - Connection to 00:5f:67:93:20:b6 completed [id=0 id_str=]
Feb 23 07:44:35 Shiroko wpa_supplicant[30291]: wlp8s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0

/etc/hosts

# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1	localhost
::1		localhost
127.0.1.1	Shiroko.localdomain Shiroko

Edit: Immediately after making this post a few more domains have begun to resolve, but most of the internet remains out of reach. I can now get to downforeveryoneorjustme, which indicates there are no problems with any of the inaccessible domains I have tried.

Last edited by quequotion (2023-02-25 04:11:55)

quequotion · 2023-02-23 02:47:29

This is so weird.

Like, I could imagine the reason google and archlinux work is that I frequent those domains often and they are cached by either dnscrypt-proxy or systemd-resolved, however other websites I frequent, such as github and reddit, are completely inaccessible, not to mention IPs on my local network.

Then, I can access just a few other domains, including places I have never been before today, such as upcloud.com, but most of the internet is cut off.

I can't use pacman at all, although it seems to be getting DNS resolution done:

sudo pacman -S systemd-resolvconf
[sudo] password for zombie:       
resolving dependencies...
looking for conflicting packages...

Packages (1) systemd-resolvconf-253-1

Total Download Size:  0.00 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...

02/23 11:34:23 [ERROR] CUID#7 - Download aborted. URI=https://mirrors.kernel.org/archlinux/core/os/x86_64/systemd-resolvconf-253-1-x86_64.pkg.tar.zst
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://mirrors.kernel.org/archlinux/core/os/x86_64/systemd-resolvconf-253-1-x86_64.pkg.tar.zst
  -> [SocketCore.cc:507] errorCode=1 Failed to connect to the host 139.178.88.99, cause: Network is unreachable

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
c2ba90|ERR |       0B/s|//var/cache/pacman/pkg/systemd-resolvconf-253-1-x86_64.pkg.tar.zst.part

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

02/23 11:34:25 [ERROR] CUID#7 - Download aborted. URI=https://mirrors.cat.net/archlinux/core/os/x86_64/systemd-resolvconf-253-1-x86_64.pkg.tar.zst
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://mirrors.cat.net/archlinux/core/os/x86_64/systemd-resolvconf-253-1-x86_64.pkg.tar.zst
  -> [SocketCore.cc:507] errorCode=1 Failed to connect to the host 45.14.106.5, cause: Network is unreachable

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
334e07|ERR |       0B/s|//var/cache/pacman/pkg/systemd-resolvconf-253-1-x86_64.pkg.tar.zst.part

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
2a0175|ERR |        n/a|//var/cache/pacman/pkg/systemd-resolvconf-253-1-x86_64.pkg.tar.zst.part

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
4bfc25|ERR |        n/a|//var/cache/pacman/pkg/systemd-resolvconf-253-1-x86_64.pkg.tar.zst.part

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
de801f|ERR |        n/a|//var/cache/pacman/pkg/systemd-resolvconf-253-1-x86_64.pkg.tar.zst.part

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

02/23 11:34:33 [ERROR] CUID#7 - Download aborted. URI=http://srv2.ftp.ne.jp/Linux/packages/archlinux/core/os/x86_64/systemd-resolvconf-253-1-x86_64.pkg.tar.zst
Exception: [AbstractCommand.cc:351] errorCode=1 URI=http://srv2.ftp.ne.jp/Linux/packages/archlinux/core/os/x86_64/systemd-resolvconf-253-1-x86_64.pkg.tar.zst
  -> [SocketCore.cc:507] errorCode=1 Failed to connect to the host 202.255.47.226, cause: Network is unreachable

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
e22121|ERR |       0B/s|//var/cache/pacman/pkg/systemd-resolvconf-253-1-x86_64.pkg.tar.zst.part

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.
warning: failed to retrieve some files
error: failed to commit transaction (error invoking external downloader)
Errors occurred, no packages were upgraded.

seth · 2023-02-23 21:49:17

Even pinging ip addresses directly fails, unless they belong to google or archlinux sites.
…
Even the router's ip (192.168.0.1) returns "Network is unreachable"

Means it's not DNS.

ip link

ip a
ip r
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

quequotion · 2023-02-24 02:49:48

seth wrote:

Means it's not DNS.

Right? I am used to fixing DNS issues because of dnscrypt-proxy, but this appears to be something else.

ip link

You will find this above, it is the first of the several code blocks in the original post.

ip a
ip r
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

I will edit this post after work with the results from ip a and the find.

I did ip r several times yesterday, it returns nothing at all.

ip a (note, ethernet is deliberately disconnected; makes no difference anyway)

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp12s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether bc:5f:f4:22:35:07 brd ff:ff:ff:ff:ff:ff
3: wlp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 6c:6a:77:9e:64:61 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/32 scope global wlp8s0
       valid_lft forever preferred_lft forever
    inet6 2400:4152:7064:6b00:6e6a:77ff:fe9e:6461/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 2591660sec preferred_lft 604460sec
    inet6 fe80::6e6a:77ff:fe9e:6461/64 scope link 
       valid_lft forever preferred_lft forever

find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.freedesktop.network1.service    | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
display-manager.service                  | system
dnscrypt-proxy.service                   | multi-user.target.wants
gcr-ssh-agent.socket                     | sockets.target.wants
getty@tty1.service                       | getty.target.wants
gnome-keyring-daemon.socket              | sockets.target.wants
lm_sensors.service                       | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pcscd.socket                             | sockets.target.wants
pipewire.socket                          | sockets.target.wants
pulseaudio.socket                        | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
sshd.service                             | multi-user.target.wants
systemd-networkd.service                 | multi-user.target.wants
systemd-networkd.socket                  | sockets.target.wants
systemd-resolved.service                 | multi-user.target.wants
systemd-timesyncd.service                | sysinit.target.wants
throttle-cut.service                     | multi-user.target.wants
wpa_supplicant@wlp8s0.service            | multi-user.target.wants
xdg-user-dirs-update.service             | default.target.wants

Last edited by quequotion (2023-02-24 16:42:10)

seth · 2023-02-24 06:51:46

You will find this above

I saw it - it's just useless

I did ip r several times yesterday, it returns nothing at all.

There's your problem, it's only a matter of the cause.

Your internet lacks the roadmap - it doesn't know which road to take to get anywhere.
Working connections were either intermittent coincidence or from cached data.

quequotion · 2023-02-24 16:52:39

seth wrote:

Working connections were either intermittent coincidence or from cached data.

I was also thinking there must be some kind of cache, but then there are places I've never been that also work, and things that ought to be cached that aren't.

Take a look at these ping results: reddit.com is fine, but www.reddit.com (which the former redirects browsers to) doesn't exist.

ping reddit.com
PING reddit.com(2a04:4e42::396 (2a04:4e42::396)) 56 data bytes
64 bytes from 2a04:4e42::396 (2a04:4e42::396): icmp_seq=1 ttl=54 time=23.2 ms
64 bytes from 2a04:4e42::396 (2a04:4e42::396): icmp_seq=2 ttl=54 time=19.1 ms

ping www.reddit.com
ping: connect: Network is unreachable

There's no perceptible delay for the failed query. As soon as I enter the command, I get the error message.

The successful query takes a couple of milliseconds to respond, which is normal in my experience.

By the way, look up for ip a and find results.

find produced a list of various systemd services; is there something specific you were hoping to see or not see here?

Edit: PS, I tried ip route get for reddit.com; for www.reddit.com it returns NULL of course.

ip route get 2a04:4e42::396

2a04:4e42::396 from :: via fe80::212:e2ff:fe70:97e8 dev wlp8s0 proto ra src 2400:4152:7064:6b00:6e6a:77ff:fe9e:6461 metric 1024 pref medium

Edit: The plot thickens, it seems I do have an ipv6 routing table, just not an ipv4 one (which may explain why I can access some domains that could not be cached)

ip -6 route show

::1 dev lo proto kernel metric 256 pref medium
2400:4152:7064:6b00::/64 dev wlp8s0 proto ra metric 1024 expires 2591827sec pref medium
fe80::/64 dev wlp8s0 proto kernel metric 256 pref medium
default via fe80::212:e2ff:fe70:97e8 dev wlp8s0 proto ra metric 1024 expires 1627sec pref medium

I found a similar thread where you helped a user with NetworkManager and dhclient, apparently overcoming this issue.

My setup is different. I am not sure if systemd-networkd is responsible for setting up the routing tables and why it wouldn't be populating the ipv4 table if it should be, furthermore I can't figure out which command is meant by this:

kawsay wrote:

Indeed, I ran the same command and it worked.

Last edited by quequotion (2023-02-24 18:46:44)

seth · 2023-02-24 20:47:45

systemd-networkd is responsible for setting up the routing tables

This.

systemd-networkd.service                 | multi-user.target.wants
systemd-networkd.socket                  | sockets.target.wants
systemd-resolved.service                 | multi-user.target.wants
wpa_supplicant@wlp8s0.service            | multi-user.target.wants

why it wouldn't be populating the ipv4 table if it should be

There're no conflicting services, so netword clumsys this all by itself.
The wiki has every static Adress= example on a /24 segment, no idea whether that's relevant to actually get you a route (though there should™ be a default route no matter what)
Google spits out https://unix.stackexchange.com/question … d-networkd - but those have the gateway in a different subnet.
(IN any event nb. that this apparently will require explicit Address and Route sections)

Maybe it's because you've to NICs configured…

quequotion · 2023-02-25 04:10:46

seth wrote:

Maybe it's because you've to NICs configured…

They had been functional together before, but I tried disabling the ethernet in BIOS, still no ip4 route.

Then I tried GatewayOnLink:

/etc/systemd/network/20-wifi.network

[Match]
MACAddress=6c:6a:77:9e:64:61

[Network]
Address=192.168.0.101
DNS=127.0.0.53 127.0.0.1 ::1

[Route]
Gateway=192.168.0.1
GatewayOnLink=yes
Destination=0.0.0.0/0

ip r

default via 192.168.0.1 dev wlp8s0 proto static onlink

IPv4 internet is back! Marking as [solved].

Still, would like to know why I had to start specifying a static route all of the sudden.

Don't really know if I need onlink, but it might save some cycles if systemd-networks skips the check.

I feel like I should probably do the same for ipv6, but it seems to be fine anyway.

Last edited by quequotion (2023-02-25 04:25:33)

seth · 2023-02-25 06:35:54

Still, would like to know why I had to start specifying a static route all of the sudden.

It's probably around https://bbs.archlinux.org/viewtopic.php … 5#p2085455 but you still haven't specified a prefix. Check the journal.

Though I'm not tryig to understand what systemd does wrt networks and just assume it's broken by design and it's your job to poke around until it behaves.
Which is why I keep it at arms length and off every system I need to care about

quequotion · 2023-02-25 09:45:25

seth wrote:

It's probably around https://bbs.archlinux.org/viewtopic.php … 5#p2085455 but you still haven't specified a prefix. Check the journal.

Looks like. I still have the same kind of warnings in the log. TIL: /32 is an island, /24 is the world.

assume it's broken by design and it's your job to poke around until it behaves

This pretty much describes my entire installation.

Edit: In the end I went ahead and specified that prefix:

/etc/systemd/network/20-wifi.network

[Match]
MACAddress=6c:6a:77:9e:64:61

[Network]
Address=192.168.0.101/24
DNS=127.0.0.53 127.0.0.1 ::1

[Route]
Gateway=192.168.0.1
GatewayOnLink=yes
Destination=0.0.0.0/0

/etc/systemd/network/20-wired.network

[Match]
MACAddress=bc:5f:f4:22:35:07

[Network]
Address=192.168.0.103/24
DNS=127.0.0.53 127.0.0.1 ::1

[Route]
Gateway=192.168.0.1
GatewayOnLink=yes
Destination=0.0.0.0/0

Last edited by quequotion (2023-03-14 02:29:08)

Arch Linux

#1 2023-02-22 23:15:16

[SOLVED] "Network is unreachable" with fully configured network

#2 2023-02-23 02:47:29

Re: [SOLVED] "Network is unreachable" with fully configured network

#3 2023-02-23 21:49:17

Re: [SOLVED] "Network is unreachable" with fully configured network

#4 2023-02-24 02:49:48

Re: [SOLVED] "Network is unreachable" with fully configured network

#5 2023-02-24 06:51:46

Re: [SOLVED] "Network is unreachable" with fully configured network

#6 2023-02-24 16:52:39

Re: [SOLVED] "Network is unreachable" with fully configured network

#7 2023-02-24 20:47:45

Re: [SOLVED] "Network is unreachable" with fully configured network

#8 2023-02-25 04:10:46

Re: [SOLVED] "Network is unreachable" with fully configured network

#9 2023-02-25 06:35:54

Re: [SOLVED] "Network is unreachable" with fully configured network

#10 2023-02-25 09:45:25

Re: [SOLVED] "Network is unreachable" with fully configured network

Board footer