Hello everyone
Despite using Linux since 1994 I am officially lost with how current DNS configuration actually works.
My problem: I have all my services running in docker containers, including pi-hole (https://pi-hole.net/) on server 192.168.10.2. I am in a catch-22 situation because pi-hole needs a DNS server to correctly start, and it is the DNS server.
I was hoping to be able to rely on a backup DNS during the time of the startup of pi-hole.
I therefore have the following configuration in /etc/systemd/resolved.conf
[Resolve]
DNS=192.168.10.2
FallbackDNS=8.8.8.8 1.1.1.1
resolvectl status says
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.10.2
DNS Servers: 192.168.10.2
Fallback DNS Servers: 8.8.8.8 1.1.1.1
Link 2 (enp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
DNS Servers: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
Link 3 (enp4s0f0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (enp4s0f1)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 5 (br-04c6573bdc82)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
(.... more docker virtual interfaces like this one ...)
When I disabled pihole (and therefore there are no local servers) I expected to be able to resolve via Google or Cloudflare servers. I tried to resolve lemonde.fr:
root@srv ~# dig lemonde.fr
; <<>> DiG 9.18.14 <<>> lemonde.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30077
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;lemonde.fr. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon May 01 21:30:37 CEST 2023
;; MSG SIZE rcvd: 39
Please note the address of the server that was queried: 127.0.0.53. Why?
/etc/resolv.conf indeed points to that server:
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search .
With the information in the comment I am officially lost.
My question: how to set up DNS on Arch correctly?
Of course I read https://wiki.archlinux.org/title/Domain_name_resolution but nowhere there can I find the answer to my problem. I do not use NetworkManager or any other.
I would be really grateful for any hints.
Is this about the hosts config or the Pi-Hole config?
Afaict the latter uses dnsmasq, https://wiki.archlinux.org/title/Dnsmas … forwarding
Edit: https://wiki.archlinux.org/title/Pi-hol … management
Last edited by seth (2023-05-01 20:17:37)
There are several things to unpack here.
I am in a catch-22 situation because pi-hole needs a DNS server to correctly start, and it is the DNS server.
I was hoping to be able to rely on a backup DNS during the time of the startup of pi-hole.
Using Pi-Hole as an Ad-Blocker via DNS means Pi-Hole itself should not use itself as a DNS server - it should be manually configured to either use the DNS forwarder in your router, one of the DNS servers of your provider or a public DNS server of your choice.
I therefore have the following configuration in /etc/systemd/resolved.conf
[Resolve]
DNS=192.168.10.2
FallbackDNS=8.8.8.8 1.1.1.1
This configuration is not useful: If you manually configure a DNS server here the fallback servers will never be used.
This "FallBackDNS" does not work as a secondary DNS server.
resolvectl status says
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.10.2
DNS Servers: 192.168.10.2
Fallback DNS Servers: 8.8.8.8 1.1.1.1
Link 2 (enp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
DNS Servers: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
Link 3 (enp4s0f0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (enp4s0f1)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 5 (br-04c6573bdc82)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
(.... more docker virtual interfaces like this one ...)
You have an additional problem here: Your router provides an IPv6 DNS server most likely via router advertisement - this server belongs to your internet provider (ProXad / Free SAS). Every piece of software that chooses to use DNSv6 instead bypasses your Pi-Hole entirely (IPv6 bypass).
When I disabled pihole (and therefore there are no local servers) I expected to be able to resolve via google or cloudflare servers. I tried to resolve lemonde.fr:
root@srv ~# dig lemonde.fr
; <<>> DiG 9.18.14 <<>> lemonde.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30077
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;lemonde.fr. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon May 01 21:30:37 CEST 2023
;; MSG SIZE rcvd: 39
Please note the address of the server that was queried: 127.0.0.53. Why?
This is how systemd-resolved works - it sets a stub entry in resolv.conf:
/etc/resolv.conf indeed points to that server:
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search .
With the information in the comment I am officially lost.
Again: "FallbackDNS" does not work as a secondary DNS server.
With an unreachable primary DNS server this is exactly as it should be.
Please configure Pi-Hole via pi-hole-ftl as mentioned above. I only use dnsmasq - but the configuration should be similar.
You should configure systemd-resolved neither to accept DNSv6 via DHCPv6 nor to accept RAs:
[DHCPv6]
UseDomains=false
[IPv6AcceptRA]
UseDomains=false
Disable "FallbackDNS":
/etc/systemd/resolved.conf.d/fallback_dns.conf
[Resolve]
FallbackDNS=
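As an added check (not code from this thread or from Pi-hole), the following Python script parses `resolvectl status` output and reports the two issues raised in the reply above: a FallbackDNS= that is never consulted because DNS= is set, and per-link servers (such as the provider's IPv6 server learned from router advertisements) that bypass the Pi-hole. The expected resolver 192.168.10.2 and the sample output are taken from the thread; the function names are ours.

```python
import re

# Constructed sample, trimmed from the `resolvectl status` output quoted in the thread.
SAMPLE = """\
Global
     DNS Servers: 192.168.10.2
Fallback DNS Servers: 8.8.8.8 1.1.1.1
Link 2 (enp3s0)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
     DNS Servers: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
Link 5 (br-04c6573bdc82)
  Current Scopes: none
"""

SECTION_RE = re.compile(r"^(Global|Link \d+ \((\S+)\))$")
# "Key: value" lines; the space after the colon keeps IPv6 addresses from parsing as keys.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z. ]*):\s+(.*)$")

def parse_status(text):
    """Return {"Global" | interface: {field: value}}; continuation lines are appended."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group(2) or "Global"
            sections[current], last_key = {}, None
        elif current is None or not line:
            continue
        elif f := FIELD_RE.match(line):
            last_key = f.group(1)
            sections[current][last_key] = f.group(2)
        elif last_key:  # a second server printed on its own line belongs to the last key
            sections[current][last_key] += " " + line
    return sections

def audit(text, expected_dns):
    """Findings: a FallbackDNS that can never fire, and per-link servers that bypass expected_dns."""
    findings, sections = [], parse_status(text)
    glob = sections.get("Global", {})
    if glob.get("DNS Servers") and glob.get("Fallback DNS Servers"):
        findings.append("Global: DNS= is set, so FallbackDNS= is never consulted")
    for name, fields in sections.items():
        for server in fields.get("DNS Servers", "").split():
            if name != "Global" and server != expected_dns:
                findings.append(f"{name}: DNS server {server} bypasses {expected_dns}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.168.10.2"):
        print(finding)
```

Run it against live output with `resolvectl status | python3 check.py` after replacing SAMPLE with `sys.stdin.read()`.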