
#1 2023-05-01 19:35:09

Wpq
Member
Registered: 2022-01-15
Posts: 4

How to use a single DNS setup? (aka I am lost with DNS setup)

Hello everyone

Despite using Linux since 1994 I am officially lost with how current DNS configuration actually works.

My problem: I have all my services running in docker containers, including pi-hole (https://pi-hole.net/) on server 192.168.10.2. I am in a catch-22 situation because pi-hole needs a DNS server to correctly start, and it is the DNS server.
I was hoping to be able to rely on a backup DNS during the time of the startup of pi-hole.

I therefore have the following configuration in /etc/systemd/resolved.conf

[Resolve]
DNS=192.168.10.2
FallbackDNS=8.8.8.8 1.1.1.1

resolvectl status says

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 192.168.10.2
         DNS Servers: 192.168.10.2
Fallback DNS Servers: 8.8.8.8 1.1.1.1

Link 2 (enp3s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
       DNS Servers: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3

Link 3 (enp4s0f0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (enp4s0f1)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (br-04c6573bdc82)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

(.... more docker virtual interfaces like this one ...)

When I disabled pihole (and therefore there are no local servers) I expected to be able to resolve via google or cloudflare servers. I tried to resolve lemonde.fr:

root@srv ~# dig lemonde.fr

; <<>> DiG 9.18.14 <<>> lemonde.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30077
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;lemonde.fr.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon May 01 21:30:37 CEST 2023
;; MSG SIZE  rcvd: 39

Please note the address of the server that was queried: 127.0.0.53. Why?

/etc/resolv.conf indeed points to that server:

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

With the information in the comment I am officially lost.

My question: how to set up DNS on Arch correctly?

Of course I read https://wiki.archlinux.org/title/Domain_name_resolution but nowhere there can I find the answer to my problem. I do not use NetworkManager or any other.

I would be really grateful for any hints.

Offline

#2 2023-05-01 20:14:49

seth
Member
Registered: 2012-09-03
Posts: 58,243

Re: How to use a single DNS setup? (aka I am lost with DNS setup)

Is this about the hosts config or the Pi-Hole config?
Afaict the latter uses dnsmasq, https://wiki.archlinux.org/title/Dnsmas … forwarding

Edit: https://wiki.archlinux.org/title/Pi-hol … management

Last edited by seth (2023-05-01 20:17:37)

Offline

#3 2023-05-02 07:00:01

-thc
Member
Registered: 2017-03-15
Posts: 647

Re: How to use a single DNS setup? (aka I am lost with DNS setup)

There are several things to unpack here.

Wpq wrote:

I am in a catch-22 situation because pi-hole needs a DNS server to correctly start, and it is the DNS server.
I was hoping to be able to rely on a backup DNS during the time of the startup of pi-hole.

Using Pi-Hole as an Ad-Blocker via DNS means Pi-Hole itself should not use itself as a DNS server - it should be manually configured to either use the DNS forwarder in your router, one of the DNS servers of your provider or a public DNS server of your choice.

Wpq wrote:

I therefore have the following configuration in /etc/systemd/resolved.conf

[Resolve]
DNS=192.168.10.2
FallbackDNS=8.8.8.8 1.1.1.1

This configuration is not useful: If you manually configure a DNS server here the fallback servers will never be used.
This "FallbackDNS" does not work as a secondary DNS server.

Wpq wrote:

resolvectl status says

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 192.168.10.2
         DNS Servers: 192.168.10.2
Fallback DNS Servers: 8.8.8.8 1.1.1.1

Link 2 (enp3s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
       DNS Servers: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3

Link 3 (enp4s0f0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (enp4s0f1)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (br-04c6573bdc82)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

(.... more docker virtual interfaces like this one ...)

You have an additional problem here: Your router provides an IPv6 DNS server most likely via router advertisement - this server belongs to your internet provider (ProXad / Free SAS). Every piece of software that chooses to use DNSv6 instead bypasses your Pi-Hole entirely (IPv6 bypass).

Wpq wrote:

When I disabled pihole (and therefore there are no local servers) I expected to be able to resolve via google or cloudflare servers. I tried to resolve lemonde.fr:

root@srv ~# dig lemonde.fr

; <<>> DiG 9.18.14 <<>> lemonde.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30077
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;lemonde.fr.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon May 01 21:30:37 CEST 2023
;; MSG SIZE  rcvd: 39

Please note the address of the server that was queried: 127.0.0.53. Why?

This is how systemd-resolved works - it sets a stub entry in resolv.conf:

Wpq wrote:

/etc/resolv.conf indeed points to that server:

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

With the information in the comment I am officially lost.

Again: "FallbackDNS" does not work as a secondary DNS server.
With an unreachable primary DNS server this is exactly as it should be.

Please configure Pi-Hole via pi-hole-ftl as mentioned above. I only use dnsmasq - but the configuration should be similar.

You should configure systemd-resolved neither to accept DNSv6 via DHCPv6 nor to accept RAs:

[DHCPv6]
UseDomains=false

[IPv6AcceptRA]
UseDomains=false

Disable "FallbackDNS":

/etc/systemd/resolved.conf.d/fallback_dns.conf

[Resolve]
FallbackDNS=

Offline
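As an added example (not from the thread, and not a systemd or Pi-hole tool): a small Python checker for the two points -thc raises in post #3, that is, per-link DNS servers learned from the router that bypass the Pi-hole over IPv6, and a configured FallbackDNS that systemd-resolved will not use as a secondary server. It parses `resolvectl status` text in the layout shown above. The allowed resolver 192.168.10.2 is the Pi-hole address from post #1, and the embedded sample status is constructed from the output in that post; on a real host it runs `resolvectl status` itself.

```python
"""Audit `resolvectl status` output for DNS servers that bypass the intended
resolver (here a Pi-hole) and for a non-empty FallbackDNS list.

Added example for this forum thread; it is not part of the original posts and
not a systemd or Pi-hole tool.  It parses the text layout printed by
`resolvectl status` as shown in the thread.
"""
import ipaddress
import re
import shutil
import subprocess

# Constructed sample, reproducing the shape of the `resolvectl status` output
# in post #1 (uplink link plus one Docker bridge without a DNS scope).
SAMPLE_STATUS = """\
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 192.168.10.2
         DNS Servers: 192.168.10.2
Fallback DNS Servers: 8.8.8.8 1.1.1.1

Link 2 (enp3s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3
       DNS Servers: 2a01:e0a:407:d3c0:2e2:69ff:fe59:33a3

Link 5 (br-04c6573bdc82)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
"""

# Section headers are either "Global" or "Link N (ifname)".
SECTION_RE = re.compile(r"^(Global|Link \d+ \((\S+)\))$")


def parse_status(text):
    """Return {section: {field: value}} for the Global block and each link block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = "Global" if m.group(1) == "Global" else m.group(2)
            sections[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: IPv6 addresses contain colons themselves.
        key, _, value = line.partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def audit(text, allowed_servers):
    """List findings: a configured FallbackDNS list, and any per-link or global
    DNS server that is not one of `allowed_servers` (those bypass the Pi-hole)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_servers}
    sections = parse_status(text)
    findings = []

    fallback = sections.get("Global", {}).get("Fallback DNS Servers", "")
    if fallback:
        findings.append(f"Global: FallbackDNS set ({fallback}); "
                        "systemd-resolved does not use it as a secondary server")

    for name, fields in sections.items():
        for server in fields.get("DNS Servers", "").split():
            # Drop a link-local zone ("%enp3s0") or DoT server name ("#name") suffix.
            addr = ipaddress.ip_address(server.split("%")[0].split("#")[0])
            if addr not in allowed:
                family = "IPv6" if addr.version == 6 else "IPv4"
                findings.append(f"{name}: {family} DNS server {addr} "
                                "bypasses the allowed resolver(s)")
    return findings


if __name__ == "__main__":
    # On a host with systemd-resolved, audit the live status; otherwise use the sample.
    if shutil.which("resolvectl"):
        status = subprocess.run(["resolvectl", "status"], capture_output=True,
                                text=True, check=True).stdout
    else:
        status = SAMPLE_STATUS
    # 192.168.10.2 is the Pi-hole address from post #1 (assumed to be the only intended resolver).
    for finding in audit(status, ["192.168.10.2"]) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the two problems from the thread: the fallback list, and the provider's IPv6 resolver on enp3s0. After applying the drop-ins from post #3 and restarting systemd-resolved, a clean run against the live host should print "no findings".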
