
#1 2023-05-31 11:36:40

ariadnavigo
Member
Registered: 2023-05-31
Posts: 3

[SOLVED] systemd-resolved: Setting 'Domains=~.' globally breaks Google

Hi everyone,
I'm a bit baffled with this issue I'm encountering using systemd-resolved. I followed the instructions on the wiki and I found that everything worked, except that anything related to Google timed out when resolving their DNS... This happened at least with Google's own Public DNS, as well as Cloudflare's. Other sites might be broken, but I haven't found out yet.

My configuration for systemd-resolved looks as follows. I'm using systemd-networkd as network manager and wpa_supplicant for WiFi management.

$ systemd-analyze cat-config systemd/resolved.conf
# /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dn>
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

# /etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Domains=~.

The issue disappears if I remove the Domains setting in the resolved.conf.d drop-in file.

Moreover, resolvectl shows something I do not fully understand but seems wrong to me, at least at a first glance. You'll find below that resolvectl reports two "Current DNS Servers," the one intended, under Global, but also a link-specific DNS Server that I have absolutely no idea where it's coming from.

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp3s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.148.202
       DNS Servers: 192.168.148.202

I have not set any custom .link files for that interface, only a .network file, where no DNS attribute has been set. So I don't see where that may come from, except DHCP? But even so, the global Domains attribute should ensure all DNS resolution goes through the servers listed as global... regardless of whether there's a second mysterious link-specific DNS server "active." It makes no sense that deleting that attribute makes everything work as intended... but using which DNS server, in that case?

Is there anything I'm missing here? Thank you all!

Last edited by ariadnavigo (2023-06-01 07:14:28)


#2 2023-05-31 14:48:20

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] systemd-resolved: Setting 'Domains=~.' globally breaks Google

ariadnavigo wrote:

So I don't see where that may come from, except DHCP? But even so, the global Domains attribute should ensure all DNS resolution goes through the servers listed as global... regardless of whether there's a second mysterious link-specific DNS server "active."

Yep - this DNS server is acquired via DHCP and is ignored as long as the global "Domains" directive is set.

ariadnavigo wrote:

The issue disappears if I remove the Domains setting in the resolved.conf.d drop-in file.

Most likely the link specific DNS server takes over. You can verify this by issuing a "drill" command and observe the "SERVER:" value in the answer.

ariadnavigo wrote:

I'm a bit baffled with this issue I'm encountering using systemd-resolved. I followed the instructions on the wiki and I found that everything worked, except that anything related to Google timed out when resolving their DNS... This happened at least with Google's own Public DNS, as well as Cloudflare's. Other sites might be broken, but I haven't found out yet.

Can you show us - maybe with an example - what you mean by "except that anything related to Google timed out when resolving their DNS"?

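To make the routing rule -thc describes in the reply above concrete, here is an added Python model (example code, not from the thread, the wiki or systemd) that parses the `resolvectl` status output posted in the first post and reports which servers a name would be routed to. The routing logic is a simplified reading of the resolved.conf(5) and systemd.network(5) rules (the longest matching route domain wins, `~.` matches every name, names no route domain matches go to a link flagged +DefaultRoute) and is my assumption, not resolved's own code. The sample status text is constructed from the thread's output, and `parse_status`, `route` and `without_global_domains` are names of my own.

```python
"""Which DNS servers does systemd-resolved route a query to?

Simplified model of the routing rules (an assumption, not resolved's code):
the scope whose route domain is the longest suffix of the name wins, the
route-only root domain '~.' matches every name, and a name that no route
domain matches goes to a link flagged +DefaultRoute (else to the global servers).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the `resolvectl` status from the thread, with global
# Domains=~. set and a DHCP-supplied DNS server on wlp2s0.
SAMPLE_STATUS = """\
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
                      2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp3s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.148.202
       DNS Servers: 192.168.148.202
"""


@dataclass
class Scope:
    name: str                      # "global" or the link name
    servers: list = field(default_factory=list)
    domains: list = field(default_factory=list)   # route domains, '~' stripped
    default_route: bool = False    # link carries +DefaultRoute


# A "Key: value" line; wrapped continuation lines (server lists) start with a digit.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z. ]*?):\s*(.*)$")
LINK_RE = re.compile(r"^Link \d+ \((\S+)\)")


def parse_status(text):
    """Parse `resolvectl` status output into a list of Scope objects."""
    scopes, cur, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line == "Global" or LINK_RE.match(line):
            m = LINK_RE.match(line)
            cur = Scope(m.group(1) if m else "global")
            scopes.append(cur)
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2)
        else:
            value = line.strip()          # wrapped continuation of the last key
        if last_key == "DNS Servers":
            cur.servers += value.split()
        elif last_key == "DNS Domain":
            cur.domains += [d.lstrip("~") for d in value.split()]
        elif last_key == "Protocols":
            cur.default_route = "+DefaultRoute" in value.split()
    return scopes


def route(scopes, name):
    """Return (scope name, servers) that a query for `name` would be sent to."""
    name = name.rstrip(".").lower()
    best, best_len = None, -1
    for s in scopes:
        for d in s.domains:
            d = d.rstrip(".").lower()      # '.' (root) becomes '' and matches all
            if s.servers and (d == "" or name == d or name.endswith("." + d)):
                if len(d) > best_len:
                    best, best_len = s, len(d)
    if best is not None:
        return best.name, best.servers
    for s in scopes:                       # no route domain matched: default-route link
        if s.name != "global" and s.default_route and s.servers:
            return s.name, s.servers
    g = next((s for s in scopes if s.name == "global"), None)
    return (g.name, g.servers) if g and g.servers else (None, [])


def without_global_domains(scopes):
    """Copy of the scopes with the global Domains= entry removed (the OP's test)."""
    return [Scope(s.name, list(s.servers),
                  [] if s.name == "global" else list(s.domains), s.default_route)
            for s in scopes]


if __name__ == "__main__":
    scopes = parse_status(SAMPLE_STATUS)
    for label, sc in (("Domains=~. set", scopes),
                      ("Domains= removed", without_global_domains(scopes))):
        print(label, "->", route(sc, "www.google.com"))
```

Run as-is, the script shows that with `Domains=~.` every name is routed to the global Google servers, and with the global Domains entry removed the DHCP-supplied 192.168.148.202 on wlp2s0 takes over, which is the behaviour -thc predicts.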

#3 2023-05-31 20:33:12

ariadnavigo
Member
Registered: 2023-05-31
Posts: 3

Re: [SOLVED] systemd-resolved: Setting 'Domains=~.' globally breaks Google

-thc wrote:

Most likely the link specific DNS server takes over. You can verify this by issuing a "drill" command and observe the "SERVER:" value in the answer.

I tested the command with and without the Domains setting set and in both cases it reports 127.0.0.53, the resolved interface, as its server. The setting does affect the IPs reported though:

$ drill google.com # WITH Domains=~.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 57622
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.	IN	A

;; ANSWER SECTION:
google.com.	156	IN	A	142.250.178.174

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.53
;; WHEN: Wed May 31 22:16:17 2023
;; MSG SIZE  rcvd: 44
$ drill google.com  # WITHOUT Domains=~.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48006
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.	IN	A

;; ANSWER SECTION:
google.com.	120	IN	A	216.58.215.142

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 40 msec
;; SERVER: 127.0.0.53
;; WHEN: Wed May 31 22:14:11 2023
;; MSG SIZE  rcvd: 44

However, I've noticed this fails with Domains=~. set:

$ drill www.google.com
Error: error sending query: Could not send or receive, because of network error

And this relates to your other point:

-thc wrote:

Can you show us - maybe with an example - what you mean by "except that anything related to Google timed out when resolving their DNS"?

I found the problem out on Firefox, where google.com seems to always be redirected to www.google.com. It just waits for over a minute to resolve and then spits out the FF error page telling you that it was "Unable to connect." I tried my own www subdomain on my own website and it does work both on FF and using drill:

$ drill www.ariadnavigo.xyz
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25826
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.ariadnavigo.xyz.	IN	A

;; ANSWER SECTION:
www.ariadnavigo.xyz.	21600	IN	CNAME	ariadnavigo.xyz.
ariadnavigo.xyz.	21600	IN	A	212.71.238.109

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 209 msec
;; SERVER: 127.0.0.53
;; WHEN: Wed May 31 22:23:33 2023
;; MSG SIZE  rcvd: 67

On the other hand, have a look at this: youtube.com is fine, but www.youtube.com is not... reddit.com and www.reddit.com both work fine:

$ drill www.youtube.com
Error: error sending query: Could not send or receive, because of network error
$ drill youtube.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43879
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; youtube.com.	IN	A

;; ANSWER SECTION:
youtube.com.	300	IN	A	142.250.178.174

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 65 msec
;; SERVER: 127.0.0.53
;; WHEN: Wed May 31 22:25:40 2023
;; MSG SIZE  rcvd: 45
$ drill www.reddit.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 10289
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.reddit.com.	IN	A

;; ANSWER SECTION:
www.reddit.com.	6603	IN	CNAME	reddit.map.fastly.net.
reddit.map.fastly.net.	25	IN	A	151.101.1.140
reddit.map.fastly.net.	25	IN	A	151.101.65.140
reddit.map.fastly.net.	25	IN	A	151.101.129.140
reddit.map.fastly.net.	25	IN	A	151.101.193.140

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 70 msec
;; SERVER: 127.0.0.53
;; WHEN: Wed May 31 22:25:46 2023
;; MSG SIZE  rcvd: 131
$ drill reddit.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9316
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; reddit.com.	IN	A

;; ANSWER SECTION:
reddit.com.	47	IN	A	151.101.65.140
reddit.com.	47	IN	A	151.101.193.140
reddit.com.	47	IN	A	151.101.129.140
reddit.com.	47	IN	A	151.101.1.140

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 54 msec
;; SERVER: 127.0.0.53
;; WHEN: Wed May 31 22:25:51 2023
;; MSG SIZE  rcvd: 92

Could it be some problem on Google's side? Or maybe there's some protocol that I've failed to activate to make Google happy? For example, DNSSEC is deactivated on this system. I'm copying resolvectl's output below again to show the protocols that are active:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.4.4
         DNS Servers: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google
          DNS Domain: ~.

Link 2 (enp3s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.148.202
       DNS Servers: 192.168.148.202

I apologize for the lengthy reply; I wanted to be as thorough as I could!

Last edited by ariadnavigo (2023-05-31 20:35:08)


#4 2023-06-01 06:59:06

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] systemd-resolved: Setting 'Domains=~.' globally breaks Google

ariadnavigo wrote:

I tested the command with and without the Domains setting set and in both cases it reports 127.0.0.53, the resolved interface, as its server. The setting does affect the IPs reported though:

My error - I tend to forget that systemd-resolved works via loopback.

There is something odd here - you post a successful "drill google.com" with "Domains=~." and an unsuccessful one.
Do those errors happen sometimes? mostly? rarely?

ariadnavigo wrote:

I found the problem out on Firefox, where google.com seems to always be redirected to www.google.com. It just waits for over a minute to resolve and then spits out the FF error page telling you that it was "Unable to connect."
[...]
On the other hand, have a look at this: youtube.com is fine, but www.youtube.com is not... reddit.com and www.reddit.com both work fine:

Please do this:

drill www.google.com @8.8.8.8
drill www.google.com @192.168.148.202

drill www.youtube.com @8.8.8.8
drill www.youtube.com @192.168.148.202

If those four commands succeed, try

resolvectl query www.google.com


#5 2023-06-01 07:13:27

ariadnavigo
Member
Registered: 2023-05-31
Posts: 3

Re: [SOLVED] systemd-resolved: Setting 'Domains=~.' globally breaks Google

I found out the solution, although I honestly don't really understand why it works: removing Google's IPv6 DNS servers from the resolved configuration, only leaving 8.8.8.8 and 8.8.4.4 as custom servers. That solves all DNS resolution problems regarding Google, for some reason. Before removal, drill was failing, but resolvectl did always return the domains' IPv6 addresses (without any IPv4 one).

However, even restricting myself to IPv4 DNS servers, Google domains still report IPv6 addresses via resolvectl?

$ resolvectl query google.com
google.com: 2a00:1450:4003:803::200e           -- link: wlp2s0
            142.250.185.14                     -- link: wlp2s0

-- Information acquired via protocol DNS in 61.1ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
$ resolvectl query www.google.com
www.google.com: 142.250.200.132                -- link: wlp2s0
                2a00:1450:4003:80f::2004       -- link: wlp2s0

-- Information acquired via protocol DNS in 45.0ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: cache network

In any case, everything looks fine now. Marking this as solved!

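Since the fix in this last post is to keep only the IPv4 entries in DNS=, here is an added Python helper (example code, not from the thread or from systemd) that parses the entries of a resolved.conf drop-in in the address[:port][#servername] form documented in resolved.conf(5), splits them by address family and writes a trimmed drop-in. The check for a global-scope IPv6 address in /proc/net/if_inet6 is a heuristic I added; the thread does not establish that missing IPv6 connectivity was the cause of the timeouts, so that link is an assumption. The sample drop-in is the one from the first post, and `parse_server`, `filter_drop_in` and `host_has_global_ipv6` are my names.

```python
"""Split a resolved.conf DNS= list by address family and emit a trimmed drop-in."""
import ipaddress

# Constructed sample: the drop-in from the first post of the thread.
DROP_IN = """\
[Resolve]
DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Domains=~.
"""


def parse_server(token):
    """Parse one DNS= entry, address[:port][#servername] per resolved.conf(5).

    IPv6 with a port is written [addr]:port; a %ifname scope suffix is dropped.
    Returns (ipaddress object, port or None, server name or None).
    """
    server_name = None
    if "#" in token:
        token, server_name = token.split("#", 1)
    port = None
    if token.startswith("["):                    # [v6]:port
        addr, _, rest = token[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif token.count(":") == 1:                  # v4:port (a bare IPv6 has >= 2 colons)
        addr, p = token.split(":")
        port = int(p)
    else:
        addr = token
    addr = addr.split("%", 1)[0]                 # drop a link scope id such as %wlp2s0
    return ipaddress.ip_address(addr), port, server_name


def filter_drop_in(text, keep_families=(4, 6)):
    """Rewrite DNS=/FallbackDNS= lines, keeping servers of the given IP versions.

    Returns (new drop-in text, list of dropped entries). Other lines pass through.
    """
    out, dropped = [], []
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() in ("DNS", "FallbackDNS"):
            kept = []
            for tok in val.split():
                ip, _, _ = parse_server(tok)
                (kept if ip.version in keep_families else dropped).append(tok)
            out.append(f"{key}={' '.join(kept)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", dropped


def host_has_global_ipv6():
    """Heuristic: True if /proc/net/if_inet6 lists an address with global scope
    (scope field "00"); None when that file is unavailable (non-Linux host)."""
    try:
        with open("/proc/net/if_inet6") as f:
            for line in f:
                parts = line.split()
                if len(parts) >= 6 and parts[3] == "00":
                    return True
            return False
    except OSError:
        return None


if __name__ == "__main__":
    v6 = host_has_global_ipv6()
    # Without a global IPv6 address (or when unknown), keep only the IPv4 servers.
    families = (4, 6) if v6 else (4,)
    trimmed, dropped = filter_drop_in(DROP_IN, families)
    print(f"global IPv6 address present: {v6}; dropped entries: {dropped}")
    print(trimmed, end="")
```

Writing the trimmed text to a new file under /etc/systemd/resolved.conf.d/ and restarting systemd-resolved reproduces the configuration this post ends up with; keeping the `#servername` suffix on retained entries matters if DNSOverTLS is later enabled, since resolved validates the server certificate against that name.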
