DNS is not my forte, so please excuse me if all of this is very basic.
I needed to update the firmware for my Eaton UPS and unfortunately the update software is Windows only. So I had to download Windows 11. When downloading I got this error:
Error
We are unable to complete your request at this time. Some users, entities and locations are banned from using this service. For this reason, leveraging anonymous or location hiding technologies when connecting to this service is not generally allowed. If you believe that you encountered this problem in error, please try again. If the problem persists you may contact Microsoft Support – Contact Us page for assistance.
This was strange because I don't use a VPN. However, I do have AdGuard Home plugin on my OpnSense router which points to Unbound (again on OpnSense) as its upstream router in resolver mode. I don't use any other DNS servers. I haven't had any problems in resolving any domain names prior to this as far as I know. When I got this error, I started looking into it and read that it could be a DNS issue.
On my Archlinux box, I am using a static /etc/resolv.conf with very basic configuration. I have disabled systemd-resolved service.
domain lan.mydomain.com
nameserver 192.168.1.1
So I added Google's 8.8.8.8 as another nameserver after my local one.
domain lan.mydomain.com
nameserver 192.168.1.1
nameserver 8.8.8.8
But that didn't work and I got the same error. So I commented out my router's nameserver and only used Google's. This time the download worked, but obviously local name resolutions for my various services like password manager, nextcloud etc stopped working.
Questions:
My understanding was, that if the first nameserver fails to respond, it should automatically try the next one listed. So why didn't it work when I had my router's DNS listed first and Google's listed as 2nd?
Also, if I list google's DNS first followed by my local router's, the local resolution fails.
systemd-resolved can work as a DNS Forwarder and I understand how to set it up by linking it to stub-resolver. However, if I use systemd-resolved, how can I circumvent such an issue if it happens in the future? I tried adding 8.8.8.8 as an upstream DNS server in Adguard Home DNS settings, while running systemd-resolved on archlinux, but I still couldn't download the Windows iso in this setup and got the same error. It seemed like systemd-resolved wasn't using the 8.8.8.8 or the FallbackDNS servers
Thanks in advance
Basically, I guess I am trying to understand if I am doing DNS correctly. I would want to use the DNS provided by the DHCP server instead of having different settings in each machine, so I guess I should be using systemd-resolved, but can someone guide me how to add public DNS servers in AdGuard Home temporarily, so I don't have to do this on my individual arch boxes?
Last edited by Inxsible (2023-08-16 15:04:30)
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
My understanding was, that if the first nameserver fails to respond, it should automatically try the next one listed. So why didn't it work when I had my router's DNS listed first and Google's listed as 2nd?
Your server did not fail to respond, it probably responded with NXDOMAIN, i.e. told your archlinux that the domain does not exist.
The problem might be some adblock rule in adguard. If you want to keep the adblocker you should not try to circumvent the adguard dns.
Last edited by progandy (2023-08-16 17:11:23)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
My understanding was, that if the first nameserver fails to respond, it should automatically try the next one listed. So why didn't it work when I had my router's DNS listed first and Google's listed as 2nd?
Your server did not fail to respond, it probably responded with NXDOMAIN, i.e. told your archlinux that the domain does not exist.
The problem might be some adblock rule in adguard. If you want to keep the adblocker you should not try to circumvent the adguard dns.
Oh yes, I thought about that possibility that my router's DNS probably answered which is why it didn't ask Google's DNS. But would Google's DNS also respond with NXDOMAIN for some of my local network hosts because local DNS resolution also failed when I had google DNS listed first followed by my router's DNS server? I do own a valid domain but I haven't set up every host's A record in the Cloudflare DNS entries as I never access them from the web. Only via Wireguard VPN. The local hosts are set up as host overrides in Unbound configuration.
Ok, if I were to switch over to using systemd-resolved with a symlink to /etc/resolv.conf -- and in the future if I find a similar issue can I simply modify the /etc/resolv.conf (temporarily) to use a public DNS and perform the download or what have you. A subsequent reboot will overwrite the /etc/resolv.conf and bring me back to the way things were, correct?
Like I said, I would want to continue using the local Unbound resolver, and I didn't have a problem for multiple years. If I can temporarily do it, then yes, I definitely don't want to circumvent the adguard dns which is nothing but my Unbound resolver.
Thanks @progandy
Last edited by Inxsible (2023-08-16 18:36:50)
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
But would Google's DNS also respond with NXDOMAIN for some of my local network hosts
dig @8.8.8.8 snafu
("Yes")
if I were to switch over to using systemd-resolved with a symlink to /etc/resolv.conf
you'll make things probably worse because w/ resolved the nameserver used for the resolution is no longer per-process. Also nss will resolve IPs out of the cache, whatever you do to resolv.conf at the time.
A subsequent reboot will overwrite the /etc/resolv.conf and bring me back to the way things were, correct?
I would want to use the DNS provided by the DHCP server
If you're getting the DNS via dhcp and resolveconf or similar, that'll happen anyway, however I'm not sure whether that's correct either, because
I am using a static /etc/resolv.conf
You can however also use a systemd service that restores or writes a static /etc/resolv.conf during the boot.
This is because some service doesn't like your adblocker, but you don't want to scrap your adblocker, correct?
You'll have to exempt the naughty service, resorting to google to resolve every domain your local DNS doesn't want to resolve defeats your purpose of having a local DNS - or did I get that wrong?
Alternatively you'll have to temporarily switch the DNS config (resolv.conf) to google and then back to your own one (but that oc. impacts the entire system for every connection during that time)
Yes, google dns will answer to all queries it receives and tell you the domain does not exist if it does not know it.
I do not use systemd-resolved, but if you change the resolv.conf file, then it will not be restored after a reboot. Or do you mean editing the file the symlink points to? That might work, but it might also change sometime during runtime. systemd-resolved has a dbus-api as well, some programs might prefer that and not use /etc/resolv.conf if it is available.
I would want to use the DNS provided by the DHCP server instead of having different settings in each machine
There are different options to set that up. systemd-resolved is one, openresolv another: https://wiki.archlinux.org/title/Openresolv
Edit: seth was faster
Last edited by progandy (2023-08-16 20:06:53)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
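The nameserver behaviour discussed in the replies above, as an added example that is not part of any forum post: a simplified model of walking the `nameserver` list in /etc/resolv.conf, where only silence moves on to the next server and any reply ends the lookup. The hostnames, the `resolve` helper, and the assumption that the router answers NXDOMAIN for a filtered name are constructed for illustration.

```python
import re

TIMEOUT, NXDOMAIN, NOERROR = "TIMEOUT", "NXDOMAIN", "NOERROR"

ROUTER, GOOGLE = "192.168.1.1", "8.8.8.8"
ROUTER_FIRST = f"domain lan.mydomain.com\nnameserver {ROUTER}\nnameserver {GOOGLE}\n"
GOOGLE_FIRST = f"domain lan.mydomain.com\nnameserver {GOOGLE}\nnameserver {ROUTER}\n"

BLOCKED = {"download.blocked.example"}        # constructed: name filtered on the router
LOCAL_HOSTS = {"nextcloud.lan.mydomain.com"}  # constructed: host override known only locally

def router(name):
    # Assumption: the filtering resolver replies NXDOMAIN for a blocked name.
    return NXDOMAIN if name in BLOCKED else NOERROR

def google(name):
    # A public resolver has no record of LAN-only host overrides.
    return NXDOMAIN if name in LOCAL_HOSTS else NOERROR

def dead(name):
    return TIMEOUT  # server unreachable: no reply at all

LIVE = {ROUTER: router, GOOGLE: google}
ROUTER_DOWN = {ROUTER: dead, GOOGLE: google}

def parse_nameservers(resolv_conf):
    """Nameserver addresses in file order; commented-out lines do not match."""
    found = []
    for line in resolv_conf.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
    return found

def resolve(name, resolv_conf, servers):
    """Return (outcome, answering server, servers asked) for one lookup."""
    asked = []
    for ns in parse_nameservers(resolv_conf):
        asked.append(ns)
        outcome = servers[ns](name)
        if outcome != TIMEOUT:      # in this model any reply, even NXDOMAIN, is final
            return outcome, ns, asked
    return TIMEOUT, None, asked

if __name__ == "__main__":
    print(resolve("download.blocked.example", ROUTER_FIRST, LIVE))
    print(resolve("nextcloud.lan.mydomain.com", GOOGLE_FIRST, LIVE))
    print(resolve("download.blocked.example", ROUTER_FIRST, ROUTER_DOWN))
```
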
This is because some service doesn't like your adblocker, but you don't want to scrap your adblocker, correct?
Correct
You'll have to exempt the naughty service, resorting to google to resolve every domain your local DNS doesn't want to resolve defeats your purpose of having a local DNS - or did I get that wrong?
Agreed, but in this case, I was just downloading the Windows 11 iso. How do I figure out which adblock rule is causing the failure? And yes, I don't want to resort to Google DNS or any other public DNS which is why I mentioned I wanted to do this temporarily in case I encounter something similar in the future.
Alternatively you'll have to temporarily switch the DNS config (resolv.conf) to google and then back to your own one (but that oc. impacts the entire system for every connection during that time)
I guess I can live with that since I am aware of the change I made to the /etc/resolv.conf. Secondly, I have been using a local resolver for almost a decade and haven't had an issue before. I will admit that I put in AdGuard Home recently --say about 8-9 months ago.
Thanks both for your explanations. I will keep using the static /etc/resolv.conf pointing to my local DNS server.
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Some information for allowing some domains through the adguard filter:
https://0x2142.com/how-to-set-up-adguar … -filtering
https://adguard.com/en/blog/in-depth-re … ml#filters
Maybe the Microsoft allowlist here can help to choose the domains to allow (or the statistics of your adguard installation)
https://github.com/hl2guide/AdGuard-Hom … MODULES.md
https://adguard.com/en/blog/in-depth-re … l#querylog
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
Good info. I'll go through it and see what I can use. The Microsoft allow list might be relevant for the current Windows download issue.
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !