
#1 2024-05-18 16:13:18

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

[SOLVED] Unable to resolve DNS system-wide

Nothing on my machine is able to resolve DNS queries anymore after a recent update. I'm not doing anything fancy in my configs.

Currently, I have systemd-resolved set to use 8.8.8.8, which is NOT ping-able. I have tried disabling DNSSEC, per a suggestion on another forum, to no avail.

I have my own unbound DNS running on my OpnSense router, and I know that one also works because the other machines in my LAN use it properly.

Machines on my LAN are, of course, accessible by IP without DNS.

resolvectl error is not illuminating:

➜  ~ resolvectl query google.com
google.com: resolve call failed: Lookup failed due to system error: Connection refused

Neither is nslookup:

➜  ~ nslookup google.com
;; Got SERVFAIL reply from 127.0.0.53
Server:		127.0.0.53
Address:	127.0.0.53#53

** server can't find google.com: SERVFAIL

and my status looks like:

➜  ~ resolvectl status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 ::1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (enp0s25)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp3s0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (ipv6leakintrf0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: ::1
       DNS Servers: ::1
        DNS Domain: ~.

Link 5 (docker0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

and my config looks like:

➜  ~ cat /etc/systemd/resolved.conf 
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0

Can you please help me understand why DNS is broken on my machine? I would really be grateful for your help, as you can imagine, it is super frustrating having a machine that cannot resolve DNS and trying to troubleshoot it without easily-accessible Internet references. Thank you so much!!

Last edited by TheChuckster (2024-05-18 21:16:15)

Offline

#2 2024-05-18 16:19:38

ua4000
Member
Registered: 2015-10-14
Posts: 452

Re: [SOLVED] Unable to resolve DNS system-wide

Hi, please post

systemd-analyze cat-config systemd/resolved.conf

Please use code tags when posting the log.

Which is your network manager ?


EDIT: and if ping to an IP does not work, it's not a DNS issue, but a network issue.

Last edited by ua4000 (2024-05-18 16:21:54)

Offline

#3 2024-05-18 16:30:29

seth
Member
Registered: 2012-09-03
Posts: 54,443

Re: [SOLVED] Unable to resolve DNS system-wide

ua4000 wrote:

> if ping to an IP does not work, it's not a DNS issue, but a network issue.

> Machines on my LAN are, of course, accessible by IP without DNS.

> 8.8.8.8, which is NOT ping-able

ip a; ip r; ping -c1 8.8.8.8; find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

Online

#4 2024-05-18 18:38:45

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

> EDIT: and if ping to an IP does not work, it's not a DNS issue, but a network issue.

I'm using NetworkManager.

This might be a two-for-one special. I can ping 8.8.8.8 on my LTE hotspot but not on my LAN. 8.8.8.8 is ping-able on other machines connected to my LAN. Both networks experience the same DNS symptoms, though. I will continue diagnosing this on only my LAN in the interest of consistency.

➜  ~ systemd-analyze cat-config systemd/resolved.conf                                                                                                        
# /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
➜  ~ ip a; ip r; ping -c1 8.8.8.8; find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 3c:97:0e:92:c7:39 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f4:7b:09:c9:ce:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.70/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0
       valid_lft 7008sec preferred_lft 7008sec
    inet6 2605:a601:aa26:d300::10bf/128 scope global dynamic noprefixroute 
       valid_lft 7011sec preferred_lft 4311sec
    inet6 fe80::eb29:8e57:772c:86fb/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: ipv6leakintrf0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 62:c7:88:50:5f:1f brd ff:ff:ff:ff:ff:ff
    inet6 fdeb:446c:912d:8da::/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::9ca:8606:bcb:c00f/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:50:31:9e:d1 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlp3s0 proto dhcp src 192.168.1.70 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.70 metric 600 
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

avahi-daemon.service                     | multi-user.target.wants
avahi-daemon.socket                      | sockets.target.wants
bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.freedesktop.Avahi.service       | system
dbus-org.freedesktop.NetworkManager.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
display-manager.service                  | system
docker.service                           | multi-user.target.wants
gcr-ssh-agent.socket                     | sockets.target.wants
getty@tty1.service                       | getty.target.wants
gnome-keyring-daemon.socket              | sockets.target.wants
NetworkManager.service                   | multi-user.target.wants
nfs-client.target                        | multi-user.target.wants
nfs-client.target                        | remote-fs.target.wants
nmb.service                              | multi-user.target.wants
ntpdate.service                          | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-media-session.service           | pipewire.service.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
postgresql.service                       | multi-user.target.wants
pulseaudio.socket                        | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
smb.service                              | multi-user.target.wants
sshd.service                             | multi-user.target.wants
systemd-resolved.service                 | sysinit.target.wants
systemd-timesyncd.service                | sysinit.target.wants
tlp.service                              | multi-user.target.wants
windscribe.service                       | multi-user.target.wants
xdg-user-dirs-update.service             | default.target.wants

Last edited by TheChuckster (2024-05-18 18:40:16)

Offline

#5 2024-05-18 18:51:03

ua4000
Member
Registered: 2015-10-14
Posts: 452

Re: [SOLVED] Unable to resolve DNS system-wide

ipv6leakintrf0 / windscribe.service ?

Some sort of VPN ? You didn't mention a VPN service so far on this machine. My proposal would be to disable or remove it, at least for testing.

Offline

#6 2024-05-18 19:09:21

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

Thank you, and apologies for not mentioning it, because I thought it was deactivated; that explains everything. ProtonVPN has a built-in "kill switch" that I had to deactivate. I also removed Windscribe completely. (Almost) everything works now.

sudo protonvpn-cli ks --off

Incidentally, I still cannot ping 8.8.8.8 on this machine on my home network, but I can still ping it on other machines?

Offline
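
Added example (not part of any post in this thread): in the `resolvectl status` output from post #1, link `ipv6leakintrf0` holds the catch-all routing domain `~.` with `::1` as its only DNS server, so systemd-resolved sends every lookup to the local machine. The function below flags links in that state; `find_dns_blackholes` and `sample_status` are hypothetical names, and the parser assumes the `resolvectl status` layout shown in that post.

```shell
#!/bin/sh
# Added example, not from the thread. find_dns_blackholes is a hypothetical
# helper: it reads `resolvectl status` text on stdin and prints every link
# that claims the catch-all routing domain "~." while all of its DNS servers
# are loopback addresses, so every lookup is routed to the local machine.
find_dns_blackholes() {
    awk '
    function report() {
        if (link != "" && catchall && nservers > 0 && nloop == nservers)
            print link
    }
    function add(   i) {          # consume the values of the current field
        for (i = 1; i <= NF; i++) {
            if (sect == "srv") {
                nservers++
                if ($i ~ /^(::1|127\.[0-9.]+)(#.*)?$/) nloop++
            } else if (sect == "dom" && $i == "~.") catchall = 1
        }
    }
    /^(Global|Link [0-9]+ \(.*\))[ \t]*$/ {      # section header
        report()
        link = ""; sect = ""; catchall = 0; nservers = 0; nloop = 0
        if ($1 == "Link") { link = $3; gsub(/[()]/, "", link) }
        next
    }
    /^[ \t]*DNS Servers:/ { sub(/^[ \t]*DNS Servers:/, ""); sect = "srv"; add(); next }
    /^[ \t]*DNS Domain:/  { sub(/^[ \t]*DNS Domain:/, "");  sect = "dom"; add(); next }
    /^[ \t]*[A-Za-z][A-Za-z. ]*:([ \t]|$)/ { sect = ""; next }  # other labels
    NF { add() }                  # unlabelled line continues the current field
    END { report() }
    '
}

# Sample input: excerpt of the `resolvectl status` output quoted in post #1.
sample_status() {
    cat <<'EOF'
Global
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 ::1

Link 3 (wlp3s0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (ipv6leakintrf0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: ::1
       DNS Servers: ::1
        DNS Domain: ~.
EOF
}

sample_status | find_dns_blackholes
```

On a live system the same check is `resolvectl status | find_dns_blackholes`; an empty result means no link is both catch-all and loopback-only.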

#7 2024-05-18 19:13:08

ua4000
Member
Registered: 2015-10-14
Posts: 452

Re: [SOLVED] Unable to resolve DNS system-wide

Please reboot your machine, and then please post again the output "seth" has requested.

Offline

#8 2024-05-18 20:04:22

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

New output after reboot:

➜  ~ ip a; ip r; ping -c1 8.8.8.8; find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 3c:97:0e:92:c7:39 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f4:7b:09:c9:ce:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.70/24 brd 192.168.1.255 scope global dynamic wlp3s0
       valid_lft 7127sec preferred_lft 7127sec
    inet6 2605:a601:aa26:d300::10bf/128 scope global dynamic noprefixroute 
       valid_lft 7128sec preferred_lft 4428sec
    inet6 fe80::5f2e:a464:9e79:4e27/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:90:e3:6d:ec brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlp3s0 proto dhcp src 192.168.1.70 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.70 metric 600 
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

avahi-daemon.service                     | multi-user.target.wants
avahi-daemon.socket                      | sockets.target.wants
bluetooth.service                        | bluetooth.target.wants
dbus-org.bluez.service                   | system
dbus-org.freedesktop.Avahi.service       | system
dbus-org.freedesktop.NetworkManager.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service    | system
dbus-org.freedesktop.timesync1.service   | system
display-manager.service                  | system
docker.service                           | multi-user.target.wants
gcr-ssh-agent.socket                     | sockets.target.wants
getty@tty1.service                       | getty.target.wants
gnome-keyring-daemon.socket              | sockets.target.wants
NetworkManager.service                   | multi-user.target.wants
nfs-client.target                        | multi-user.target.wants
nfs-client.target                        | remote-fs.target.wants
nmb.service                              | multi-user.target.wants
ntpdate.service                          | multi-user.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-media-session.service           | pipewire.service.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
postgresql.service                       | multi-user.target.wants
pulseaudio.socket                        | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
smb.service                              | multi-user.target.wants
sshd.service                             | multi-user.target.wants
systemd-resolved.service                 | sysinit.target.wants
systemd-timesyncd.service                | sysinit.target.wants
tlp.service                              | multi-user.target.wants
xdg-user-dirs-update.service             | default.target.wants

Offline

#9 2024-05-18 20:32:43

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,375

Re: [SOLVED] Unable to resolve DNS system-wide

systemd-resolved & avahi often clash.
check https://wiki.archlinux.org/title/Avahi# … om_working to verify if that's the case for you.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building too complicated ?
Try clean chroot manager by graysky

Offline

#10 2024-05-18 20:48:34

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

Looks okay:

➜  ~ host -t SOA local      
Host local not found: 3(NXDOMAIN)
➜  ~ host -t SOA localdomain
Host localdomain not found: 3(NXDOMAIN)

Offline

#11 2024-05-18 20:51:41

seth
Member
Registered: 2012-09-03
Posts: 54,443

Re: [SOLVED] Unable to resolve DNS system-wide

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

you have a lease and a route and it looks ok, but the traffic gets intercepted.
Firewall?
Can you

dig @8.8.8.8 google.com

?

Online

#12 2024-05-18 20:52:26

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

➜  ~ dig @8.8.8.8 google.com

; <<>> DiG 9.18.27 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55127
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		273	IN	A	142.250.115.139
google.com.		273	IN	A	142.250.115.113
google.com.		273	IN	A	142.250.115.100
google.com.		273	IN	A	142.250.115.102
google.com.		273	IN	A	142.250.115.101
google.com.		273	IN	A	142.250.115.138

;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sat May 18 15:52:03 CDT 2024
;; MSG SIZE  rcvd: 135

Offline

#13 2024-05-18 20:55:18

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

Firewall let ICMP pass through (IP redacted):

	WAN		2024-05-18T15:53:48-05:00	x.x.x.x	8.8.8.8	icmp	let out anything from firewall host itself (force gw)

Offline

#14 2024-05-18 21:15:10

seth
Member
Registered: 2012-09-03
Posts: 54,443

Re: [SOLVED] Unable to resolve DNS system-wide

Yes, *out*. What about the echo?

dig, i.e. DNS works, ping is most likely the firewall.

Edit: Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Last edited by seth (2024-05-18 21:15:24)

Online

#15 2024-05-18 21:16:49

TheChuckster
Member
Registered: 2013-07-19
Posts: 23

Re: [SOLVED] Unable to resolve DNS system-wide

I don't see any ICMP traffic arriving in from 8.8.8.8 -- it's not even "blocked"

Offline

#16 2024-05-18 21:21:21

seth
Member
Registered: 2012-09-03
Posts: 54,443

Re: [SOLVED] Unable to resolve DNS system-wide

Temporarily disable the firewall, can you then ping 8.8.8.8 ?

Online
