Nothing on my machine is able to resolve DNS queries anymore after a recent update. I'm not doing anything fancy in my configs.
Currently, I have systemd-resolved set to use 8.8.8.8, which is NOT ping-able. I have tried disabling DNSSEC, per a suggestion on another forum, to no avail.
I have my own unbound DNS running on my OpnSense router, and I know that one also works because the other machines in my LAN use it properly.
Machines on my LAN are, of course, accessible by IP without DNS.
resolvectl error is not illuminating:
➜ ~ resolvectl query google.com
google.com: resolve call failed: Lookup failed due to system error: Connection refused
Neither is nslookup:
➜ ~ nslookup google.com
;; Got SERVFAIL reply from 127.0.0.53
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find google.com: SERVFAIL
and my status looks like:
➜ ~ resolvectl status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8 ::1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
Link 2 (enp0s25)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp3s0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (ipv6leakintrf0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: ::1
DNS Servers: ::1
DNS Domain: ~.
Link 5 (docker0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
and my config looks like:
➜ ~ cat /etc/systemd/resolved.conf
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
Can you please help me understand why DNS is broken on my machine? I would really be grateful for your help, as you can imagine, it is super frustrating having a machine that cannot resolve DNS and trying to troubleshoot it without easily-accessible Internet references. Thank you so much!!
Last edited by TheChuckster (2024-05-18 21:16:15)
Hi, please post
systemd-analyze cat-config systemd/resolved.conf
Please use code tags when posting the log.
Which is your network manager?
EDIT: and if ping to an IP does not work, it's not a DNS issue, but a network issue.
Last edited by ua4000 (2024-05-18 16:21:54)
if ping to an IP does not work, it's not a DNS issue, but a network issue.
Machines on my LAN are, of course, accessible by IP without DNS.
…
8.8.8.8, which is NOT ping-able
ip a; ip r; ping -c1 8.8.8.8; find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
> EDIT: and if ping to an IP does not work, it's not a DNS issue, but a network issue.
I'm using NetworkManager.
This might be a two-for-one special. I can ping 8.8.8.8 on my LTE hotspot but not on my LAN. 8.8.8.8 is ping-able on other machines connected to my LAN. Both networks experience the same DNS symptoms, though. I will continue diagnosing this on only my LAN in the interest of consistency.
➜ ~ systemd-analyze cat-config systemd/resolved.conf
# /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
➜ ~ ip a; ip r; ping -c1 8.8.8.8; find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 3c:97:0e:92:c7:39 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:7b:09:c9:ce:da brd ff:ff:ff:ff:ff:ff
inet 192.168.1.70/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0
valid_lft 7008sec preferred_lft 7008sec
inet6 2605:a601:aa26:d300::10bf/128 scope global dynamic noprefixroute
valid_lft 7011sec preferred_lft 4311sec
inet6 fe80::eb29:8e57:772c:86fb/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: ipv6leakintrf0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 62:c7:88:50:5f:1f brd ff:ff:ff:ff:ff:ff
inet6 fdeb:446c:912d:8da::/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::9ca:8606:bcb:c00f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:50:31:9e:d1 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlp3s0 proto dhcp src 192.168.1.70 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.70 metric 600
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
avahi-daemon.service | multi-user.target.wants
avahi-daemon.socket | sockets.target.wants
bluetooth.service | bluetooth.target.wants
dbus-org.bluez.service | system
dbus-org.freedesktop.Avahi.service | system
dbus-org.freedesktop.NetworkManager.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service | system
dbus-org.freedesktop.timesync1.service | system
display-manager.service | system
docker.service | multi-user.target.wants
gcr-ssh-agent.socket | sockets.target.wants
getty@tty1.service | getty.target.wants
gnome-keyring-daemon.socket | sockets.target.wants
NetworkManager.service | multi-user.target.wants
nfs-client.target | multi-user.target.wants
nfs-client.target | remote-fs.target.wants
nmb.service | multi-user.target.wants
ntpdate.service | multi-user.target.wants
p11-kit-server.socket | sockets.target.wants
pipewire-media-session.service | pipewire.service.wants
pipewire-session-manager.service | user
pipewire.socket | sockets.target.wants
postgresql.service | multi-user.target.wants
pulseaudio.socket | sockets.target.wants
remote-fs.target | multi-user.target.wants
smb.service | multi-user.target.wants
sshd.service | multi-user.target.wants
systemd-resolved.service | sysinit.target.wants
systemd-timesyncd.service | sysinit.target.wants
tlp.service | multi-user.target.wants
windscribe.service | multi-user.target.wants
xdg-user-dirs-update.service | default.target.wants
Last edited by TheChuckster (2024-05-18 18:40:16)
ipv6leakintrf0 / windscribe.service?
Some sort of VPN ? You didn't mention a VPN service so far on this machine. My proposal would be to disable or remove it, at least for testing.
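As an added illustration of the diagnosis above (example code, not from the thread or from systemd): in the `resolvectl status` output, ipv6leakintrf0 is the only link with +DefaultRoute and it carries the `~.` routing domain, so every query goes to ::1 on that link, where nothing is answering. The script below is a simplified model of systemd-resolved's per-link routing that parses that output and flags a link which captures all queries but points only at loopback; the sample input is a trimmed copy of the status posted above.

```python
import re
# Trimmed copy of the `resolvectl status` output posted in this thread (sample input).
SAMPLE_STATUS = """\
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 8.8.8.8 ::1
Link 3 (wlp3s0)
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (ipv6leakintrf0)
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: ::1
DNS Domain: ~.
"""

def parse_status(text):
    """Map each scope (Global or a link name) to its servers, domains and DefaultRoute flag."""
    scopes, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(?:Global|Link \d+ \((\S+)\))$", line)
        if m:
            cur = m.group(1) or "Global"
            scopes[cur] = {"servers": [], "domains": [], "default_route": False}
        elif cur and line.startswith("DNS Servers:"):
            scopes[cur]["servers"] = line.split(":", 1)[1].split()
        elif cur and line.startswith("DNS Domain:"):
            scopes[cur]["domains"] = line.split(":", 1)[1].split()
        elif cur and line.startswith("Protocols:"):
            scopes[cur]["default_route"] = "+DefaultRoute" in line
    return scopes

def route_query(name, scopes):
    """Simplified routing: longest matching domain wins ('~.' matches all), else +DefaultRoute links, else Global."""
    name, best, best_len = name.rstrip(".").lower(), [], -1
    for link, s in scopes.items():
        for d in (d.lstrip("~").lstrip(".").lower() for d in s["domains"]):
            if d and name != d and not name.endswith("." + d):
                continue
            if len(d) > best_len:
                best, best_len = [link], len(d)
            elif len(d) == best_len:
                best.append(link)
    if best: return best
    return [l for l, s in scopes.items() if l != "Global" and s["default_route"]] or ["Global"]

def loopback_capture(scopes):
    """Links that catch all queries yet point only at loopback: a local VPN/stub resolver that may not be listening."""
    return [l for l, s in scopes.items() if l != "Global" and s["servers"]
            and (s["default_route"] or "~." in s["domains"])
            and all(v.split("#")[0] in ("::1", "127.0.0.1") for v in s["servers"])]
```

Run it with `print(route_query("google.com", parse_status(SAMPLE_STATUS)))` to see that the query is routed to ipv6leakintrf0 rather than to the Global 8.8.8.8 entry.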
Thank you, and apologies for not mentioning it, because I thought it was deactivated; that explains everything. ProtonVPN has a built-in "kill switch" that I had to deactivate. I also removed Windscribe completely. (Almost) everything works now.
sudo protonvpn-cli ks --off
Incidentally, I still cannot ping 8.8.8.8 on this machine on my home network, but I can still ping it on other machines?
Please reboot your machine, and then please post again the output "seth" has requested.
New output after reboot:
➜ ~ ip a; ip r; ping -c1 8.8.8.8; find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 3c:97:0e:92:c7:39 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:7b:09:c9:ce:da brd ff:ff:ff:ff:ff:ff
inet 192.168.1.70/24 brd 192.168.1.255 scope global dynamic wlp3s0
valid_lft 7127sec preferred_lft 7127sec
inet6 2605:a601:aa26:d300::10bf/128 scope global dynamic noprefixroute
valid_lft 7128sec preferred_lft 4428sec
inet6 fe80::5f2e:a464:9e79:4e27/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:90:e3:6d:ec brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlp3s0 proto dhcp src 192.168.1.70 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.70 metric 600
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
avahi-daemon.service | multi-user.target.wants
avahi-daemon.socket | sockets.target.wants
bluetooth.service | bluetooth.target.wants
dbus-org.bluez.service | system
dbus-org.freedesktop.Avahi.service | system
dbus-org.freedesktop.NetworkManager.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service | system
dbus-org.freedesktop.timesync1.service | system
display-manager.service | system
docker.service | multi-user.target.wants
gcr-ssh-agent.socket | sockets.target.wants
getty@tty1.service | getty.target.wants
gnome-keyring-daemon.socket | sockets.target.wants
NetworkManager.service | multi-user.target.wants
nfs-client.target | multi-user.target.wants
nfs-client.target | remote-fs.target.wants
nmb.service | multi-user.target.wants
ntpdate.service | multi-user.target.wants
p11-kit-server.socket | sockets.target.wants
pipewire-media-session.service | pipewire.service.wants
pipewire-session-manager.service | user
pipewire.socket | sockets.target.wants
postgresql.service | multi-user.target.wants
pulseaudio.socket | sockets.target.wants
remote-fs.target | multi-user.target.wants
smb.service | multi-user.target.wants
sshd.service | multi-user.target.wants
systemd-resolved.service | sysinit.target.wants
systemd-timesyncd.service | sysinit.target.wants
tlp.service | multi-user.target.wants
xdg-user-dirs-update.service | default.target.wants
systemd-resolved & avahi often clash.
check https://wiki.archlinux.org/title/Avahi# … om_working to verify if that's the case for you.
Looks okay:
➜ ~ host -t SOA local
Host local not found: 3(NXDOMAIN)
➜ ~ host -t SOA localdomain
Host localdomain not found: 3(NXDOMAIN)
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
You have a lease and a route, and it looks ok, but the traffic gets intercepted.
Firewall?
Can you
dig @8.8.8.8 google.com
?
➜ ~ dig @8.8.8.8 google.com
; <<>> DiG 9.18.27 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55127
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 273 IN A 142.250.115.139
google.com. 273 IN A 142.250.115.113
google.com. 273 IN A 142.250.115.100
google.com. 273 IN A 142.250.115.102
google.com. 273 IN A 142.250.115.101
google.com. 273 IN A 142.250.115.138
;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sat May 18 15:52:03 CDT 2024
;; MSG SIZE rcvd: 135
Firewall let ICMP pass through (IP redacted):
WAN 2024-05-18T15:53:48-05:00 x.x.x.x 8.8.8.8 icmp let out anything from firewall host itself (force gw)
Yes, *out*. What about the echo?
dig, i.e. DNS, works; ping is most likely the firewall.
Edit: Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Last edited by seth (2024-05-18 21:15:24)
I don't see any ICMP traffic arriving in from 8.8.8.8 -- it's not even "blocked"
Temporarily disable the firewall, can you then ping 8.8.8.8 ?