systemd-resolved can't resolve at all, need to add nameservers to resolv.conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
systemd (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I'm running Ubuntu 18.04 (upgraded from 17.10) on a machine with both ethernet and wifi interfaces. When I boot, my ethernet connection enp0s31f6 is brought up by Network Manager and given three nameserver addresses via DHCP, 10.1.13.10, 10.1.141.10, 10.1.13.36. Running nmcli shows the three nameservers under "DNS configuration". Running "systemd-resolve --status" shows them under a "Link 2 (enp0s31f6)" section. I can do a "ip route get to X" and ping each one successfully. No other connection is active.
testuser ☼ systemd-resolve --status
Global
DNS Domain: orgsdomain.net
DNSSEC NTA: 10.in-addr.arpa
Link 3 (wlp4s0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (enp0s31f6)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.1.13.10
DNS Domain: orgsdomain.net
However, when I actually try to resolve a name, even the name of one of the nameservers, dig claims that "connection timed out: no servers could be reached".
testuser ☼ dig dcpdc001.
; <<>> DiG 9.11.3-
;; global options: +cmd
;; connection timed out; no servers could be reached
Note that this name should resolve to 10.1.13.10, the first nameserver. The "+nocookie" option is there to work around an issue with Windows DNS servers. But other than that, the servers themselves work fine if I tell dig where to look:
testuser ☼ dig dcpdc001.
; <<>> DiG 9.11.3-
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61294
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dcpdc001.
;; ANSWER SECTION:
dcpdc001.
;; Query time: 2 msec
;; SERVER: 10.1.13.
;; WHEN: Fri Jul 20 10:56:27 AEST 2018
;; MSG SIZE rcvd: 65
I have configured resolvconf to use dynamic updates. /etc/resolv.conf points to /run/resolvconf
nameserver 127.0.0.53
search orgsdomain
If I add "nameserver 10.1.13.10" to this file manually, suddenly dig can resolve again (without the @...), and anything else that needs to resolve names can do so. Removing the nameserver breaks that again.
I don't know much about the servers. They're part of a Windows-based network, but since I can use them if I edit resolv.conf or give dig the address, I don't think they're the issue (except in the sense that maybe they require a feature that systemd-resolved doesn't support?).
I increased the logging level of systemd-resolved to "debug" and "journalctl -f -u systemd-resolved" shows this during a failed query:
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
Jul 20 10:33:23 heerij-ubuntu systemd-
This repeats dozens of times, trying the other nameservers too. Note that there is substantially less than a second between the "Processing query..." message and the "Timeout reached..." message. (There are also problems with the other servers not having port 53 open, so I also get "Using degraded feature set..." messages for them. But again, the first server seems to work fine with everything except systemd-resolved.)
Things I have tried:
* Enabling DNSSEC. It's supported, but doesn't fix the issue.
* Explicitly setting nameservers in Netplan's config. Is accepted, but doesn't change anything.
Sorry for the lack of the usual bug report attachments, but getting anything out of this machine and on to the internet is now a massive pain. Let me know what other debugging info might help and I'll try to add it.
Note also that upstream claim that "resolved is not supposed to be a DNS server"[1], so I'm a bit confused as to why Ubuntu is configured to pass every DNS query through it. Do I need to reconfigure something?
[1] https://github.com/systemd/systemd/issues/4621#issuecomment-260050033
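
A triage helper for the setup described in this report, added here as an example (it is not part of the original bug report or of systemd): it parses `systemd-resolve --status` output and resolv.conf text to show whether lookups go through the 127.0.0.53 stub, which nameservers bypass it, and which per-link upstream servers resolved has learned. The sample inputs are constructed, modelled on the output quoted above; showing the second DNS server as a bare continuation line is an assumption about the unflattened output format.

```python
import ipaddress
import re

STUB = "127.0.0.53"  # address of systemd-resolved's local stub listener
# Constructed samples modelled on the output quoted in the report.
STATUS = """Global
Link 3 (wlp4s0)
Current Scopes: none
Link 2 (enp0s31f6)
Current Scopes: DNS
DNS Servers: 10.1.13.10
10.1.141.10
DNS Domain: orgsdomain.net
"""
RESOLV_CONF = "nameserver 127.0.0.53\nsearch orgsdomain\n"

def _is_ip(s):
    try:
        ipaddress.ip_address(s.split("%")[0])  # drop any IPv6 zone id
        return True
    except ValueError:
        return False

def parse_status(text):  # section name -> its scopes and DNS servers
    links, cur, key = {}, {"scopes": [], "servers": []}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"Link \d+ \((\S+)\)", line)
        if m or line == "Global":
            cur = links.setdefault(m.group(1) if m else "Global", {"scopes": [], "servers": []})
            key = None
        elif _is_ip(line):  # continuation line of a multi-server list
            if key == "DNS Servers":
                cur["servers"].append(line)
        else:
            key, _, val = (p.strip() for p in line.partition(":"))
            if key == "DNS Servers" and _is_ip(val):
                cur["servers"].append(val)
            elif key == "Current Scopes" and val != "none":
                cur["scopes"] = val.split()
    return links

def parse_resolv_conf(text):  # nameserver addresses in file order
    rows = (l.split() for l in text.splitlines() if not l.lstrip().startswith(("#", ";")))
    return [f[1] for f in rows if len(f) >= 2 and f[0] == "nameserver"]

def resolver_path(resolv_text, status_text):
    listed = parse_resolv_conf(resolv_text)
    upstream = {n: s["servers"] for n, s in parse_status(status_text).items() if "DNS" in s["scopes"]}
    return {"via_stub": STUB in listed, "bypass": [s for s in listed if s != STUB], "upstream": upstream}
```

A non-empty `bypass` list means some lookups can reach an upstream server without passing through systemd-resolved, as with the manual resolv.conf edit described in the report.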