systemd-resolved is not finding a domain
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
systemd (Ubuntu) | Fix Released | High | Unassigned | |
Xenial | Triaged | High | Unassigned | |
Zesty | Won't Fix | Undecided | Unassigned | |
Artful | Won't Fix | High | Unassigned | |
Bionic | Fix Released | High | Unassigned | |
Bug Description
[Impact]
* Certain WiFi captive portals do not support EDNS0 queries, as per RFC.
* Instead of responding with the captive portal IP address, they respond with domain not found
* This prevents the user from hitting the captive portal login page, authenticating, and gaining access to the internets.
[The Fix]
* As per tcp dumps, the problem arises from receiving NXDOMAIN when queried with EDNS0
* And receiving the right response without EDNS0
* The solution was to downgrade transactions, and retry EDNS0 + NXDOMAIN result without EDNS0 with a hope of getting the right answer.
[Test Case]
* systemd-resolve securelogin.
* journalctl -b -u systemd-resolve | grep DVE-2018
You should observe a warning message that the transaction was retried with a reduced feature level, e.g. UDP or TCP.
After this test case is performed the result will be cached, therefore to revert to pristine state perform
* systemd-resolve --flush-caches
[Regression Potential]
* The code retries, and then caches, NXDOMAIN results for certain queries (those that have 'secure' in them) with and without EDNS0.
* Thus initial query for these domains may take longer, but hopefully will manage to receive the correct response.
* Manufacturers are encouraged to correctly support EDNS0 queries, with flag D0 set to zero.
[Other Info]
* This issue is tracked as a dns-violation at
https:/
[Original Bug report]
I have an odd network situation that I have so far managed to narrow down to the inability to resolve a domain via systemd-resolved which is resolvable with nslookup. If I use nslookup against the two nameservers on this network I get answers for the domain, but ping says it is unable to resolve the same domain (as do browsers and crucially the captive portal mechanism).
Here are details:
NSLOOKUP:
~$ nslookup securelogin.
Server: 208.67.220.220
Address: 208.67.220.220#53
Non-authoritative answer:
Name: securelogin.
Address: 172.22.240.242
~$ nslookup securelogin.
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: securelogin.
Address: 172.22.240.242
PING:
~$ ping securelogin.
ping: securelogin.
mark@mark-X1Y2:~$
DIG:
~$ dig @208.67.222.222 securelogin.
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @208.67.222.222 securelogin.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9416
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;securelogin.
;; AUTHORITY SECTION:
arubanetworks.com. 1991 IN SOA dns5.arubanetwo
;; Query time: 34 msec
;; SERVER: 208.67.
;; WHEN: Wed Oct 25 10:31:10 CEST 2017
;; MSG SIZE rcvd: 144
MORE DIG:
~$ dig securelogin.
; <<>> DiG 9.10.3-P4-Ubuntu <<>> securelogin.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3924
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;securelogin.
;; Query time: 0 msec
;; SERVER: 127.0.0.
;; WHEN: Wed Oct 25 10:34:01 CEST 2017
;; MSG SIZE rcvd: 58
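The behaviour described under [The Fix], as an added example that is not part of the bug report or of systemd's code: the same A query is built with and without an EDNS0 OPT record and the two response codes are compared. The name portal.example, the address 192.0.2.1 and the simulated_resolver function are constructed stand-ins so the check runs offline.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
OPT = 41      # EDNS0 pseudo-record type
OPT_LEN = 11  # root name (1) + type (2) + class (2) + ttl (4) + rdlen (2)

def build_query(name, qid, edns, udp_size=4096):
    """A/IN query in DNS wire format; edns=True appends an OPT record with DO=0."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, int(edns))  # RD set
    msg = header + qname + struct.pack("!2H", 1, 1)
    if edns:  # CLASS carries the UDP payload size, TTL=0 means version 0 and DO=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return msg

def query_has_opt(query):
    """True if a query built by build_query() ends with an OPT record."""
    arcount = struct.unpack("!H", query[10:12])[0]
    return arcount == 1 and query[-OPT_LEN:-OPT_LEN + 3] == b"\x00\x00\x29"

def simulated_resolver(query, edns_breaks=True):
    """Constructed stand-in for the reported resolver: NXDOMAIN when EDNS0 is present."""
    qid = struct.unpack("!H", query[:2])[0]
    opt = query_has_opt(query)
    question = query[12:-OPT_LEN] if opt else query[12:]
    if opt and edns_breaks:
        return struct.pack("!6H", qid, 0x8183, 1, 0, 0, 0) + question
    # Compressed pointer to the question name, A/IN, TTL 60, constructed address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", qid, 0x8180, 1, 1, 0, 0) + question + answer

def rcode_and_answers(resp):
    _, flags, _, ancount, _, _ = struct.unpack("!6H", resp[:12])
    return flags & 0xF, ancount

def probe(name, resolver):
    """Query once with EDNS0 and once without, then compare the outcomes."""
    e_rcode, _ = rcode_and_answers(resolver(build_query(name, 0x1001, edns=True)))
    p_rcode, p_answers = rcode_and_answers(resolver(build_query(name, 0x1002, edns=False)))
    if e_rcode == NXDOMAIN and p_rcode == NOERROR and p_answers > 0:
        return "nxdomain-only-with-edns0"
    return "consistent" if e_rcode == p_rcode else "mismatch"

if __name__ == "__main__":
    print(probe("portal.example", simulated_resolver))
```

Passing a callable that sends the query bytes over a UDP socket in place of simulated_resolver runs the same comparison against a real nameserver.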
Changed in systemd (Ubuntu): | |
status: | Incomplete → New |
status: | New → Confirmed |
Changed in systemd (Ubuntu Bionic): | |
status: | Triaged → Fix Committed |
assignee: | Mathieu Trudel-Lapierre (cyphermox) → Dimitri John Ledkov (xnox) |
Changed in systemd (Ubuntu Artful): | |
assignee: | Mathieu Trudel-Lapierre (cyphermox) → nobody |
description: | updated |
Changed in systemd (Ubuntu Bionic): | |
assignee: | Dimitri John Ledkov (xnox) → Tony (toekneemi) |
Changed in systemd (Ubuntu Bionic): | |
assignee: | Tony (toekneemi) → nobody |
Changed in systemd (Ubuntu Artful): | |
status: | Triaged → Won't Fix |
What is the release / package version in use of systemd?
How is the networking configured: netplan, ifupdown, networkd, networkmanager?
What are the contents of /etc/resolv.conf?
Where does the symlink of /etc/resolv.conf point to? (if it is a symlink)
What are the contents of /etc/systemd/resolved.conf?
Is libnss-resolve package installed?
What is the output of $ systemd-resolve --status ?
(if --status option is available)
Is this a captive portal hostage situation with Ubuntu failing to get to the captive portal to enable internet?