Ubuntu – 18.04 server – systemd-resolve returns cached cname NODATA for A lookup

dnsnetworkingserversystemd-resolved

Summary: DNS A record lookups fail to resolve due to cached CNAME NODATA lookups.

Details: Mail log reports errors with DNS lookups:

 Host or domain name not found. Name service error for name=google.com type=A: Host found but no data record of requested type

After enabling resolve debugging, I see that dns lookups first query the CNAME record for the domain. This is often the root domain which has no CNAME and the lookup correctly returns NODATA.

However, when subsequent A lookups are performed, the NODATA result for the CNAME lookup is returned from the cache instead of doing an A lookup.

I can recreate this consistently by issuing the following commands:

~$ dig google.com CNAME
~$ dig google.com A

Here are the results from the debug log:

Aug 08 11:09:04 leopard systemd-resolved[555]: Transaction 17304 for <domain.com IN CNAME> scope dns on eth0/*.
Aug 08 11:09:04 leopard systemd-resolved[555]: Using feature level UDP+EDNS0 for transaction 17304.
Aug 08 11:09:04 leopard systemd-resolved[555]: Using DNS server 8.8.8.8 for transaction 17304.
Aug 08 11:09:04 leopard systemd-resolved[555]: Sending query packet with id 17304.
Aug 08 11:09:04 leopard systemd-resolved[555]: Processing query...
Aug 08 11:09:04 leopard systemd-resolved[555]: Processing incoming packet on transaction 17304. (rcode=SUCCESS)
Aug 08 11:09:04 leopard systemd-resolved[555]: Added NODATA cache entry for google.com IN CNAME 1799s
Aug 08 11:09:04 leopard systemd-resolved[555]: Transaction 17304 for <google.com IN CNAME> on scope dns on eth0/* now complete with <success> from network (unsigned).
Aug 08 11:09:04 leopard systemd-resolved[555]: Sending response packet with id 22860 on interface 1/AF_INET.
Aug 08 11:09:04 leopard systemd-resolved[555]: Freeing transaction 17304.

Results of the A record look-up:

Aug 08 11:09:37 leopard systemd-resolved[555]: Processing query...
Aug 08 11:09:51 leopard systemd-resolved[555]: Got DNS stub UDP query packet for id 3119
Aug 08 11:09:51 leopard systemd-resolved[555]: Looking up RR for google.com IN A.
Aug 08 11:09:51 leopard systemd-resolved[555]: NODATA cache hit for google.com IN A
Aug 08 11:09:51 leopard systemd-resolved[555]: Transaction 45189 for <google.com IN A> on scope dns on eth0/* now complete with <success> from cache (unsigned).
Aug 08 11:09:51 leopard systemd-resolved[555]: Freeing transaction 45189.
Aug 08 11:09:51 leopard systemd-resolved[555]: Sending response packet with id 3119 on interface 1/AF_INET.

Further Info: the server is running a LEMP stack. It appears that nginx does a DNS lookup before every request, and it starts with a CNAME lookup, then A lookup, then AAAA lookup. This causes the CNAME NODATA to be cached. Subsequently, when the mail server tries to send mail, it gets the cached NODATA record from resolve, leading to the error above.

Questions: is this expected behavoir (CNAME returned for A lookup)? Is there some configuration I can change to prevent the cached CNAME look-ups being returned for the A look-ups?

Diagnostic info:

~$ ip route
default via 85.159.215.1 dev eth0 proto static 
85.159.215.0/24 dev eth0 proto kernel scope link src 85.159.215.159 


~$ sudo systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (eth0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 8.8.8.8
                      8.8.4.4


~$ cat /etc/resolv.conf
nameserver 127.0.0.53

Best Answer

This seems like a real problem on the version of systemd Ubuntu 18.04 is using at this moment. https://github.com/systemd/systemd/issues/9833 and also on launchpad https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1818527

Not sure if Ubuntu will upgrade systemd version though.

Related Solutions

List DNS Server Order in systemd-resolve

It is stupid, but you can't!

systemd-resolved follows internal rules to choose the "correct" DNS. This might be different for each query. It uses things like if a server worked or failed in the past, interface order and even what domains allocated to each interface. It's difficult to manage with some VPN setups.

The best you can do is check the /run/systemd/resolve/resolv.conf file. That is the resolv.conf file generated by systemd-resolved.

Ubuntu – DNS Problem in Ubuntu 19.04

From the comments...

The symlink for /etc/resolv.conf was set to /run/systemd/resolve/stub-resolv.conf which contains options edns0. Some networks don't respond to this DNS extension, and DNS resolution breaks.

We reset the symlink with:

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

This would have probably also worked:

sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf

Postnote:

One problem you may also have is with the MTU setting for your DSL connection.

There's a MTU setting in Ubuntu's network configuration, and a WAN MTU setting in your router.

For DSL, a common MTU setting is 1492. Just go ahead and try this value first and see if your web sites are now accessible.

To determine the correct setting, start with all MTU settings = 1500 and VPN = off. (VPN requires different testing).

In terminal:

ping [-c count] [-M do] [-s packet_size] [host]

The options used are:

c count: number of times to ping
M hint: Select Path MTU Discovery strategy. may be either do (prohibit fragmentation, even local one), want (do PMTU discovery, fragment locally when packet size is large), or dont (do not set DF flag).
s packet_size: Specifies the number of data bytes to be sent.

You should always start at 1472 and work your way down by 10 each time. Once you get a reply, go up by 1 until you get a fragmented packet. Take that value (last good value) and add 28 to the value to account for the various TCP/IP headers. Eg. let's say that 1452 was the proper packet size (where you first got an ICMP reply to your ping). The actual MTU size would be 1480, which is the optimum for the network we're working with.

ping -c 4 -M do -s 1472 8.8.8.8 # this will probably show fragmentation

ping -c 4 -M do -s 1462 8.8.8.8 # may show fragmentation

ping -c 4 -M do -s 1452 8.8.8.8 # no fragmentation?

ping -c 4 -M do -s 1453 8.8.8.8 # still no fragmentation?

reference: How to determine the proper MTU size with ICMP pings

Best Answer

Related Solutions

List DNS Server Order in systemd-resolve

Ubuntu – DNS Problem in Ubuntu 19.04

Related Question