Systemd-Resolved – Why Doesn’t It Use My Local DNS Server?

binddigdnssystemd-resolvedUbuntu

I'm using a local BIND9 server to host some local dns records. When trying to dig for a local domain name I can't find it if I don't explicitly tell dig to use my local BIND9 server.

user@heimdal:~$ dig +short heimdal.lan.se
user@heimdal:~$ dig +short @192.168.1.7 heimdal.lan.se
192.168.1.2

Ubuntu 17.04 and systemd-resolved are used. This is the content of my /etc/resolved

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

And the output from systemd-resolve –status

Global
         DNS Servers: 192.168.1.7
                      192.168.1.1
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

The DNS Servers section does seem to have rightfully configured 192.168.1.7 as the main DNS server (my local BIND9 instance). I can't understand why it's not used … ?

Best Answer

So, changing my wired eth0 interface to be managed solved this issue for me.

Changing ifupdown to managed=true in /etc/NetworkManager/NetworkManager.conf

[ifupdown]
managed=true

Then restart NetworkManager

sudo systemctl restart NetworkManager

After this it works flawlessly..

This was not 100%. I also applied theses changes to try and kill resolver

sudo service resolvconf disable-updates
sudo update-rc.d resolvconf disable
sudo service resolvconf stop

Big thanks to this blog post regarding the subject: https://ohthehugemanatee.org/blog/2018/01/25/my-war-on-systemd-resolved/

Lets pray this works.. This whole systemd-resolve business is just so ugly.

Confusing names that people often get wrong.

In the terminology of RFC 1034, there are "resolvers" and there are "name servers". "resolver" describes the entire subsystem that user programs use to access "name servers", without regard to any particular architecture. It's the subsystem that queries one or more "name servers" for the data that they publish and pieces together from those data a final answer for the querying application, in the manner described in RFC 1034 § 5.3.3. A "resolver" is the overall subsystem that does query resolution.

The RFC theoretically allows, because it isn't intended to be Unix-centric, systems where all of the query resolution mechanism is potentially in some form of shared subsystem that runs inside each individual applications program.

In RFC 1034 terminology, a "stub resolver" is what is generally employed in the Unix and Linux world: a fairly dumb DNS client library running in the application processes, talking the same DNS/UDP and DNS/TCP protocols to an external program running as another process, that actually does the grunt work of query resolution by making back-end transactions and building up the front-end response from them.

"resolver" is such a confusing term, and so often used contrary to the RFCs, that years ago I took to explaining the DNS to people using terminology borrowed from HTTP: proxy servers, content servers, and client libraries linked into applications.

The DNS client library in your applications is almost always going to be the BIND DNS client library from ISC. Most C libraries on Unix and Linux systems incorporate the BIND DNS client library. Several other DNS client libraries exist, though, and a minority of applications use them instead.
The DNS client library does name qualification and finds out what DNS proxy server(s) to talk to, in the manners described in further reading.
The initial DNS proxy server is, in this particular setup, systemd-resolved listening on 127.0.0.53.
Other Unix and Linux softwares that perform this rôle include Daniel J. Bernstein's dnscache, unbound, dnsmasq, the PowerDNS Recursor, the MaraDNS Recursor ("Deadwood"), and so forth.
I personally have a local instance of modified dnscache (that can inherit its listening sockets) on every machine listening on 127.0.0.1, which is also the default place that the BIND DNS client library expects a proxy DNS server to be, in the absence of explicit configuration.
systemd-resolved talks to other proxy DNS servers, which may well talk to yet further proxy servers, forwarding the query along a chain until the query reaches a resolving proxy server.
- By default, as the systemd people ship things and unless the person who built the binary package or the local system administrator changes it, the resolving proxy DNS server will be a server run by Google as part of Google Public DNS, and there will be a chain of forwarding proxy DNS servers of length 1.
- If the system administrator has configured systemd-resolved to use other proxy DNS servers instead of Google's, the chain will be longer. Examples of such configuration include (in a rough best-to-worst order) using a local resolving proxy DNS server on the LAN, using a proxy DNS server that is running in a router/gateway at the edge of the LAN, or using a third-party proxy DNS server that is out on Internet at large.
The resolving proxy DNS server at the far end of the chain does the grunt work of query resolution, querying content DNS servers around the world as needed for data which it stitches together to form the final answer, which is then returned back along the chain of proxy DNS servers, including systemd-resolved at the near end of that chain, to the DNS client library in the applications.

In RFC 1034 terms, for contrast, the "resolver" here is in fact a huge black box encompassing the BIND DNS Client library, systemd-resolved, and Google Public DNS, because it is defined by the RFC as having "user programs" on one side and content DNS servers (providing referrals and database information "directly") on the other. People often will mis-use the term, sometimes because they misunderstand the RFC 1034 architecture-neutral concept of a "resolver" to be the same as one single Unix or Linux server program, which it is not. HTTP terminology does not have the huge black box.

Jonathan de Boyne Pollard (2000). "content" and "proxy" DNS servers. Frequently Given Answers.
Jonathan de Boyne Pollard (2004). What DNS query resolution is . Frequently Given Answers.
Jonathan de Boyne Pollard (2017). What DNS name qualification is. Frequently Given Answers.
Jonathan de Boyne Pollard (2003). Whence one obtains proxy DNS service. Frequently Given Answers.
Jonathan de Boyne Pollard (2018). "The dnscache, tinydns, and axfrdns services". nosh Guide. Softwares.
https://unix.stackexchange.com/a/449092/5132

DNSSEC – Going All-In on DNS Security Extensions

If both dnscrypt-proxy and systemd-resolved are using 127.0.0.1:53, this should not be the case. You need to disable systemd-resolved as recommended by dnscrypt-proxy wiki, and also lock /etc/resolv.conf for possible changes made by your Network Manager. So, here are the steps:

Disable systemd-resolved:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

Check if there is anything else using the same address:port pair as dnscrypt-proxy: sudo ss -lp 'sport = :domain'. If there are, disable them.
If dnscrypt-proxy is listening on 127.0.0.1:53 and resolv.conf has nameserver 127.0.0.1, add options edns0(required to enable DNS Security Extensions) below the nameserver entry in resolv.conf so that it looks like:

nameserver 127.0.0.1
options edns0

Lock /etc/resolv.conf file for changes: sudo chattr +i /etc/resolv.conf.
You might want to restart dnscrypt-proxy.

Overall, the point is to make sure that:

Only dnscrypt-proxy is using 127.0.0.1:53
resolv.conf has the same address used by dnscrypt-proxy
resolv.conf is protected from changes made by other software such as your Network Manager.

Also, just because the dnsleak test shows Google IPs does not mean that the dns resolver service is operated by Google. It could be that the servers are owned by Google but operated by another entity. If you dont' want it, you can choose a different resolver from dnscrypt-proxy public resolvers list. Make sure that dnssec support is present for the selected resolver. I personally use dnscrypt.eu resolvers, which are no-log, no-filter, non-google and dnssec-enabled.

References:

Best Answer

Related Solutions

What are DNS server, resolver and stub resolver

Confusing names that people often get wrong.

Further reading

DNSSEC – Going All-In on DNS Security Extensions

Related Question