[Bug 1850762] Re: stub-resolver no longer optional, systemd dns broken
ts
1850762 at bugs.launchpad.net
Thu Oct 31 13:26:59 UTC 2019
OK, I've just talked to the admins for quite some time and while I'm
sure that the previous workaround was fine I'm now not so sure how to
deal with the situation (or: why it worked).
Here we go:
Connecting to the wifi configures two wifi-internal DNS servers and one
internal search zone (say IPv4_1 and IPv4_2 and search cc.dd.edu)
correctly.
Connecting to the lan configures two LAN-internal DNS servers and one
internal search zone correctly (say IPv4_3 and search xx.dd.edu) - but
from the LAN the system is not allowed to send UDP DNS requests to
IPv4_1 nor IPv4_2 (nor direct UDP DNS requests to anything else than a
set of accepted local DNS servers, which is fine, of course).
Now, being connected to _both_ wifi and LAN and searching for a name
within the former zone (name1.cc.dd.edu) the system seems to attempt to
reach IPv4_1 (which would be fine to reach on the wifi but can't be
reached from LAN).
I don't know why circumventing systemd stub resolution solved the issue
before, but I guess what I would need is the ubuntu name resolution to
respect the configuration of the interface that is actually used to send
the DNS queries (hence: ignore the search zone cc.dd.edu, do not attempt
to send the request to the respective DNS server (configured for wifi)
through the interface which in this case is "wrong" (namely: LAN)).
Any static setting doesn't help, stuff works when I'm connected to wifi
or LAN, I just can't resolve names from the search zone configured
through wifi when also connected to the LAN (and interestingly enough I
cannot reach some of the services in the search zone cc.dd.edu from the
wifi, for security reasons - so I have to go through the LAN)...
Testing the hypothesis and manually disconnecting from the wifi does
solve the connection problem (but of course this is no solution to the
underlying issue).
Brief explanatory output:
$ resolvectl status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNS Domain: xx.dd.edu
                      cc.dd.edu
          DNSSEC NTA: 10.in-addr.arpa
--8<---
Link 5 (enx00249b4c7732)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: IPv4_3
         DNS Servers: IPv4_3 <- not allowed to be reached on UDP/53 through LAN
                      IPv4_4
          DNS Domain: ~.
                      xx.dd.edu
--8<---
Link 3 (wlp61s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: IPv4_1
         DNS Servers: IPv4_1
                      IPv4_2
          DNS Domain: ~.
                      cc.dd.edu
--8<---
Link 2 (enp0s31f6)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
(that last nic isn't configured nor connected)
$ dig name.cc.dd.edu
; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> name.cc.dd.edu
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig @IPv4_3 name.cc.dd.edu
; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> @IPv4_3 name.cc.dd.edu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6951
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 463b1ed1f09e7286207545c95dbad8797c7593d8a2de32d5 (good)
;; QUESTION SECTION:
;name.cc.dd.edu. IN A
;; ANSWER SECTION:
name.cc.dd.edu. 51243 IN A SOME_IP
;; Query time: 2 msec
;; SERVER: IPv4_3#53(IPv4_3)
;; WHEN: Thu Oct 31 13:50:01 CET 2019
;; MSG SIZE rcvd: 88
$ dig @IPv4_1 name.cc.dd.edu
; <<>> DiG 9.11.5-P4-5.1ubuntu2-Ubuntu <<>> @IPv4_1 name.cc.dd.edu
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Thanks
-- ts
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1850762
Title:
stub-resolver no longer optional, systemd dns broken
Status in systemd package in Ubuntu:
Incomplete
Bug description:
systemd name resolution is broken in professional setups.
https://askubuntu.com/a/974482 used to provide a solution, simply
ignore stub-resolution (which is broken) and fall back to the normal
name resolution as configured (e.g. through dhcp).
this solution does not seem to be available after upgrading to ubuntu
19.10 - there is no clean resolv.conf left.
please advise as to how systemd name resolution through its local
service can be disabled now (as it is broken).
Thanks
$ lsb_release -rd
Description: Ubuntu 19.10
Release: 19.10
$ apt-cache policy systemd
systemd:
Installed: 242-7ubuntu3
Candidate: 242-7ubuntu3
Version table:
*** 242-7ubuntu3 500
500 http://de.archive.ubuntu.com/ubuntu eoan/main amd64 Packages
100 /var/lib/dpkg/status
I expected my computer to resolve names (it used to do so after the
workaround for the systemd bug)
It does not resolve all names anymore (and the old workaround doesn't
work anymore).
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: systemd 242-7ubuntu3
ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1
Uname: Linux 5.3.0-19-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.1
Architecture: amd64
CurrentDesktop: MATE
Date: Thu Oct 31 10:02:05 2019
InstallationDate: Installed on 2019-04-10 (203 days ago)
InstallationMedia: Ubuntu-MATE 19.04 "Disco Dingo" - Alpha amd64 (20190326.1)
MachineType: LENOVO 20L8S29W00
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=fddb227e-dc5d-4f78-b605-443eeb5bf5c9 ro quiet splash vt.handoff=7
SourcePackage: systemd
UpgradeStatus: Upgraded to eoan on 2019-10-24 (6 days ago)
dmi.bios.date: 09/13/2018
dmi.bios.vendor: LENOVO
dmi.bios.version: N22ET49W (1.26 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20L8S29W00
dmi.board.vendor: LENOVO
dmi.board.version: SDK0R32862 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.modalias: dmi:bvnLENOVO:bvrN22ET49W(1.26):bd09/13/2018:svnLENOVO:pn20L8S29W00:pvrThinkPadT480s:rvnLENOVO:rn20L8S29W00:rvrSDK0R32862WIN:cvnLENOVO:ct10:cvrNone:
dmi.product.family: ThinkPad T480s
dmi.product.name: 20L8S29W00
dmi.product.sku: LENOVO_MT_20L8_BU_Think_FM_ThinkPad T480s
dmi.product.version: ThinkPad T480s
dmi.sys.vendor: LENOVO
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1850762/+subscriptions
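Added example, not part of the original message and not systemd code: a simplified Python model of the per-link routing that systemd-resolved(8) documents (the link whose search/routing domain is the longest suffix match gets the query; equal matches are queried in parallel), applied to the link configuration from the `resolvectl status` output above. The function names and the lookup name `host.xx.dd.edu` are assumptions made for illustration.

```python
# Simplified model of systemd-resolved's per-link query routing (assumption:
# longest-suffix match on search/routing domains, as documented in
# systemd-resolved(8)). Not systemd code.

# Constructed from the `resolvectl status` output in the message.
LINKS = {
    "enx00249b4c7732": {"dns": ["IPv4_3", "IPv4_4"], "domains": ["~.", "xx.dd.edu"]},
    "wlp61s0": {"dns": ["IPv4_1", "IPv4_2"], "domains": ["~.", "cc.dd.edu"]},
    "enp0s31f6": {"dns": [], "domains": []},  # Current Scopes: none
}

def labels(name):
    """Split a domain into lowercase labels; '~.' and '.' give an empty list."""
    name = name.lstrip("~").strip(".").lower()
    return name.split(".") if name else []

def match_depth(qname, domain):
    """Number of labels in `domain` if qname is at or below it, else -1."""
    q, d = labels(qname), labels(domain)
    if len(d) > len(q):
        return -1
    if d and q[-len(d):] != d:
        return -1
    return len(d)  # 0 for the catch-all routing domain '~.'

def route(qname, links=LINKS):
    """Return the links (sorted by name) whose domains match qname best."""
    best = {}
    for link, cfg in links.items():
        if not cfg["dns"]:
            continue  # a link without DNS servers has no DNS scope
        depth = max((match_depth(qname, d) for d in cfg["domains"]), default=-1)
        if depth >= 0:
            best[link] = depth
    if not best:
        return []
    top = max(best.values())
    return sorted(link for link, depth in best.items() if depth == top)

def servers(qname, links=LINKS):
    """DNS servers that would be asked for qname under this model."""
    return [s for link in route(qname, links) for s in links[link]["dns"]]

if __name__ == "__main__":
    for q in ("name.cc.dd.edu", "host.xx.dd.edu", "example.org"):
        print(q, "->", route(q), servers(q))
```

Under this model `name.cc.dd.edu` is sent only to the servers of `wlp61s0` (IPv4_1, IPv4_2), because `cc.dd.edu` on that link outranks the catch-all `~.` configured on both links.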