systemd resolved 127.0.0.53 stub is broken by default

[fermulator]

systemd version the issue has been seen with

10.3

ii  systemd                               237-3ubuntu10.3                   amd64        system and service manager

$ uname -a
Linux (snip) 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Used distribution

Ubuntu 18.04 server

Expected behaviour you didn't see

install Ubuntu 18.04, ping/nslookup a local hostname (which is a static DHCP entry on tomato router firmware), and it should resolve to local IPv4 address

Unexpected behaviour you saw

but it does not resolve on newer systems that default to systemd-resolve :(

BASIC TEST:

$ systemd-resolve fermmy-git
fermmy-git: resolve call failed: No appropriate name servers or networks for name found

Steps to reproduce the problem
0. baseline, Ubuntu 18.04 fresh install, greenfield; I am not interested in this stupid "netplan" crap for configuring static IP addresses ... so ...

1. revert system to ifdown (/etc/network/interfaces) w/ static IP for server

$ cat /etc/network/interfaces
(snip)

auto ens3 
iface ens3 inet static
        address 1.0.0.51
        netmask 255.255.255.0
        broadcast 1.0.0.255
        gateway 1.0.0.1
	dns-nameservers 1.0.0.1

2. nslookup/ping local host (via router DNS/gateway) doesn't work

$ ping fermmy-git
ping: fermmy-git: Temporary failure in name resolution

$ nslookup fermmy-git
Server:		127.0.0.53
Address:	127.0.0.53#53

** server can't find fermmy-git: SERVFAIL

$ systemd-resolve fermmy-git
fermmy-git: resolve call failed: No appropriate name servers or networks for name found

resolvconf

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

clearly, resolveconf is setup to utilize the systemd-resolve stub service...

$ systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (ens3)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 1.0.0.1

well it DOES have my router IP as the DNS server ... wtf

So then ...

** Workarounds **

$ cat /etc/resolv.conf
(snip)

nameserver 1.0.0.1        <--- ADD THIS
nameserver 127.0.0.53

Then tada:

$ ping fermmy-git
PING fermmy-git (1.0.0.54) 56(84) bytes of data.
64 bytes from fermmy-git (1.0.0.54): icmp_seq=1 ttl=64 time=0.873 ms
^C
--- fermmy-git ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.873/0.873/0.873/0.000 ms

$ nslookup fermmy-git
Server:		1.0.0.1
Address:	1.0.0.1#53

Name:	fermmy-git
Address: 1.0.0.54

Other notes:

• at some point in my debug I apt installed resolveconf btw to try to get basic local name resolution working .. (not sure if/when this is required - but it wasn't working before that)
• my older/existing server systems (Ubuntu 16.04 that still have resolveconf by default w/ static IP and force local router nameserver work fine ... ); existing desktop systems on DHCP also work fine; TLDR not my router/network problem

---

Why doesn't the systemd-resolve stub service work?
(if we're going to switch to systemd services galore by default for Linux systems everywhere, can we make sure they work? so frustrating!)

[fermulator]

Another workaround (suggested elsewhere on the Internet) is to symlink /etc/resolv.conf

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Again, stupid/unnecessary.

Would like to understand what's wrong with the systemd-resolve stub service

[fermulator]

I'm also annoyed by this comment:

https://superuser.com/questions/1317623/nslookup-failed-but-systemd-resolved-works

My point was that it doesn't boil down to gethostbyname(). The nslookup tool still uses resolv.conf but actually speaks DNS directly. And the systemd-resolve tool does not speak DNS at all, it speaks D-Bus. – grawity Apr 27 at 6:00

WHAT why doesn't systemd-resolve speak DNS? - ffs, talk to my gateway if the DNS is set to it! (I want my router/gateway to own all things DNS so that it can serve out local DNS records first, else supply whatever site-wide DNS settings it is configured for).

[floppym]

I'm also annoyed by this comment

The comment is factually accurate. I'm not sure why you are bringing it up on this issue.

[floppym]

I winder if there might be some bug in v237 that is preventing it from using the DNS server configured on your network interface. Can you try using the latest version?

[wosc]

I'm seeing the same issue with lxc containers, namely that systemd-resolved responds with "fail" to some (but not all) queries, even though the actual DNS server (that is proxied by systemd-resolved) responds successfully to all of them! I've run this on an Ubuntu 18.04 host, which resulted in systemd version 237-3ubuntu10.4

$ sudo lxc-create -n test-resolve1 -t ubuntu -- --release bionic --arch amd64
$ sudo lxc-create -n test-resolve2 -t ubuntu -- --release bionic --arch amd64
$ sudo lxc-start -n test-resolve1
$ sudo lxc-start -n test-resolve2
$ sudo lxc-attach -n test-resolve1

Now we're innside the lxc container:

$ systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 14 (eth0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.0.3.1

Note that it correctly lists the "proxied" DNS Server (I don't know what the correct term in systemd lingo is, sorry) runs on the lxc host. And "general" queries do work just fine using systemd-resolved. But queries about other lxc containers, that the "real" DNS server does answer properly, fail in systemd-resolved:

$ sudo apt install dnsutils

$ dig google.de
google.de.		297	IN	A	172.217.18.3
;; SERVER: 127.0.0.53#53(127.0.0.53)

$ dig test-resolve2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36848
;; SERVER: 127.0.0.53#53(127.0.0.53)

$ dig test-resolve2 @10.0.3.1
test-resolve2. 0	IN	A	10.0.3.55
;; SERVER: 10.0.3.1#53(10.0.3.1)

(I'll use this workaround to not use the stub-resolver inside the containers, for the time being.)

[BryanQuigley]

Also for testing purposes made workingtest.irongiantdesign.com which works fine as it has just 25 A records.

[fermulator]

This original report was submitted after upgrading a headless server to Ubuntu 18.04 and and having it auto-switch from resolvconf to systemd-resolve.

My main rig was upgraded to 18.04 and also suffers nearly the exact same.

Sharing the same set of sequences:

fermulator@fermmy:~$ ping fermmy-git
ping: fermmy-git: Name or service not known

fermulator@fermmy:~$ nslookup fermmy-git
Server:		127.0.0.53
Address:	127.0.0.53#53

** server can't find fermmy-git: SERVFAIL

fermulator@fermmy:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

fermulator@fermmy:~$ systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 7 (docker0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

(snip)

Link 2 (eth0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 1.0.0.1

As before, clearly, my router still knows about this.

fermulator@fermmy:~$ nslookup fermmy-git 1.0.0.1
Server:		1.0.0.1
Address:	1.0.0.1#53

Name:	fermmy-git
Address: 1.0.0.54

As much time has passed, here are the versions (I'm running latest as of this week roughly).

rc  libnss-resolve:amd64                                             234-2ubuntu12.1                                     amd64        nss module to resolve names via systemd-resolved
ii  systemd                                                          237-3ubuntu10.31                                    amd64        system and service manager
rc  systemd-services                                                 204-5ubuntu20.19                                    amd64        systemd runtime services

$ uname -a
Linux fermmy 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/issue
Ubuntu 18.04.3 LTS \n \l

[fermulator]

As far as I see it, this all boils down to a bad design choice that breaks backwards compatibility in #2514

[fermulator]

I'm going to close this, as I have summarized my issue into #13763.