
[SOLVED] The return of the systemd-resolved DEMON


Post by NameNotQuality » Sat Aug 24, 2024 9:51 pm

Edit: Answer is in 3rd and 5th replies.

Hello! After first installing Gentoo the DNS wasn't working fluently and I often needed to try a few times before I could actually get connected to a domain. Later I forgot about the issue because it slowly disappeared and it was possible earlier to live with a slower connection. However, the problem randomly returned 3 days ago, several weeks after my first update and 2-3 months after first Gentoo install. However, this time the issue is worse.

After a boot 3 days ago, I was able to access domains I commonly used the previous day after a few tries, however other domains were basically inaccessible. After a bit of searching, I edited /etc/systemd/resolv.conf to remove the fallback DNSs (somehow the default ones were going to the worst companies, e.g. google more like snoople) and select the DNS to be my local ip got from 'ip a' where it says it after 'inet'. It seemingly worked while using my flatpaked librewolf browser, however other apps don't at all. I also tried symlinking /etc/resolv.conf to /run/systemd/resolve/resolv.conf and resolv-stub.conf (now it is symlinked to the latter) however nothing seemingly changed. Right now I'm at this state of only my browser working and other apps not. Edit: never mind, now after computer sleeping trying to resolve got slower and browser now starts to fail:

Code:

Aug 24 21:36:33 FastPenguinHacker systemd-resolved[11732]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 21:36:24 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question www.codeberg.org IN A: no-signature
Aug 24 21:36:24 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question www.codeberg.org IN AAAA: no-signature
Aug 24 21:36:24 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question codeberg.org IN DS: no-signature
Aug 24 21:36:24 FastPenguinHacker systemd-resolved[11732]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 21:36:21 FastPenguinHacker systemd-resolved[11732]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 21:36:17 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question www.codeberg.org IN A: no-signature
Aug 24 21:36:17 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question www.codeberg.org IN AAAA: no-signature
Aug 24 21:36:12 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question codeberg.org IN AAAA: no-signature
Aug 24 21:36:12 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question codeberg.org IN A: no-signature
Aug 24 21:36:12 FastPenguinHacker systemd-resolved[11732]: [] DNSSEC validation failed for question codeberg.org IN DS: no-signature

My configs:
/etc/resolv.conf is a symbolic link to /run/systemd/resolve/stub-resolv.conf:

Code:

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

/run/systemd/resolve/resolv.conf:

Code:

# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver (local ip)
nameserver (local ip has 3 chars at end normally, this one has 1 only = local ip1)
search .

/etc/systemd/resolv.conf:

Code:

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=(local ip)
FallbackDNS=
#Domains=
#DNSSEC=allow-downgrade
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0

Sometimes systemd-resolved decided to work for a short time.
The logs look like this during it:

Code:

Aug 24 15:33:57 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:33:56 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:33:56 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:33:55 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:33:54 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:33:54 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:33:53 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:33:53 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:33:46 FastPenguinHacker wpa_supplicant[581]: dbus: fill_dict_with_properties dbus_interface=fi.w1.wpa_supplicant1.BSS dbus_property=RSN getter failed
Aug 24 15:33:46 FastPenguinHacker wpa_supplicant[581]: dbus: Failed to construct signal
Aug 24 15:33:46 FastPenguinHacker wpa_supplicant[581]: dbus: wpa_dbus_get_object_properties: failed to get object properties: (org.freedesktop.DBus.Error.Failed) failed to parse RSN IE
Aug 24 15:33:46 FastPenguinHacker wpa_supplicant[581]: dbus: fill_dict_with_properties dbus_interface=fi.w1.wpa_supplicant1.BSS dbus_property=RSN getter failed
Aug 24 15:33:01 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:33:01 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:32:59 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:32:59 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)

Not sure if wpa_supplicant is actually related to it.

Else:

Code:

Aug 24 15:19:26 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN AAAA: no-signature
Aug 24 15:19:26 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN DS: no-signature
Aug 24 15:19:26 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question libera.chat IN DNSKEY: no-signature
Aug 24 15:19:26 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:19:26 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:19:25 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN A: no-signature
Aug 24 15:19:25 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN AAAA: no-signature
Aug 24 15:19:25 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN DS: no-signature
Aug 24 15:19:25 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question libera.chat IN DNSKEY: no-signature
Aug 24 15:19:24 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN AAAA: no-signature
Aug 24 15:19:24 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN A: no-signature
Aug 24 15:19:24 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN DS: no-signature
Aug 24 15:19:24 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question libera.chat IN DNSKEY: no-signature
Aug 24 15:19:24 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:19:24 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)
Aug 24 15:18:58 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN A: no-signature
Aug 24 15:18:58 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN AAAA: no-signature
Aug 24 15:18:58 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN DS: no-signature
Aug 24 15:18:58 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question libera.chat IN DNSKEY: no-signature
Aug 24 15:18:57 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN A: no-signature
Aug 24 15:18:57 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN AAAA: no-signature
Aug 24 15:18:57 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question irc.libera.chat IN DS: no-signature
Aug 24 15:18:57 FastPenguinHacker systemd-resolved[6481]: [] DNSSEC validation failed for question libera.chat IN DNSKEY: no-signature
Aug 24 15:18:57 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set UDP instead of TCP for DNS server (local ip)
Aug 24 15:18:57 FastPenguinHacker systemd-resolved[6481]: Using degraded feature set TCP instead of UDP for DNS server (local ip)

resolvectl status:

Code:

nnq@FastPenguinHacker ~ % resolvectl status
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
  resolv.conf mode: stub
Current DNS Server: (local ip)
       DNS Servers: (local ip)

Link 2 (wlp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: (local ip1)
       DNS Servers:(local ip1)

Note: (local ip) was shown after "inet" under the 2nd link in the output of 'ip a' command, while (public ip1) was not. The 127.0.0.53 is also similar to the 127.0.0.1/8 of the loopback shown by 'ip a'

My network setup: Network Manager, which should be configured correctly, I don't remember installing another DNS resolver so none should be conflicting with systemd-resolved.
Also, I can switch from resolved to another DNS resolver if there is no good fix or systemd-resolved is unreliable in general.
Lastly, I can provide more info when needed.

Thank you!
Last edited by NameNotQuality on Sun Aug 25, 2024 5:59 pm, edited 1 time in total.

Post by sMueggli » Sun Aug 25, 2024 8:39 am

Can you please comment out all lines in /etc/systemd/resolved.conf and restart either the system or at least the service? Without any custom settings it should use some default values.

Post by NameNotQuality » Sun Aug 25, 2024 10:00 am

Alright, I did comment out everything except the fallback DNS because it working but using a spyware fallback DNS would not be desirable:

Code:

nnq@FastPenguinHacker ~ % resolvectl status
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub

Link 2 (wlp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: (local ip1)
       DNS Servers: (local ip1)

It seems like it took some effect. Now, I'm not at the state of the tries taking longer like after the computer sleep I described earlier anymore. However the browser doesn't work with some domains.
Edit: I also just tried with the default fallback DNSs but it didn't say in the logs that it fell back. Also, the messages for downgrading the connection for the local ip have disappeared.

Post by pietinger » Sun Aug 25, 2024 3:52 pm

NameNotQuality wrote:[...] However the browser doesn't work with some domains. [...]
What happens if you use this Swiss DNS resolver (systemd wants DoT)?
https://github.com/DigitaleGesellschaft/DNS-Resolver
=>
dns.digitale-gesellschaft.ch
https://wiki.gentoo.org/wiki/User:Pietinger --> https://wiki.gentoo.org/wiki/User:Pieti ... _at_Gentoo

Post by sMueggli » Sun Aug 25, 2024 4:42 pm

Where is this

Code:

(local ip1)

coming from?

Post by NameNotQuality » Sun Aug 25, 2024 5:56 pm

Actually, right I was thinking of switching to another DNS while you were responding instead of relying on my ISP so e.g. I can have DoT on, pietinger

I just tried out quad9 because I'm not sure how to configure Digitale Gesellschaft (their website doesn't even have an English version and the dns url on their git didn't work) and found out they're actually a privacy respecting non-profit. I also turned on DoT of course.

Code:

DNS=9.9.9.9
DNSOverTLS=yes

After restarting the service, I think it works! I can access any domain now, and there's nothing printed by resolved. Thank you!


sMueggli, I didn't want to expose my local IPs because I wasn't sure if it was a good idea, so I masked them as variables. Local ip1 was explained in the 3rd code block of my 1st message. However, I also thank you for trying to help!


I will report any more problems here if they appear. However, I think there should be none, as now, once again, I can access any domain.

Code:

 % resolvectl status
Global
         Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9

Link 2 (wlp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: (local ip1)
       DNS Servers: (local ip1)

Post by pietinger » Sun Aug 25, 2024 7:36 pm

NameNotQuality wrote:[...] I'm not sure how to configure Digitale gesellschaft (their website doesn't even have an english version and the dns url on their git didn't work) and found out they're actually a privacy respecting non-profit. I also turned on DoT of course.
I am sorry, I know only this German privacy handbook ... but here are only trustworthy (no logging - no censorship) organisations listed:
https://www.privacy-handbuch.de/handbuch_93d.htm
(scroll down a little)

P.S.: Maybe also interesting:
https://www.grc.com/dns/dns.htm
https://wiki.gentoo.org/wiki/User:Pietinger --> https://wiki.gentoo.org/wiki/User:Pieti ... _at_Gentoo

Post by NameNotQuality » Sun Aug 25, 2024 8:39 pm

Right I could use a different DNS provider though since I'm kind of new to quad9 and am not sure if they're completely trustworthy.

I can try out other providers, e.g. the page lists Mullvad, I think I heard of it. I just realised my browser has a translate function (librewolf), so I can read that page.

Post by NameNotQuality » Tue Aug 27, 2024 11:16 am

Never mind, for some reason actually nothing in the German handbook works (ping takes forever and nothing is printed in the logs) except adguard DNS, which I think is hosted in Russia and I do not trust. I even tried an ipv6 address instead of ipv4. I don't think I wanna use quad9 because I just found out they have a separate privacy policy where they collect your ip address when they declare you are attacking them, which they could assume anytime https://www.quad9.net/privacy/anomalous-conditions/.

My /etc/systemd/resolve.conf

Code:

DNS=89.233.43.71
FallbackDNS=
DNSOverTLS=yes

I think I'll want to use UncensoredDNS. It already works with DoH in my browser https://unicast.uncensoreddns.org/dns-query. However, as I said, for some reason it doesn't work in resolved.
Edit: for some reason it doesn't work anymore when I set the uncensoredDNS ip in resolved. However when resolved works (e.g. with quad9) I can connect to domains in the browser, and a dns test site shows uncensoredDNS as my provider.

Edit: Never mind, it works now! It turns out I needed to do this:

Code:

DNS=89.233.43.71#unicast.uncensoreddns.org
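
Added example (not part of any post in this thread, and not systemd's own code): a Python check for the situation the last post ran into. Per resolved.conf(5), with DNSOverTLS=yes a DNS= entry without a #server_name suffix has its certificate checked against the server's IP address rather than a hostname; the function names and the two sample configs are constructed for illustration.

```python
import ipaddress

# Constructed samples mirroring the two states posted in the thread.
FAILING = "[Resolve]\nDNS=89.233.43.71\nFallbackDNS=\nDNSOverTLS=yes\n"
WORKING = ("[Resolve]\nDNS=89.233.43.71#unicast.uncensoreddns.org\n"
           "FallbackDNS=\nDNSOverTLS=yes\n")


def parse_resolve_section(text):
    """Return the [Resolve] settings; DNS= and FallbackDNS= become lists."""
    cfg = {"DNS": [], "FallbackDNS": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("DNS", "FallbackDNS"):
            # Repeated lines accumulate; an empty assignment clears the list.
            cfg[key] = cfg[key] + value.split() if value else []
        else:
            cfg[key] = value
    return cfg


def split_server(entry):
    """Split 'address[:port][%ifname][#server_name]' into (address, name)."""
    spec, _, name = entry.partition("#")
    spec = spec.split("%", 1)[0]          # drop the interface suffix
    if spec.startswith("["):              # [IPv6]:port
        addr = spec[1:spec.index("]")]
    elif spec.count(":") == 1:            # IPv4:port
        addr = spec.split(":", 1)[0]
    else:                                 # bare IPv4 or IPv6
        addr = spec
    ipaddress.ip_address(addr)            # ValueError on a malformed address
    return addr, name or None


def lint_dot(text):
    """List findings about how DNS-over-TLS will treat each configured server."""
    cfg = parse_resolve_section(text)
    mode = cfg.get("DNSOverTLS", "no").lower()
    findings = []
    if mode == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: falls back to plaintext "
                        "when TLS is unavailable")
    strict = mode in ("1", "yes", "y", "true", "t", "on")
    for key in ("DNS", "FallbackDNS"):
        for entry in cfg[key]:
            addr, name = split_server(entry)
            if strict and name is None:
                findings.append(f"{key}={entry}: no #server_name, "
                                f"certificate must match IP {addr}")
    return findings


if __name__ == "__main__":
    for label, sample in (("failing", FAILING), ("working", WORKING)):
        print(label, lint_dot(sample) or "ok")
```

A finding is a warning rather than a guaranteed failure: a server whose certificate also covers its IP address still validates without a name.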