-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resolved’s 127.0.0.53 breaks ‘dig +trace’ by refusing queries on root zone (.) with RD bit #5897
Comments
This is really by design. The DNS stub in resolved is not supposed to be a full DNS server. All it shall be able to do is reply to simply local lookups, i.e. RD lookups done by nss-dns or similar local implementations. resolved is not a DNS server, and it's not going to become one. Sorry! |
Will close this as duplicate of #4621, as both are minifestations of the same cause: resolved not being a DNS server, but a only a simply DNS lookup stub... (And I figure we should log about this fact whenever we receieve such a query, so that people are not surprised...) |
I need dig +trace print, but it does not work with resolved's 127.0.0.53. The only way I can achieve dig+trace is to kill 127.0.0.53 in /etc/resolv.conf, and replace it with real dns IP address. In that case, I cannot see the benefits of resolved’s 127.0.0.53. Could you please advise why we need this 127.0.0.53 in the first place? |
@lawipac The 127.0.0.53 is there mainly because Glibc has broken resolver (AFAIK). |
It's a real pain in daily business. Linux servers and clients are only showing "127.0.0.53" as DNS server. Therefore it's not possible to debug a DNS problem. I have tested it in (K)Ubuntu 17.10 and Ubuntu server 18.04. I can understand that resolved is not a DNS server, but that answer doesn't solve the problem at all. Is there any way to solve this behaviour so that newer releases of resolved will resolve the correct IP addresses of the DNS servers? |
This seems like a simple fix. When resolved is queried for the root NS with recursion disabled, just make the query to the real resolver without recursion and return the answer. That doesn't require a massive change in functionality, it just requires treating one query special so that backwards compatibility with popular diagnostic tools actually works as expected. RE: #5897 (comment) @poettering, if resolved can't fix the issue that breaks diagnostic tools, then maybe we need to remove the functionality entirely. This simple problem complicates maintenance, security, and stability issues. Breaking such important functionality without a replacement and without real gains is truly unacceptable to system admins. |
It seems that unbound shows the same "REFUSED" behavior with +norecurse/+trace. So this doesn't really seem to behave consistently among real DNS daemons. |
In my prod env I shall to disable systemd resolve and replace it with unbound or resolvconf because our staff need dig trace function... |
Wow, it's "by design" to break existing diagnostic tools and force them to manually change software components (or worse, try to direct others to remotely or over the phone) to be able to run those diagnostics? This hurts my head so badly. If resolved is incapable of handling the request, it would make sense to me at least for it to redirect, forward, or otherwise mitigate it so that the user gets an appropriate response, not just "derp I don't understand this query" with no useful information on how to get around it. |
What does that mean? |
FYI, I submitted a bug report on ISC BIND (which contains the |
A fix for this issue was just merged to ISC BIND Git Master: https://gitlab.isc.org/isc-projects/bind9/commit/8ddc54e20054e91e6e2dd32a4510a5eecc777548 |
This comment was marked as abuse.
This comment was marked as abuse.
This comment has been minimized.
This comment has been minimized.
It didn't work due to a bug in the ISC
|
This comment was marked as abuse.
This comment was marked as abuse.
Imagine being so small-minded and petty as to use GitHub as a platform for airing your personal grievances over a problem that's had a solution for five years already 😳 |
Submission type
systemd version the issue has been seen with
232-21ubuntu3
Used distribution
Ubuntu 17.10
In case of bug report: Expected behaviour you didn't see
The
dig +trace HOSTNAME
command begins by performing a query on the configured nameserver for the root zone NS records with the RD (recursion disabled) bit. This should return a list of nameservers:In case of bug report: Unexpected behaviour you saw
When the configured nameserver is systemd-resolved’s 127.0.0.53, systemd-resolved refuses this query.
Therefore,
dig +trace
does not work.In case of bug report: Steps to reproduce the problem
Run
dig +norecurse . NS
ordig +trace github.com
.The text was updated successfully, but these errors were encountered: