systemd-resolved (237) incorrect configuration after dhcp

[upuv]

Submission type

• Bug report

systemd 234 & 237

Used distribution

ubuntu server 17.10 BUG
ubuntu server 18.04 BUG
ubuntu server 16.04 SUCCESS ( Used to validate it was a local host bug. )

In case of bug report: Unexpected behaviour you saw

When trying to resolve names in the local dns that are cnames a failure occurs. In that nothing is resolved. Even though most operating systems can resolve it just fin

In case of bug report: Steps to reproduce the problem

• On a network with DHCP
• On a network where local DNS has cnames in the database. ( dnsmasq or bind )
• DHCP sets domain for client
• DHCP sets DNS for client
• example names in pseudocode.
  a record a.local = 192.128.0.20
  cname c.local => a.local
• In 3 VM's install distributions 18.04 17.10 16.04 all server variants. Ensure networking is bridged
• from each console perform the following commands. ( Alter names as appropriate for your network )
  dig a.local
  dig c.local

From the output it's clear that 17.10 and 18.04 resolve incorrectly for c.local.

It should be noted that windows, android, IOS, my TV all resolve correctly. Only the ubuntu server installations with systemd are failing.

[upuv]

OK I have more data now. There is most definitely a bug here.

Some background.

Local DNS is:       192.168.0.200
domain is:           home   
default route:       192.168.0.1

DNS records in play are in the home domain:

dns -> 192.168.0.200
logging -> 192.168.0.57
kibana -> logging  ( kibana is a cname of logging )

On a offending machine:

prompt> systemd --version
systemd 237
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid

prompt> cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
search home

prompt> systemd-resolve --status
Global
         DNS Servers: 192.168.0.200
          DNS Domain: home
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (enp0s3)
      Current Scopes: DNS
       LLMNR setting: yes

Works

prompt> dig logging.home

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> logging.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;logging.home.			IN	A

;; ANSWER SECTION:
logging.home.		2985	IN	A	192.168.0.57

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 29 05:04:11 UTC 2018
;; MSG SIZE  rcvd: 57

Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Got DNS stub UDP query packet for id 26679
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Looking up RR for logging.home IN A.
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Positive cache hit for logging.home IN A
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Transaction 50178 for <logging.home IN A> on scope dns on */* now comp
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Cache miss for logging.home IN A
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Transaction 64061 for <logging.home IN A> scope dns on enp0s3/*.
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Using feature level UDP+EDNS0 for transaction 64061.
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Using DNS server 192.168.0.200 for transaction 64061.
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Sending query packet with id 64061.
Apr 29 05:12:31 ubuntu1804 systemd-resolved[687]: Freeing transaction 50178.

Doesn't Work
Note this works perfectly fine on non-resolved hosts. Pick an operating system it works. Only on systemd does it not.

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> logging
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3835
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;logging.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 29 05:18:53 UTC 2018
;; MSG SIZE  rcvd: 36

Apr 29 05:16:49 ubuntu1804 systemd-resolved[687]: Got DNS stub UDP query packet for id 6118
Apr 29 05:16:49 ubuntu1804 systemd-resolved[687]: Looking up RR for logging IN A.
Apr 29 05:16:49 ubuntu1804 systemd-resolved[687]: Sending response packet with id 6118 on interface 1/AF_INET.
Apr 29 05:16:49 ubuntu1804 systemd-resolved[687]: Processing query...
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Got DNS stub UDP query packet for id 5649
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Looking up RR for ubuntu1804.home IN A.
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Positive cache hit for ubuntu1804.home IN A
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Transaction 30636 for <ubuntu1804.home IN A> on scope dns on */* now c
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Cache miss for ubuntu1804.home IN A
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Transaction 20475 for <ubuntu1804.home IN A> scope dns on enp0s3/*.
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Using feature level UDP+EDNS0 for transaction 20475.
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Using DNS server 192.168.0.200 for transaction 20475.
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Sending query packet with id 20475.
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Freeing transaction 30636.
Apr 29 05:17:00 ubuntu1804 systemd-resolved[687]: Freeing transaction 20475.

Also Doesn't work

prompt> dig kibana.home

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> kibana.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44351
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kibana.home.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 29 05:22:08 UTC 2018
;; MSG SIZE  rcvd: 40

Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Got DNS stub UDP query packet for id 32547
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Looking up RR for kibana.home IN A.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Positive cache hit for kibana.home IN A
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Transaction 33677 for <kibana.home IN A> on scope dns on */* now compl
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Cache miss for kibana.home IN A
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Transaction 15744 for <kibana.home IN A> scope dns on enp0s3/*.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Using feature level UDP+EDNS0 for transaction 15744.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Using DNS server 192.168.0.200 for transaction 15744.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Sending query packet with id 15744.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Freeing transaction 33677.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Freeing transaction 15744.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Following CNAME/DNAME kibana.home → logging.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Sending response packet with id 32547 on interface 1/AF_INET.
Apr 29 05:20:45 ubuntu1804 systemd-resolved[687]: Processing query...
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Got DNS stub UDP query packet for id 38058
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Looking up RR for ubuntu1804.home IN A.
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Positive cache hit for ubuntu1804.home IN A
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Transaction 17848 for <ubuntu1804.home IN A> on scope dns on */* now c
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Cache miss for ubuntu1804.home IN A
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Transaction 37082 for <ubuntu1804.home IN A> scope dns on enp0s3/*.
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Using feature level UDP+EDNS0 for transaction 37082.
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Using DNS server 192.168.0.200 for transaction 37082.
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Sending query packet with id 37082.
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Freeing transaction 17848.
Apr 29 05:20:50 ubuntu1804 systemd-resolved[687]: Freeing transaction 37082.

Note: It clearly knows it's a cname.

We also know that the search domain is set. That was way up at the top. But it's obvious resolved is not doing a search properly.

[upuv]

Frankly this bug is holding back a number of upgrades on my networks at home and in the office. I simply can not trust the dns results. Which opens up a huge issue around security.

I am currently working on a simplified process to neuter resolved and install dnsmasq as a replacement local resolver. Which I can then add to my automation scripts.

[upuv]

However another way to get around systemd-resolvd borkness is to:

# Just making sure I'm out of the / dir
cd /etc
# resolv.conf is a link to ../run/systemd/resolve/stub-resolv.conf Which directs thing to use the local resolved.  So I nuke it.
sudo rm resolve.conf
# Then I go and use the actual resolv.conf that actually works.
sudo ln -s ../run/systemd/resolve/resolv.conf resolv.conf 

[poettering]

Do you have ".local" in a unicast DNS domain, did I get this right?

Since RFC 6762 ".local" is assigned to MulticastDNS usage (also see https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml), hence resolved won't consider it for classic DNS lookups by default. This is a security precaution: multicast DNS names have an inherent local focus, and we should not permit them to leak onto the public internet (i.e. classic DNS with its global focus) by default.

That said, resolved is fine with looking up ".local" in unicast DNS domains, for compatibility with networks that have been set up that way a long time ago. But it's opt-in. To enable this make sure to declare ".local" and search or routing domain on the same interface where you configure your DNS server. If you configure your DNS server directly in /etc/resolv.conf then it's sufficient to add "search local" to it, to make that happen. Alternatively, edit /etc/systemd/resolved.conf, and set Domains= to "~local" which is to configure the domain for routing queries, but not for suffix searching.

Anyway, I don't think there's any real bug here. The current behaviour is in-line with today's IETF recommendation and IANA assignments. Yes, old DNS implementations didn't work that way, but that's mostly because they predate these definitions. And yes, it's unfortunate that MulticastDNS conflicts conceptually with other uses of the .local domain, but it is the way it is...

I hope this makes some sense.

I'll leave this bug open, and turn into into a documentation issue. We should make this behaviour clearer in the systemd-resolved man page i guess, since this comes up regularly.

[upuv]

There is no local in the DNS domain. local is NOT part of domain structure at all.

I only used the word local to describe that the network is my physically local as in lan. So please ignore the use of the word local above as it clearly is causing confusion.

The domain in the above is .home .

And the resolve.conf does have
search home
in it. This as set by dhcp. The DHCP server is the same server as the DNS. Thus it is setting it on that interface. As shown above this was mapped to the global configuration. In this setup above there are only two interfaces on the client host. The loopback and the eth interfaces. The DHCP client process correctly populated the file /run/systemd/resolve/stub-resolv.conf with the default link between /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf being present as out of the box configuration. There are NO configuration changes at all present on the host shown above. All configuration was done either by installation process of the OS and via DHCP.

It is clearly not searching the home domain dns. In the above we clearly see that home is the search domain.

Also note this can be replicated on a fresh install of ubuntu 18.04. Absolutely no changes other than the usual apt update apt upgrade after install. I have replicated this behaviour above with a Intel NUC, Virtual box VM ( Bridged network ) and a Dell workstation. On all of those devices when I install Ubuntu Server 16.04 everything works perfectly.

The documentation clearly states that if the Domains= is left blank the search domain of /etc/resolv.conf is used. Again in the above it is clear that the search domain of home is clearly set. The default configuration of resolved is that Domains=blank.

Domains=
           A space-separated list of domains. These domains are used as search suffixes when resolving single-label host names (domain names which contain no dot), in order to qualify them into
           fully-qualified domain names (FQDNs). Search domains are strictly processed in the order they are specified, until the name with the suffix appended is found. For compatibility reasons,
           if this setting is not specified, the search domains listed in /etc/resolv.conf are used instead, if that file exists and any domains are configured in it. This setting defaults to the
           empty list.

The resolved.conf file.

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details

[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#Cache=yes
#DNSStubListener=yes

From everything I have explored the above behaviour as shown by test output is incorrect and does not match documentation. Therefore I still feel this is a bug.

[upuv]

Also note: That when I do switch the link from stub-resolv.conf to resolv.conf things work.

stub-resolv.conf

nameserver 127.0.0.53
search home

resolv.conf

nameserver 192.168.0.200
search home

Thus it is clear that resolved is not working as intended. It is not using the search directive.

[upuv]

It should also be noted that when I explicitly set the Domains= in resolved.conf to home searching still fails.

This does set the interface configuration however.

Link 2 (enp0s3)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.200
          DNS Domain: home

But no actual change to behaviour.

Again note the DNS is fine. It's rock solid. All other devices and OS's that are non-systemd-resolved work out of the box perfectly. The DHCP service on the DNS host is working fine. All devices require no additional configuration in order to properly resolve home domain names both a cname records.

It's clear that the systemd host shown above is getting the correct DHCP information as the /run/systemd/resolve/resolv.conf file is properly configured with data that came from DHCP.

[mdrmike]

@upuv your issue seems to exhibit the same DNS symptoms as bug: 1766969 on launchpad. But other than this issue, I can't find another on github/systemd/issues that's similar to: 1766969.

[RussianNeuroMancer]

@upuv

However another way to get around systemd-resolvd borkness is to

Thanks! Helped immediately.

[laxdragon]

I also get SERVFAIL when trying to resolve my private local DNS domain.

Is there a way to fix this on the server side, as in, anything I can change on my DHCP/DNS to get local hosts on my LAN to resolve? Or is changing the Domains= line the only work around for now?

[poettering]

hmm, so, if i get this right, then the issue here is specific to CNAME handling in the DNS stub server of resolved. when the client does a lookup for an A RR and there's a CNAME RR defined, we won't propagate that properly. That's of course a real bug.

[poettering]

Following CNAME/DNAME kibana.home → logging.

OK, so this is where things are broken: It appears your zone file is simple incorrectly set up. Your CNAME record redirects kibana.home. to logging., and not to logging.home. Can you provide your home domain's zone file?

[poettering]

This appears to be caused by a local zone file issue, hence dropping the milestone.

[upuv]

That is an example of how it doesn't work. Any cname will not work also local searches do not work with systemd-resolved. And again this works for every other OS resolver that I have tested.

logging also does not redirect to logging.home. The search does not occur.
I'm using dnsmasq. btw for this example:

So just to be 100% here.

• logging.home <<-- is the fqdn.
• logging <<- is the registered name in dnsmasq assigned ip 192.168.0.59 via dhcp.
• home <<-- search domain.
• kibana is a cname for logging
• kibana.home is a cname for logging.

The only resolve that works is dig @dns logging.home

As per dnsmasq configuration:

cname=kibana,logging
cname=kibana.home,logging

Dig command of all host combinations above.

user@ubuntu1804:~$ dig logging.home

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> logging.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;logging.home.			IN	A

;; ANSWER SECTION:
logging.home.		3600	IN	A	192.168.0.57

;; Query time: 2 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 08 09:43:25 UTC 2018
;; MSG SIZE  rcvd: 57

user@ubuntu1804:~$ dig logging

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> logging
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;logging.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 08 09:43:52 UTC 2018
;; MSG SIZE  rcvd: 36

user@ubuntu1804:~$ dig kibana

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> kibana
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kibana.				IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 08 09:44:35 UTC 2018
;; MSG SIZE  rcvd: 35

user@ubuntu1804:~$ dig kibana.home

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> kibana.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22864
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;kibana.home.			IN	A

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 08 09:44:45 UTC 2018
;; MSG SIZE  rcvd: 40

Here is the debug output of those very same dig commands.

Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Looking up RR for logging.home IN A.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Switching to DNS server 192.168.0.200 for interface enp0s3.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Cache miss for logging.home IN A
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Transaction 37382 for <logging.home IN A> scope dns on enp0s3/*.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Using feature level UDP+EDNS0 for transaction 37382.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Using DNS server 192.168.0.200 for transaction 37382.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Sending query packet with id 37382.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Processing query...
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Processing incoming packet on transaction 37382. (rcode=SUCCESS)
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Verified we get a response at feature level UDP+EDNS0 from DNS server 192.168.0.200.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Added positive unauthenticated cache entry for logging.home IN A 3600s on */INET/192.168.0.200
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Transaction 37382 for <logging.home IN A> on scope dns on enp0s3/* now complete with <success> from network (unsigned).
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Sending response packet with id 34514 on interface 1/AF_INET.
Jun 08 09:43:25 ubuntu1804 systemd-resolved[14015]: Freeing transaction 37382.
Jun 08 09:43:52 ubuntu1804 systemd-resolved[14015]: Got DNS stub UDP query packet for id 32353
Jun 08 09:43:52 ubuntu1804 systemd-resolved[14015]: Looking up RR for logging IN A.
Jun 08 09:43:52 ubuntu1804 systemd-resolved[14015]: Sending response packet with id 32353 on interface 1/AF_INET.
Jun 08 09:43:52 ubuntu1804 systemd-resolved[14015]: Processing query...
Jun 08 09:44:35 ubuntu1804 systemd-resolved[14015]: Got DNS stub UDP query packet for id 14766
Jun 08 09:44:35 ubuntu1804 systemd-resolved[14015]: Looking up RR for kibana IN A.
Jun 08 09:44:35 ubuntu1804 systemd-resolved[14015]: Sending response packet with id 14766 on interface 1/AF_INET.
Jun 08 09:44:35 ubuntu1804 systemd-resolved[14015]: Processing query...
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Got DNS stub UDP query packet for id 20569
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Looking up RR for kibana.home IN A.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Cache miss for kibana.home IN A
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Transaction 12135 for <kibana.home IN A> scope dns on enp0s3/*.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Using feature level UDP+EDNS0 for transaction 12135.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Using DNS server 192.168.0.200 for transaction 12135.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Sending query packet with id 12135.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Processing query...
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Processing incoming packet on transaction 12135. (rcode=SUCCESS)
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Added positive unauthenticated cache entry for kibana.home IN CNAME 3600s on */INET/192.168.0.200
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Added positive unauthenticated cache entry for logging IN A 3600s on */INET/192.168.0.200
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Transaction 12135 for <kibana.home IN A> on scope dns on enp0s3/* now complete with <success> from network (unsigned).
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Following CNAME/DNAME kibana.home → logging.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Sending response packet with id 20569 on interface 1/AF_INET.
Jun 08 09:44:45 ubuntu1804 systemd-resolved[14015]: Freeing transaction 12135.

I'd have to write a script or something to generate a zone file. And that sorta defeats the evidence gathering process.

[poettering]

hmm, so, are you saying that you have addresses and CNAMES assigned to "dotless" domains?

resolved won't resolve those via classic DNS, following these IAB recommendations:

https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/

dotless domains are resolved via LLMNR or search domains, but CNAMES won't be allowed to redirect to LLMNR or search domains, since that would allow outside DNS servers to reference private names and we can't allow that.

But I am really puzzled by all this, I really don't follow what your set up is like. First you used the ".local" domain (which is reserved via RFC for a different purpose), now you appear to use dotless domains (aka "single-label" domains, aka "TLDs") for A/CNAME records. In the middle it was about CNAME redirection and search domains. I am seriously confused about all of this.

[upuv]

I have never used .local anywhere. I only used the word "local" to refer figuratively to the local physical network. Again ".local" HAS NEVER BEEN A DOMAIN in this networks configuration.

[upuv]

But dotless domains are still in the standard. They are only considered harmful in discussion papers. However the spec still allows them. Until the spec depreciates them it is still standard.

PS This discussion paper has not progressed at all since 2013.

[poettering]

well, you should be able to define "." as routing domain, so that single-label domains are resolved via classic DNS.

But we try to make things secure and somewhat up-to-date with today's intended use of DNS, hence we won't do A/AAAA/PTR lookups on single-label names on DNS normally. I mean, besides the fact that everyone recommends against having domains set up like this, this also creates security issues (as dotless domains are usually assumed to be in local context and shouldn't leak onto the internet) and ambiguity issues (as you invade TLD territory like this, and they keep adding new TLDs every other week or so these days, so you might sooner or later run into conflicts with maybe an official TLD being created called ".logging"...

Anyway, consider adding Domains=~. to /etc/systemd/resolved.conf. That will result in a routing domain being defined that any domain ending in the top level domain (i.e. all domains) will be routed to classic DNS. But of course, routing all single-label domains to classic DNS is on you then, and the security and ambigituity issues this creates.

[upuv]

Domains=~.

Does not resolve the issue. Tested.

As an aside this really needs much much better documentation. As this is the only implementation of a resolver that does not resolve dotless domains. You are effectively breaking from the standard.

I would also suggest that this is covered in the debug output of resolved as well. As it stands now it simply looks like it stops working.

I will validate this by migrating this network to a "dotted domain". For now I'm willing to have this thread moved to closed. But again the debug output of systemd-resolved needs to highlight this divergence from standard definitions.

If further testing on a "dotted domain" reveals the same behaviour I will raise a NEW issue.

[poettering]

If Domains=~. doesn't work, we should really make it work though, leaving the bug open hence. And yes, it could also use some documentation.

[laxdragon]

I noticed today that modifying Domains= with my networks search domains does not work after a fresh reboot. I have to manually sudo service systemd-resolved each time I boot. Only then will it work. WTF?

Why can't it correctly just use the search domains provided by DHCP like it is supposed to?

[kmleow]

systemd-resolve --status shows my network adapter having 3 DNS servers,
only 1 of them was actually issued by DHCP, the other 2 are IPv6 which I have no idea how they came about.

As @laxdragon said, restarting systemd-resolved resolves the issue.

[bissli82]

Same issues here... still open>?

[tzot]

systemd-resolve --status shows my network adapter having 3 DNS servers,
only 1 of them was actually issued by DHCP, the other 2 are IPv6 which I have no idea how they came about.

They probably were reported by your router as your provider's DNS servers. At least that's what my additional 2 ipv6 addresses were, and I verified it by a reverse lookup :)

[keszybz]

It seems that the setup that is reported as broken has single-label tlds that are supposed to resolve for A records. We don't support this by default, but it can now be optionally allowed after 3b5bd7d. Please reopen if either a) that interpretation was incorrect, or b) it doesn't work with that option enabled, or c) it still doesn't work after removing use of single-label names.