systemd-resolved: How to clear DNS cache?

[paulmenzel]

Sometimes it’s needed to clear the DNS cache. Restarting systemd-resolved doesn’t do it. How can the DNS cache be cleared?

[teg]

That sounds wrong. resolved does not save its cache to disk, so I don't see how restarting it does not clear the cache. Moreover, what's the usecase for forcibly clearing the cache (outside of DNS debugging I guess)?

[teg]

To verify, please run systemd-resolved with SYSTEMD_LOG_LEVEL=debug in its Environment=. You will then see "Cache hit" and "Cache miss" messages.

[paulmenzel]

$ more /etc/resolv.conf
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 192.168.180.1
nameserver 8.8.8.8
nameserver 8.8.4.4
# Too many DNS servers configured, the following entries may be ignored
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
$ dig @192.168.180.1 smb-staging.gomus.de

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> @192.168.180.1 smb-staging.gomus.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9896
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smb-staging.gomus.de.      IN  A

;; ANSWER SECTION:
smb-staging.gomus.de.   86400   IN  A   185.15.194.199

;; Query time: 41 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Wed Aug 12 17:36:30 CEST 2015
;; MSG SIZE  rcvd: 54

$ dig smb-staging.gomus.de

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> smb-staging.gomus.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31048
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smb-staging.gomus.de.      IN  A

;; ANSWER SECTION:
smb-staging.gomus.de.   86394   IN  A   185.15.194.199

;; Query time: 0 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Wed Aug 12 17:36:36 CEST 2015
;; MSG SIZE  rcvd: 54

$ host smb-staging.gomus.de
smb-staging.gomus.de has address 148.251.9.237
$ sudo systemctl restart systemd-resolved
$ host smb-staging.gomus.de
smb-staging.gomus.de has address 148.251.9.237

[teg]

Hm, lots of stuff that could be going wrong here. My guess would be that resolved is pointing at a different DNS server than what you use for dig (in case you are not aware dig circumvents nss/resolved completely).

If you could try with debug output from resolved we would see what is going on.

[paulmenzel]

I added Environment=SYSTEMD_LOG_LEVEL=debug to /lib/systemd/system/systemd-resolved.service and did sudo systemctl restart systemd-resolved and sudo systemctl daemon-reload.

What command can I run to force a name resolution over systemd-resolved?

[paulmenzel]

@falconindy told me in systemd@irc.freenode.net to use getent hosts smb-staging.gomus.de, but that also shows the “old” IP address.

$ getent hosts smb-staging.gomus.de
148.251.9.237   smb-staging.gomus.de
$ dig smb-staging.gomus.de

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> smb-staging.gomus.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smb-staging.gomus.de.      IN  A

;; ANSWER SECTION:
smb-staging.gomus.de.   83374   IN  A   185.15.194.199

;; Query time: 1 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Wed Aug 12 18:26:56 CEST 2015
;; MSG SIZE  rcvd: 54

Judging from the SERVER line in the output from dig, the DNS server is used. @falconindy wrote in #systemd@irc.freenode.net that dig and host use libdns.

[paulmenzel]

$ grep hosts /etc/nsswitch.conf
hosts:          files dns

[crrodriguez]

@paulmenzel resolved isn't even active in your configuration. you need to use
hosts: files resolve

[paulmenzel]

What does dns use then?

I ran strace hosts … and /etc/resolv.conf is read in.

[falconindy]

'dns' uses /usr/lib/libnss_dns.so. 'resolve' would use /usr/lib/libnss_resolve.so, and so on...

[paulmenzel]

[…]
open("/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
read(6, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(6, "Netscape crash on BMPStrings or "..., 4096) = 4096
read(6, " this to avoid interpreting an e"..., 4096) = 2643
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0xb774a000, 4096)                = 0
futex(0xb711b058, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/i386-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = 6
read(6, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\2605\0\0004\0\0\0"..., 512) = 512
fstat64(6, {st_mode=S_IFREG|0644, st_size=94872, ...}) = 0
mmap2(NULL, 93476, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0xb7734000
mmap2(0xb7749000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x15000) = 0xb7749000
close(6)                                = 0
mprotect(0xb7749000, 4096, PROT_READ)   = 0
open("/usr/share/locale/de_DE.UTF-8/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.UTF-8/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0xb77118c4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0xb7711924, FUTEX_WAKE_PRIVATE, 2147483647) = 0
time(NULL)                              = 1439405568
open("/etc/resolv.conf", O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=483, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7733000
read(6, "# This file is managed by system"..., 4096) = 483
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0xb7733000, 4096)                = 0
futex(0xb6c8f05c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6c8f058, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0xb6c8f018, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigaction(SIGHUP, {0xb7150210, ~[RTMIN RT_1], 0}, NULL, 8) = 0
rt_sigsuspend([], 8smb-schulung.gomus.de has address 148.251.9.237
)                    = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGTERM {si_signo=SIGTERM, si_code=SI_TKILL, si_pid=11114, si_uid=1000} ---
sigreturn() (mask [HUP INT TERM])       = -1 EINTR (Interrupted system call)
futex(0xb6c8f05c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6c8f058, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0xb6c8f018, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xb6c8f05c, FUTEX_CMP_REQUEUE_PRIVATE, 1, 2147483647, 0xb6c8f018, 12) = 1
futex(0xb6c8f018, FUTEX_WAKE_PRIVATE, 1) = 1
write(4, "\0\0\0\0\377\377\377\377", 8) = 8
epoll_ctl(5, EPOLL_CTL_DEL, 3, bf931070) = 0
close(5)                                = 0
close(3)                                = 0
close(4)                                = 0
futex(0xb6c900c4, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6c900c0, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0xb6488ba8, FUTEX_WAIT, 11116, NULL) = 0
open("/proc/sys/vm/overcommit_memory", O_RDONLY|O_CLOEXEC) = 3
read(3, "0", 1)                         = 1
close(3)                                = 0
madvise(0xb5321000, 180224, MADV_DONTNEED) = 0
munmap(0xb7734000, 93476)               = 0
munmap(0xb6c8a000, 266240)              = 0
exit_group(0)                           = ?
+++ exited with 0 +++

[crrodriguez]

@paulmenzel yes, glibc has to read /etc/resolv.conf for name resolution functions to work.

[teg]

@paulmenzel in case it is still unclear: you need to change 'dns' into 'resolve' in /etc/nsswitch.conf, otherwise this is not a systemd issue.

[fsateler]

FWIW, debian does not yet ship the resolve nss module. AFAICT the only issue here is that there is no doc for nss-resolve and how is it useful (ie, why would I want to go through resolved instead of directly to the dns servers)

[fsateler]

And this info was not here but on IRC I gathered paul was using debian.

[paulmenzel]

As @fsateler wrote, Debian 8.1 (Jessie) is used. It looks like, systemd-resolved is not yet integrated that well in Debian 8.1 and I made some wrong assumptions.

[q2dg]

On Ubuntu (17.10) "libnss-resolve" package must be installed on hand