systemd-resolved: How to clear DNS cache? #940

paulmenzel opened this Issue Aug 12, 2015 · 17 comments


Sometimes it’s needed to clear the DNS cache. Restarting systemd-resolved doesn’t do it. How can the DNS cache be cleared?

Contributor

teg commented Aug 12, 2015

That sounds wrong. resolved does not save its cache to disk, so I don't see how restarting it does not clear the cache. Moreover, what's the use case for forcibly clearing the cache (outside of DNS debugging I guess)?

Contributor

teg commented Aug 12, 2015

To verify, please run systemd-resolved with SYSTEMD_LOG_LEVEL=debug in its Environment=. You will then see "Cache hit" and "Cache miss" messages.

$ more /etc/resolv.conf
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 192.168.180.1
nameserver 8.8.8.8
nameserver 8.8.4.4
# Too many DNS servers configured, the following entries may be ignored
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
$ dig @192.168.180.1 smb-staging.gomus.de

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> @192.168.180.1 smb-staging.gomus.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9896
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smb-staging.gomus.de.      IN  A

;; ANSWER SECTION:
smb-staging.gomus.de.   86400   IN  A   185.15.194.199

;; Query time: 41 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Wed Aug 12 17:36:30 CEST 2015
;; MSG SIZE  rcvd: 54

$ dig smb-staging.gomus.de

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> smb-staging.gomus.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31048
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smb-staging.gomus.de.      IN  A

;; ANSWER SECTION:
smb-staging.gomus.de.   86394   IN  A   185.15.194.199

;; Query time: 0 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Wed Aug 12 17:36:36 CEST 2015
;; MSG SIZE  rcvd: 54

$ host smb-staging.gomus.de
smb-staging.gomus.de has address 148.251.9.237
$ sudo systemctl restart systemd-resolved
$ host smb-staging.gomus.de
smb-staging.gomus.de has address 148.251.9.237
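
An added example, not part of the original thread: the two dig runs above differ only in the answer TTL (86400, then 86394) and the query time (41 msec, then 0 msec), while the SERVER line stays 192.168.180.1. dig reads /etc/resolv.conf itself and, with the file shown above, asks the router directly, so a TTL that only counts down between runs means the router handed back its own cached record; systemd-resolved is not on that path at all. The helper below (hypothetical function names dig_summary and cache_verdict; the sample inputs are the thread's own two answers, trimmed to the lines the parser reads) pulls those three fields out of dig's text output and turns two consecutive runs into a verdict.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from systemd.
# dig_summary: reduce dig's text output to the fields that tell you which
# cache answered: the server asked, the TTL of the first A record and the
# query time.  Output: "server=<ip> ttl=<n> qtime=<msec>".
dig_summary() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        in_answer && $4 == "A" { ttl = $2; in_answer = 0 }
        /^;; Query time:/      { qtime = $4 }
        /^;; SERVER:/          { server = $3; sub(/#.*/, "", server) }
        END { printf "server=%s ttl=%s qtime=%s\n", server, ttl, qtime }
    '
}

# cache_verdict: compare two summaries taken a few seconds apart.  Against the
# same server, a TTL that only counted down is the same cached record again;
# a TTL that jumped back up means the server fetched the record afresh.
cache_verdict() {
    prev_server=${1#server=}; prev_server=${prev_server%% *}
    cur_server=${2#server=};  cur_server=${cur_server%% *}
    prev_ttl=${1#*ttl=};      prev_ttl=${prev_ttl%% *}
    cur_ttl=${2#*ttl=};       cur_ttl=${cur_ttl%% *}
    if [ "$prev_server" != "$cur_server" ]; then
        echo "different servers ($prev_server vs $cur_server): not comparable"
    elif [ "$cur_ttl" -lt "$prev_ttl" ]; then
        echo "cache hit on $cur_server: TTL counted down $prev_ttl -> $cur_ttl"
    elif [ "$cur_ttl" -gt "$prev_ttl" ]; then
        echo "fresh fetch by $cur_server: TTL reset $prev_ttl -> $cur_ttl"
    else
        echo "TTL unchanged at $cur_ttl: re-run after a few seconds"
    fi
}

# Constructed samples: the two answers posted in the thread, trimmed to the
# lines the parser looks at.  Live use: first=$(dig_summary "$(dig NAME)"),
# wait a few seconds, then second=$(dig_summary "$(dig NAME)").
DIG_FIRST=';; ANSWER SECTION:
smb-staging.gomus.de.   86400   IN  A   185.15.194.199

;; Query time: 41 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)'
DIG_SECOND=';; ANSWER SECTION:
smb-staging.gomus.de.   86394   IN  A   185.15.194.199

;; Query time: 0 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)'

first=$(dig_summary "$DIG_FIRST")
second=$(dig_summary "$DIG_SECOND")
echo "$first"
echo "$second"
cache_verdict "$first" "$second"
```

The verdict only says something about the server named in the SERVER line. Whether an application on the box sees the same record is a separate question, because getent, host and the libc resolver do not necessarily ask that server; the later comments in this thread are about exactly that.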
Contributor

teg commented Aug 12, 2015

Hm, lots of stuff that could be going wrong here. My guess would be that resolved is pointing at a different DNS server than what you use for dig (in case you are not aware, dig circumvents nss/resolved completely).

If you could try with debug output from resolved we would see what is going on.

I added Environment=SYSTEMD_LOG_LEVEL=debug to /lib/systemd/system/systemd-resolved.service and did sudo systemctl restart systemd-resolved and sudo systemctl daemon-reload.

What command can I run to force a name resolution over systemd-resolved?

@falconindy told me in systemd@irc.freenode.net to use getent hosts smb-staging.gomus.de, but that also shows the “old” IP address.

$ getent hosts smb-staging.gomus.de
148.251.9.237   smb-staging.gomus.de
$ dig smb-staging.gomus.de

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> smb-staging.gomus.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smb-staging.gomus.de.      IN  A

;; ANSWER SECTION:
smb-staging.gomus.de.   83374   IN  A   185.15.194.199

;; Query time: 1 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Wed Aug 12 18:26:56 CEST 2015
;; MSG SIZE  rcvd: 54

Judging from the SERVER line in the output from dig, the DNS server is used. @falconindy wrote in #systemd@irc.freenode.net that dig and host use libdns.

$ grep hosts /etc/nsswitch.conf
hosts:          files dns
Contributor

crrodriguez commented Aug 12, 2015

@paulmenzel resolved isn't even active in your configuration. You need to use
hosts: files resolve

What does dns use then?

I ran strace hosts … and /etc/resolv.conf is read in.

Contributor

falconindy commented Aug 12, 2015

'dns' uses /usr/lib/libnss_dns.so. 'resolve' would use /usr/lib/libnss_resolve.so, and so on...

[…]
open("/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774a000
read(6, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(6, "Netscape crash on BMPStrings or "..., 4096) = 4096
read(6, " this to avoid interpreting an e"..., 4096) = 2643
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0xb774a000, 4096)                = 0
futex(0xb711b058, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/i386-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY|O_CLOEXEC) = 6
read(6, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\2605\0\0004\0\0\0"..., 512) = 512
fstat64(6, {st_mode=S_IFREG|0644, st_size=94872, ...}) = 0
mmap2(NULL, 93476, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0xb7734000
mmap2(0xb7749000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x15000) = 0xb7749000
close(6)                                = 0
mprotect(0xb7749000, 4096, PROT_READ)   = 0
open("/usr/share/locale/de_DE.UTF-8/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.UTF-8/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de/LC_MESSAGES/libdns.cat", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0xb77118c4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0xb7711924, FUTEX_WAKE_PRIVATE, 2147483647) = 0
time(NULL)                              = 1439405568
open("/etc/resolv.conf", O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=483, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7733000
read(6, "# This file is managed by system"..., 4096) = 483
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0xb7733000, 4096)                = 0
futex(0xb6c8f05c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6c8f058, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0xb6c8f018, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigaction(SIGHUP, {0xb7150210, ~[RTMIN RT_1], 0}, NULL, 8) = 0
rt_sigsuspend([], 8smb-schulung.gomus.de has address 148.251.9.237
)                    = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGTERM {si_signo=SIGTERM, si_code=SI_TKILL, si_pid=11114, si_uid=1000} ---
sigreturn() (mask [HUP INT TERM])       = -1 EINTR (Interrupted system call)
futex(0xb6c8f05c, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6c8f058, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0xb6c8f018, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xb6c8f05c, FUTEX_CMP_REQUEUE_PRIVATE, 1, 2147483647, 0xb6c8f018, 12) = 1
futex(0xb6c8f018, FUTEX_WAKE_PRIVATE, 1) = 1
write(4, "\0\0\0\0\377\377\377\377", 8) = 8
epoll_ctl(5, EPOLL_CTL_DEL, 3, bf931070) = 0
close(5)                                = 0
close(3)                                = 0
close(4)                                = 0
futex(0xb6c900c4, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0xb6c900c0, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0xb6488ba8, FUTEX_WAIT, 11116, NULL) = 0
open("/proc/sys/vm/overcommit_memory", O_RDONLY|O_CLOEXEC) = 3
read(3, "0", 1)                         = 1
close(3)                                = 0
madvise(0xb5321000, 180224, MADV_DONTNEED) = 0
munmap(0xb7734000, 93476)               = 0
munmap(0xb6c8a000, 266240)              = 0
exit_group(0)                           = ?
+++ exited with 0 +++
Contributor

crrodriguez commented Aug 12, 2015

@paulmenzel yes, glibc has to read /etc/resolv.conf for name resolution functions to work.

Contributor

teg commented Aug 12, 2015

@paulmenzel in case it is still unclear: you need to change 'dns' into 'resolve' in /etc/nsswitch.conf, otherwise this is not a systemd issue.
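
An added example that is not part of the thread or of systemd, to make the nsswitch point of the last few comments checkable: the hosts: line of /etc/nsswitch.conf decides whether glibc's getaddrinfo() (and therefore getent, host-name lookups by applications, and everything except tools such as dig that read /etc/resolv.conf on their own) goes through systemd-resolved via the resolve module or through glibc's own dns module. The functions nss_hosts_modules and resolver_path are hypothetical helpers; the nsswitch.conf they read is a constructed sample, not the reporter's file. The flush commands mentioned in the output exist in systemd releases later than the one discussed here.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from systemd.
# nss_hosts_modules: print the NSS modules glibc consults for the "hosts"
# database, read from the nsswitch.conf given as $1 (default
# /etc/nsswitch.conf).  Comments and "[action]" clauses such as
# [!UNAVAIL=return] are dropped, so "files resolve [!UNAVAIL=return] dns"
# comes back as "files resolve dns".
nss_hosts_modules() {
    awk '
        { sub(/#.*/, "") }                       # strip trailing comments
        $1 ~ /^hosts:/ {
            sub(/^[[:space:]]*hosts:/, "")       # drop the database name; awk re-splits $0
            out = ""; skip = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1         # start of an [action] clause
                if (!skip) out = out (out == "" ? "" : " ") $i
                if ($i ~ /\]$/) skip = 0         # end of the clause
            }
            print out; exit
        }
    ' "${1:-/etc/nsswitch.conf}"
}

# resolver_path: which DNS-capable module answers first, in the order glibc
# tries them.  "resolve" hands the query to systemd-resolved (nss-resolve);
# "dns" is glibc's own stub (libnss_dns), which reads /etc/resolv.conf and
# talks to those servers itself, without systemd-resolved.
resolver_path() {
    for m in $1; do
        case $m in
            resolve) echo resolve; return 0 ;;
            dns)     echo dns;     return 0 ;;
        esac
    done
    echo none
}

# Constructed sample (not the reporter's file): a common layout once the
# resolve module is installed, with the glibc stub kept as a fallback.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
# constructed /etc/nsswitch.conf
passwd:   files
hosts:    files resolve [!UNAVAIL=return] dns   # resolved first, glibc stub as fallback
networks: files
EOF

mods=$(nss_hosts_modules "$tmp")
rm -f "$tmp"
echo "hosts modules: $mods"
case $(resolver_path "$mods") in
    resolve) echo "getent/getaddrinfo go through systemd-resolved; its cache is the one to flush"
             echo "  (later systemd: resolvectl flush-caches, or systemctl kill -s SIGUSR2 systemd-resolved.service)" ;;
    dns)     echo "glibc's stub resolver asks the servers in /etc/resolv.conf directly;"
             echo "  restarting systemd-resolved cannot change what applications see" ;;
    none)    echo "no DNS module in the hosts line: only /etc/hosts and the like are consulted" ;;
esac
```

Run against the reporter's line, hosts: files dns, resolver_path reports dns: glibc never asked systemd-resolved, so restarting it cleared a cache that nothing was using, and the stale address came from wherever libnss_dns sent the query. dig follows neither module, which is why it cannot be used to verify what getent or an application will see.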

Member

fsateler commented Aug 12, 2015

FWIW, Debian does not yet ship the resolve NSS module. AFAICT the only issue here is that there is no doc for nss-resolve and how it is useful (i.e., why would I want to go through resolved instead of directly to the DNS servers).

Member

fsateler commented Aug 12, 2015

And this info was not here but on IRC; I gathered Paul was using Debian.

As @fsateler wrote, Debian 8.1 (Jessie) is used. It looks like systemd-resolved is not yet integrated that well in Debian 8.1 and I made some wrong assumptions.

paulmenzel closed this Aug 13, 2015

poettering added the resolve label Aug 16, 2015

q2dg commented Jan 3, 2018

On Ubuntu (17.10) the "libnss-resolve" package must be installed by hand.
