
Hi, I have a small desktop/home network that local applications aren't able to resolve DNS on. For example:

dig reddit.com

```
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.20.7 <<>> reddit.com
;; global options: +cmd
;; no servers could be reached
```

Golang also fails to install:

go install -v

go: golang.org/x/tools/gopls@latest: module golang.org/x/tools/gopls: Get "https://proxy.golang.org/golang.org/x/tools/gopls/@v/list": dial tcp: lookup proxy.golang.org on [::1]:53: read udp [::1]:51901->[::1]:53: read: connection refused 

ping works

ping reddit.com

```
PING reddit.com (2a04:4e42::396) 56 data bytes
64 bytes from 2a04:4e42::396: icmp_seq=1 ttl=54 time=25.9 ms
64 bytes from 2a04:4e42::396: icmp_seq=2 ttl=54 time=23.3 ms
```

I suspect that systemd-resolve or systemd-network is not set up or working properly. This is my current configuration:

cat /etc/systemd/network/25-wireless.network

```
[Match]
Name=wlp1s0f0u10

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
IgnoreCarrierLoss=3s
#DNS=127.0.0.1
```

cat /etc/systemd/network/20-wired.network

```
[Match]
Name=enp8s0

[Link]
RequiredForOnline=no

[Network]
Address=20.21.22.1/24
DHCPServer=true
IPMasquerade=ipv4

[DHCPServer]
PoolOffset=100
PoolSize=20
EmitDNS=yes
#DNS=8.8.8.8
```

cat /etc/systemd/resolved.conf

```
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
FallbackDNS=8.8.4.4
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
ReadEtcHosts=no
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
```

resolvectl status

```
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8
Fallback DNS Servers: 8.8.4.4

Link 2 (enp8s0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no

Link 3 (wlp1s0f0u10)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 206.248.154.170
       DNS Servers: 206.248.154.22 206.248.154.170 2607:f2c0::1 2607:f2c0::2
     Default Route: yes
```

sudo ss -tlnup

```
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=22))
udp   UNCONN 0      0      127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=20))
udp   UNCONN 0      0      0.0.0.0%enp8s0:67 0.0.0.0:* users:(("systemd-network",pid=452,fd=33))
udp   UNCONN 0      0      192.168.0.51%wlp1s0f0u10:68 0.0.0.0:* users:(("systemd-network",pid=452,fd=38))
udp   UNCONN 0      0      224.0.0.251:5353 0.0.0.0:* users:(("chrome",pid=1088,fd=188))
udp   UNCONN 0      0      224.0.0.251:5353 0.0.0.0:* users:(("chrome",pid=1088,fd=183))
udp   UNCONN 0      0      0.0.0.0:5353 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=15))
udp   UNCONN 0      0      0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=11))
udp   UNCONN 0      0      [fe80::4a8f:4cff:fef6:d2db]%wlp1s0f0u10:546 [::]:* users:(("systemd-network",pid=452,fd=39))
udp   UNCONN 0      0      [::]:5353 [::]:* users:(("systemd-resolve",pid=432,fd=16))
udp   UNCONN 0      0      [::]:5355 [::]:* users:(("systemd-resolve",pid=432,fd=13))
tcp   LISTEN 0      4096   127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=21))
tcp   LISTEN 0      4096   0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=12))
tcp   LISTEN 0      4096   127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=23))
tcp   LISTEN 0      4096   [::]:5355 [::]:* users:(("systemd-resolve",pid=432,fd=14))
```

(I think this was generated automatically, I think it works)

sudo nft list ruleset

```
table ip io.systemd.nat {
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 20.21.22.0/24 }
    }

    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }

    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;
        fib daddr type local dnat ip to meta l4proto . th dport map @map_port_ipport
    }

    chain output {
        type nat hook output priority dstnat + 1; policy accept;
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        ip saddr @masq_saddr masquerade
    }
}
table ip6 io.systemd.nat {
    set masq_saddr {
        type ipv6_addr
        flags interval
    }

    map map_port_ipport {
        type inet_proto . inet_service : ipv6_addr . inet_service
    }

    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;
        fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
    }

    chain output {
        type nat hook output priority dstnat + 1; policy accept;
        ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        ip6 saddr @masq_saddr masquerade
    }
}
```

resolvectl query reddit.com

```
reddit.com: 2a04:4e42:400::396 -- link: wlp1s0f0u10
            2a04:4e42:600::396 -- link: wlp1s0f0u10
            2a04:4e42::396 -- link: wlp1s0f0u10
            2a04:4e42:200::396 -- link: wlp1s0f0u10
            151.101.65.140 -- link: wlp1s0f0u10
            151.101.1.140 -- link: wlp1s0f0u10
            151.101.193.140 -- link: wlp1s0f0u10
            151.101.129.140 -- link: wlp1s0f0u10

-- Information acquired via protocol DNS in 31.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
```

edit: Hi thanks for replies.

pinging gateway

ping 192.168.0.1

```
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=5.65 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=8.57 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=5.95 ms
```

curl -v reddit.com

```
* Host reddit.com:80 was resolved.
* IPv6: 2a04:4e42:200::396, 2a04:4e42:600::396, 2a04:4e42::396, 2a04:4e42:400::396
* IPv4: 151.101.1.140, 151.101.129.140, 151.101.65.140, 151.101.193.140
* Trying [2a04:4e42:200::396]:80...
* Connected to reddit.com (2a04:4e42:200::396) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: reddit.com
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Connection: close
< Content-Length: 0
< Retry-After: 0
< Location: https://reddit.com/
< Accept-Ranges: bytes
< Date: Sat, 12 Apr 2025 03:09:09 GMT
< Via: 1.1 varnish
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Cache-Control: private, max-age=3600
< Server: snooserv
< Report-To: {"group": "w3-reporting-nel", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting-nel.reddit.com/reports" }]}, {"group": "w3-reporting", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting.reddit.com/reports" }]}, {"group": "w3-reporting-csp", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting-csp.reddit.com/reports" }]}
< NEL: {"report_to": "w3-reporting-nel", "max_age": 14400, "include_subdomains": false, "success_fraction": 1.0, "failure_fraction": 1.0}
<
* shutting down connection #0
```

After a brief google I found ideas I may try:

https://github.com/systemd/systemd/issues/32092
https://askubuntu.com/questions/1370794/systemd-resolved-not-resolving-any-domains
https://askubuntu.com/questions/1113360/systemd-resolved-not-resolving-specific-domains?rq=1

I also updated the nft rules, tested, same problem.

```
flush ruleset

table ip filter {
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        iifname "enp8s0" accept
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        iif lo accept comment "accept loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        #tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "enp8s0" oifname "wlp1s0f0u10" accept
        iifname "wlp1s0f0u10" oifname "enp8s0" ct state related,established accept
    }
}
```

edit: cat /etc/resolv.conf

# Generated by NetworkManager 
6
  • 3
    always use code formatting for printouts for legibility ... did it for you Commented Apr 11 at 22:11
  • Disconnect the Ethernet cable and try pinging your Wireless Router's gateway. You should never need a DNS entry as that is provided in your router by your ISP along with your public IP Address. Remove the DNS entry from resolved.conf and then troubleshoot from your router gateway out.... Commented Apr 11 at 22:54
  • Thanks the Ethernet cable is disconnected. I have the entry because it's much faster than what the Isp provided. Commented Apr 12 at 3:23
  • I updated my comment with the ping result. Commented Apr 12 at 3:45
  • What is the content of /etc/resolv.conf? I guess 127.0.0.53 is missing... Commented Apr 12 at 3:47

3 Answers

1

The problem is that applications are checking /etc/resolv.conf but no nameserver is configured there. So they use localhost as a fallback but systemd-resolved does not run on 127.0.0.1 (in general) but on 127.0.0.53 and 127.0.0.54 instead and for some reason it does not run on ::1 on your system.

NetworkManager

Probably the best solution is to add 127.0.0.53 to your NM configuration. Then the necessary entry should be created by NM.

Manual fix

This will probably be overwritten every time NM starts. So mainly as an explanation:

nameserver 127.0.0.53 

If that is added to /etc/resolv.conf then dig and everything else should work again.

1
  • Hi thanks that sounds good. I don't have NetworkManager enabled at the moment it's just systemd-network and resolve. Commented Apr 14 at 18:50
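
The reasoning in the answer above (no `nameserver` line means clients fall back to localhost, where nothing listens on port 53) can be checked mechanically. The following is an added example, not part of the original answer: the function names are hypothetical, `SAMPLE_SS` is a subset of the question's `ss -tlnup` output, and the two resolv.conf files are constructed samples.

```sh
#!/bin/sh
# Added example: which addresses will a client query, and does anything answer there?

# Constructed sample: three port-53 sockets taken from the question's ss output.
SAMPLE_SS='udp UNCONN 0 0    127.0.0.54:53    0.0.0.0:*
udp UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Print the addresses a client will query for resolv.conf file $1: the
# configured nameservers, or the localhost fallback (127.0.0.1 and ::1,
# the addresses dig tried in the question) when there are none.
query_targets() {
    awk '$1 == "nameserver" && $2 != "" { print $2; n++ }
         END { if (!n) print "127.0.0.1\n::1" }' "$1"
}

# Succeed if the ss text in $1 has a socket bound to address $2 on port 53.
listens_on_53() {
    printf '%s\n' "$1" | awk -v want="$2:53" '
        { a = $5; sub(/%[^:]*/, "", a) }   # drop "%lo"-style interface scope
        a == want { found = 1 }
        END { exit !found }'
}

# Print "<address> listening|refused" for every loopback target of file $1,
# judged against ss text $2. Non-loopback servers cannot be judged from ss.
diagnose() {
    query_targets "$1" | while read -r target; do
        case $target in
            127.*) addr=$target ;;
            ::1)   addr="[::1]" ;;
            *)     echo "$target remote (not checked)"; continue ;;
        esac
        if listens_on_53 "$2" "$addr"; then
            echo "$target listening"
        else
            echo "$target refused"
        fi
    done
}

# Demo on constructed files: the question's resolv.conf, then a stub-style file.
demo_dir=$(mktemp -d)
printf '# Generated by NetworkManager\n' > "$demo_dir/empty.conf"
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch .\n' > "$demo_dir/stub.conf"
echo "resolv.conf without nameserver:"; diagnose "$demo_dir/empty.conf" "$SAMPLE_SS"
echo "resolv.conf pointing at the stub:"; diagnose "$demo_dir/stub.conf" "$SAMPLE_SS"
rm -rf "$demo_dir"
```

On a live system, pass `/etc/resolv.conf` and the output of `ss -tlnu` instead of the samples.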
1

Install /etc/resolv.conf as described in the systemd-resolved wiki page:

# ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

0
0

OK, it works now. I didn't set up the symlink properly.

dig reddit.com

```
; <<>> DiG 9.20.7 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36965
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;reddit.com. IN A

;; ANSWER SECTION:
reddit.com. 289 IN A 151.101.193.140
reddit.com. 289 IN A 151.101.129.140
reddit.com. 289 IN A 151.101.1.140
reddit.com. 289 IN A 151.101.65.140

;; Query time: 30 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 14:38:36 EDT 2025
;; MSG SIZE rcvd: 103
```

sudo ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

At one point I tried something like this but it wasn't the correct command (I don't think).

Go also installs now.

1
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. Commented Apr 14 at 19:32
