[Bug 1727237] Re: systemd-resolved is not finding a domain

Pete launchpad at kthxbye.us
Wed Apr 25 19:18:34 UTC 2018 

I freshly installed the latest Kubuntu Bionic nightly image from today
night. That should be rather close to tomorrow's release.

There systemd 237-3ubuntu10 is installed. However, it still does not
work. I can not resolve dns out of the box in my Hotel wifi (Quality
Hotel Augsburg, Germany).

The support of the hotspot provider forwarded me to this bug and assumed
it to be solved in 18.04.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1727237

Title:
  systemd-resolved is not finding a domain

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Triaged
Status in systemd source package in Zesty:
  Won't Fix
Status in systemd source package in Artful:
  Triaged
Status in systemd source package in Bionic:
  Fix Released

Bug description:
  
  [Impact] 

   * Certain WiFi captive portals do not support EDNS0 queries, as per RFC.
   * Instead of responding with the captive portal IP address, they resond with domain not found
   * This prevents the user from hitting the captive portal login page, able to authenticate, and gain access to the internets.

  [The Fix]

   * As per tcp dumps, the problem arrises from receiving NXDOMAIN when queried with EDNS0
   * And receiving the right response without EDNS0
   * The solution was to downgrade transactions, and retry EDNS0 + NXDOMAIN result without EDNS0 with a hope of getting the right answer.

  [Test Case]

  * systemd-resolve securelogin.example.com
  * journalctl -b -u systemd-resolve | grep DVE-2018

  You should obverse that a warning message that transaction was retried
  with a reduced feature level e.g. UDP or TCP.

  After this test case is performed the result will be cached, therefore
  to revert to pristine state perform

  * systemd-resolve --flush-caches

  [Regression Potential]

   * The code retries, and then caches, NXDOMAIN results for certain
  queries (those that have 'secure' in them) with and without EDNS0.

   * Thus initial query for these domains may take longer, but hopefully
  will manage to receive the correct response.

   * Manufacturers are encouraged to correctly support EDNS0 queries,
  with flag D0 set to zero.

  [Other Info]
   
   * This issue is tracked as a dns-violation at
  https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md

  [Original Bug report]

  I have an odd network situation that I have so far managed to narrow
  down to the inability to resolve a domain via systemd-resolved which
  is resolvable with nslookup. If I use nslookup against the two
  nameservers on this network I get answers for the domain, but ping
  says it is unable to resolve the same domain (as do browsers and
  crucially the captive portal mechanism).

  Here are details:

  NSLOOKUP:

  ~$ nslookup securelogin.arubanetworks.com 208.67.220.220
  Server:		208.67.220.220
  Address:	208.67.220.220#53

  Non-authoritative answer:
  Name:	securelogin.arubanetworks.com
  Address: 172.22.240.242

  ~$ nslookup securelogin.arubanetworks.com 208.67.222.222
  Server:		208.67.222.222
  Address:	208.67.222.222#53

  Non-authoritative answer:
  Name:	securelogin.arubanetworks.com
  Address: 172.22.240.242

  PING:

  ~$ ping securelogin.arubanetworks.com
  ping: securelogin.arubanetworks.com: Name or service not known
  mark at mark-X1Y2:~$

  DIG:

  ~$ dig @208.67.222.222 securelogin.arubanetworks.com

  ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @208.67.222.222 securelogin.arubanetworks.com
  ; (1 server found)
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9416
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;securelogin.arubanetworks.com.	IN	A

  ;; AUTHORITY SECTION:
  arubanetworks.com.	1991	IN	SOA	dns5.arubanetworks.com. hostmaster.arubanetworks.com. 1323935888 3600 200 1209600 86400

  ;; Query time: 34 msec
  ;; SERVER: 208.67.222.222#53(208.67.222.222)
  ;; WHEN: Wed Oct 25 10:31:10 CEST 2017
  ;; MSG SIZE  rcvd: 144

  MORE DIG:

  ~$ dig securelogin.arubanetworks.com

  ; <<>> DiG 9.10.3-P4-Ubuntu <<>> securelogin.arubanetworks.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3924
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 65494
  ;; QUESTION SECTION:
  ;securelogin.arubanetworks.com.	IN	A

  ;; Query time: 0 msec
  ;; SERVER: 127.0.0.53#53(127.0.0.53)
  ;; WHEN: Wed Oct 25 10:34:01 CEST 2017
  ;; MSG SIZE  rcvd: 58

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1727237/+subscriptions

More information about the foundations-bugs mailing list