Another systemd-resolved problem in 17.04

Tom H tomh0665 at gmail.com
Thu Jun 22 00:13:54 UTC 2017


On Wed, Jun 21, 2017 at 6:41 PM, Karl Auer <kauer at biplane.com.au> wrote:
> On Wed, 2017-06-21 at 18:07 -0400, Tom H wrote:
>>> Jun 21 09:54:38 t470 systemd-resolved[961]: Using DNS server
>>> fe80::1e74:dff:fe9d:5b1c%3 for transaction 37661.
>>
>> resolved is querying the wrong server because "fe80::..." is an ipv6
>> link-local address.
>
> Maybe, but not necessarily. In small networks the local DNS server is
> often on the same link. Of course, if it is not listening on all
> addresses it may not respond when queried on that address. It's not
> clear (to me, but I'm not that familiar with systemd messages) whether
> that "REFUSED" is a DNS failure or a failure to reach the server. That
> is, was it that the DNS server heard the query and refused to answer,
> or was the connection refused?
>
> You should be able to do this to find out:
>
>    dig daisy.ubuntu.com @fe80::1e74:dff:fe9d:5b1c%3
>
> This is what I get when I use my local nameserver's link local address,
> actual address truncated:
>
> kauer@kt:~$ dig +short daisy.ubuntu.com @fe80::xxxx%wlan0
> 162.213.33.133
> 162.213.33.164
>
> If the nameserver is listening, but refusing to serve you, you'll get a
> response with a REFUSED status. Don't use "+short" or you won't see it:
>
> kauer@kt:~$ dig daisy.ubuntu.com @dns1.ethz.ch
> [...]
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33381
> ;; flags: qr rd ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> [...]
>
> If the nameserver is not there or not listening on that address, you'll
> get a timeout like this:
>
> kauer@kt:~$ dig +short daisy.ubuntu.com @fe80::xxxx%wlan0
> ;; connection timed out; no servers could be reached

This is what you get on a standard 17.10 install:

# ss -ntul | column -t | grep -v Netid
udp    UNCONN  0       0       127.0.0.53%lo:53  *:*
udp    UNCONN  0       0       *:5355            *:*
udp    UNCONN  0       0       :::5355           :::*
tcp    LISTEN  0       128     *:22              *:*
tcp    LISTEN  0       128     *:5355            *:*
tcp    LISTEN  0       128     :::22             :::*
tcp    LISTEN  0       128     :::5355           :::*

There's nothing listening on a link-local address, ipv4 or ipv6.

I'd assumed that the "REFUSED" was part of a dbus message but it might
very well be a dns message. That implies that there's a server listening
on fe80 but that the client isn't allowed to query this server.

That would be a non-standard Ubuntu setup given the above, but also
because I can't think of a resolved option that'll allow it to listen
on fe80 unless it's specified in resolved.conf or a resolved option
that'll allow it to refuse to resolve a (local) query. Maybe there is
but I can't check the man pages at the moment.

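Added example, not part of the original message: a Python probe that separates the two meanings of "refused" discussed in this thread, a DNS reply carrying the REFUSED rcode versus a server that cannot be reached at all. The function names, the result strings and the constructed sample header are assumptions made for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))

# Constructed sample: only the 12-byte header, rebuilt from the fields dig
# printed in the quoted message (id 33381, qr rd ra, REFUSED, counts 0/0/0/1).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 33381, 0x8185, 0, 0, 0, 1)

def build_query(name, qid, qtype=1):
    """Minimal RFC 1035 query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Decode the DNS header into the fields dig shows on its HEADER lines."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [n for n, bit in FLAG_BITS if flags & bit],
            "counts": (qd, an, ns, ar)}

def probe(server, name, port=53, timeout=3.0, qid=0x1234):
    """'dns:<STATUS>' if a server answered the query, else 'unreachable:<why>'."""
    # getaddrinfo keeps the zone suffix ("%3", "%wlan0") of a link-local address.
    family, kind, proto, _, addr = socket.getaddrinfo(
        server, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, kind, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)  # connected UDP: ICMP port-unreachable raises an error
            s.send(build_query(name, qid))
            reply = s.recv(4096)
        except socket.timeout:
            return "unreachable:timeout"      # nothing there, or filtered
        except ConnectionRefusedError:
            return "unreachable:port closed"  # host up, nothing bound to the port
        except OSError as exc:
            return "unreachable:" + (exc.strerror or "socket error")
    hdr = parse_header(reply)
    if hdr["id"] != qid or "qr" not in hdr["flags"]:
        return "unreachable:unrelated reply"
    return "dns:" + hdr["status"]

if __name__ == "__main__":
    print(parse_header(SAMPLE_REFUSED))
```

Calling probe() with the link-local server address from the log, zone suffix included, returns "dns:REFUSED" only when a nameserver actually received the query and declined it.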