
Re: iwd + systemd-networkd + resolvconf wrinkles



David Wright wrote:
As I said, I tried that.

Ack. I must have glossed over that. Sorry. The rest of my mail stands,
though.

You can configure various settings for the DNS resolver in your
systemd-networkd setting and in /etc/systemd/resolved.conf.

Like what?

Full description here:
https://www.freedesktop.org/software/systemd/man/systemd.network.html#%5BDHCPv4%5D%20Section%20Options
https://www.freedesktop.org/software/systemd/man/resolved.conf.html

But what I find useful is to be able to select per interface if DNS
should be used from the DHCP server, if there is a clash.
I also ended up disabling DNSSEC on some machines due to a broken
server.

On bookworm you also have the resolvectl tool, which helps debugging DNS
issues.

And bullseye has that too. I don't really know how to use it.

Cool. If you just type resolvectl, it will show you which information it
got on each interface.
You can also debug your slow queries by using "resolvectl query
google.com". It will show you which interface the query goes out on and
how long it took to get the response.

There seem to be timeouts involved in most cases, so "time ping -c 1 foo"
will typically take 15 sec, and host lookups will take 10 or 20 sec.

That is far too long. A wild guess: you may have received a bunch of
unresponsive DNS servers from your DHCP reply, and your machine is
trying to use them in turn, until it finds a working server?
DNSSEC problem? Or do you get IPv6 addresses for the DNS server, but
they are not reachable?

You can try debugging this with the resolvectl tool, to find out the
list of the servers. Then query them with the dig tool from the
bind9-dnsutils package:

dig google.com @8.8.8.8

Replace the IP address in @8.8.8.8 with an IP from the output of
resolvectl.

# resolvectl query smtp.lionunicorn.co.uk   answered in 57.6 secs.
# resolvectl query lionunicorn.co.uk   failed with:
lionunicorn.co.uk: resolve call failed: Query timed out

On my machine I get:

# resolvectl query smtp.lionunicorn.co.uk
smtp.lionunicorn.co.uk: 149.255.60.149         -- link: vlan3512

-- Information acquired via protocol DNS in 31.0ms.
-- Data is authenticated: no

Try running the queries with dig, as described above.

The debug output is difficult to interpret, though I did notice that
it was reporting "cache misses" repeatedly on the same address (but
there must be some caching going on, because there was an occasional
hit being reported).

It really sounds like some of the DNS servers are not reachable.

The idea of "debugging DNS issues" doesn't exactly thrill me. I'm
imagining a scenario where I'm sitting in an airport or motel room,
having managed to make a connection with iwd and negotiate their
captive portal or whatever, and then run into /this/ problem.

Ack, fully understand. I do think there is something broken in your
network setup, or the server that gives you the list of DNS servers is not
configured correctly.

If you have found a way to fix the problem, or work around it, by using
another tool, and this works for you, all the power to you. :-)

Cheers
Thomas
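The two steps Thomas describes (read the per-link server list out of resolvectl, then probe each server with dig and look at the response time) can be put into one script. This is an added example, not code from the thread or from systemd; the resolvectl status text it parses is a constructed sample laid out like the documented output (one-line "DNS Servers:" on newer systemd, one server per continuation line on older releases such as bullseye), so check it against what your own version prints. The dig options used (+time, +tries, +noall, +stats) are real; the script name and the "check" subcommand are my own.

```shell
#!/bin/sh
# dns-check.sh: list the DNS servers systemd-resolved knows per link and
# time one query against each with dig, to spot servers that never answer.
# Usage: sh dns-check.sh check [name]    (name defaults to google.com)

# Constructed sample of `resolvectl status`, mixing the newer one-line
# "DNS Servers:" layout (eth0) with the older multi-line layout (wlan0).
# Addresses are documentation ranges, not real servers.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.0.2.1
       DNS Servers: 192.0.2.1 2001:db8::1
        DNS Domain: lan

Link 3 (wlan0)
      Current Scopes: DNS
  Current DNS Server: 192.0.2.53
         DNS Servers: 192.0.2.53
                      192.0.2.54
          DNS Domain: ~.'

# dns_servers_from_status: read `resolvectl status` text on stdin and print
# "<link> <server>" pairs, one per line, handling both layouts above.
dns_servers_from_status() {
    awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); in_dns = 0; next }
        /^Global/          { link = "global"; in_dns = 0; next }
        /^ *$/             { in_dns = 0; next }
        /^ *DNS Servers:/ {
            sub(/^ *DNS Servers:/, "")          # keep only the addresses
            for (i = 1; i <= NF; i++) print link, $i
            in_dns = 1; next
        }
        # Older systemd continues the server list on indented lines that
        # carry no "Key:" prefix; anything that looks like a key ends it.
        in_dns && !/^ *[A-Z][A-Za-z ]*: / { for (i = 1; i <= NF; i++) print link, $i; next }
        { in_dns = 0 }
    '
}

# time_dns_query NAME SERVER: ask one server directly, with a 3 s cap and a
# single try so a dead server costs at most 3 s, and report dig's query time.
time_dns_query() {
    name=$1
    server=$2
    command -v dig >/dev/null 2>&1 || { echo "dig not installed (bind9-dnsutils)"; return 1; }
    if out=$(dig +time=3 +tries=1 +noall +stats "$name" "@$server" 2>&1); then
        # dig prints ";; Query time: 31 msec"; field 4 is the number
        printf '%s\n' "$out" | awk '/Query time:/ { print $4 " ms"; exit }'
    else
        echo "no answer (timeout or error)"
        return 1
    fi
}

# check NAME: run the probe against every configured server.
check() {
    name=${1:-google.com}
    if command -v resolvectl >/dev/null 2>&1; then
        status=$(resolvectl status)
    else
        echo "resolvectl not found; using the constructed sample status" >&2
        status=$SAMPLE_STATUS
    fi
    printf '%s\n' "$status" | dns_servers_from_status | while read -r link server; do
        printf '%-8s %-40s %s\n' "$link" "$server" "$(time_dns_query "$name" "$server")"
    done
}

case "${1:-}" in
    check) check "${2:-}" ;;
esac
```

A server that shows "no answer" here is the kind of entry that makes the resolver wait through its own timeout before moving on, which is consistent with the 10-20 s lookups reported above; an IPv6 server address on a link with no working IPv6 route will show up the same way.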

