
Re: systemd-resolved resolving fails sometimes on Debian12




On 3/3/24 22:39, Victor Sudakov wrote:
> jeremy ardley wrote:
>> On 3/3/24 12:43, Victor Sudakov wrote:
>>> Not that I would use bind9 as a caching resolver but still, how
>>> do you pass the dynamically obtained AWS DNS server address from
>>> systemd-networkd to bind9 ?
>>
>> The AWS DNS resolver IPs are static and are widely published.
> Do you mean 169.254.169.253?


That IP address is a non-routable AWS internal address for internal DNS services. It is not the public IP address.

There is some convention that address 2 in non-routable address ranges allocated to customers is also a DNS server address. So 10.0.0.2 is a DNS server.

The actual public source addresses used by AWS DNS servers are not well defined and may vary by region.

It is permissible to not use AWS resolvers for upstream.

If you want to use AWS resolvers you may run into the problem that some RBL
services reject queries from 'well known' free DNS servers; that may include
AWS resolver addresses.

>> systemd-networkd without systemd-resolved maintains a list of DNS servers in
>> /etc/resolv.conf that can be used by local services.
> Do you just disable the systemd-resolved service or do you remove the
> systemd-resolved package completely?

I completely removed systemd-resolved as when it is installed it changes the DNS configuration to be non-standard.



> If you disable it, you are also supposed to remove the "resolve"
> service from nsswitch.conf, right?

I am not sure what you mean by resolve service. The current user manual for nsswitch has

hosts:          dns [!UNAVAIL=return] files

which seems to be some new spin. It has always been the practice to use files and then dns if nothing found:

hosts: files dns

In neither case is systemd-resolved required. The resolution uses the contents of /etc/resolv.conf to choose a resolver.



>> You can override dynamic setting of the dns resolvers in the
>> systemd-networkd configuration to use a local caching resolver such as
>> bind9, usually listening at 127.0.0.1:53
> What would this be for? Sorry, I did not understand this step.

I was in error stating that. You need to manually edit /etc/resolv.conf to contain a line

nameserver 127.0.0.1

and configure bind9 to listen on that:

options {
    listen-on { 127.0.0.1; };
    // other options like directory, allow-query, etc.
    recursion yes;
    // Additional configuration to ensure it acts as a caching server
};


>> You can then configure bind 9 as a caching only DNS resolver and set
>> appropriate upstream (forwarder) sites, or none at all defaulting to the
>> root servers.
>
> Thank you for the ideas, I may use them but first I would like to do
> something about the obvious bug in systemd-resolved.
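A fuller caching-only bind9 options block along the lines of the fragment above, added here as an example and not taken from the thread; the file path is the usual Debian one, and the commented-out forwarder uses the VPC ".2" resolver address mentioned earlier in the thread as an assumed upstream.

```text
// /etc/bind/named.conf.options (assumed Debian path) for a caching-only
// resolver that serves only the local host.
options {
    directory "/var/cache/bind";

    // Listen on loopback only, v4 and v6, so nothing reaches it from the network.
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };

    // Restrict queries and recursion to local processes as well, so a later
    // change to listen-on cannot quietly turn this into an open resolver.
    allow-query { localhost; };
    allow-recursion { localhost; };
    recursion yes;

    // Validate answers against the packaged root trust anchor.
    dnssec-validation auto;

    // Optional upstream. Left commented out: with no forwarders BIND recurses
    // from the root servers. 10.0.0.2 is the VPC resolver discussed above.
    // forwarders { 10.0.0.2; };
    // forward only;
};
```

Run named-checkconf before restarting bind9, and keep /etc/resolv.conf down to the single `nameserver 127.0.0.1` line so local services use this resolver and nothing else.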


