Ubuntu DNS adjustment

Ubuntu Netplan

How to Change DNS

Working within the systemd paradigm, add per-link DNS servers through systemd-networkd.

On Ubuntu 17.10+ (networkd under netplan) add a *.network file. Put it under /etc/systemd/network rather than /lib/systemd/network, which is the vendor directory (see the systemd.network excerpt below): sudo nano /etc/systemd/network/100-somecustom.network :

Caveat: networkd applies only the first file, in lexical order across /etc, /run and /lib, whose [Match] fits the device. If netplan already manages wlo1, its generated 10-netplan-wlo1.network sorts before 100-somecustom.network and the custom file is never consulted. In that case either put the DNS= lines in a drop-in directory over the netplan file (the mechanism described in the excerpt below) or add them as nameservers: in the netplan YAML and run netplan apply.

[Match]
Name=wlo1

[Network]
# add multiple DNS servers, one DNS= line each; a comment must start its own line,
# "[Network] # ..." is not a valid section header
DNS=8.8.8.8
DNS=208.67.222.222

Then restart networkd:

sudo systemctl restart systemd-networkd    (older form: sudo service systemd-networkd restart)

On a netplan-managed system, netplan apply regenerates the files in /run/systemd/network and restarts networkd, so run it after editing the netplan YAML:

sudo netplan apply

Then check that the link picked up the servers:

systemd-resolve --status wlo1    (resolvectl status wlo1 on Ubuntu 18.10 and later)

From the systemd.network(5) manual page:

In addition to /etc/systemd/network, drop-in “.d” directories can be placed in /lib/systemd/network or /run/systemd/network directories. Drop-in files in /etc take precedence over those in /run which in turn take precedence over those in /lib. Drop-in files under any of these directories take precedence over the main netdev file wherever located. (Of course, since /run is temporary and /usr/lib is for vendors, it is unlikely drop-ins should be used in either of those places.)
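Putting the steps above together, here is a small script, added as an example and not part of the original notes, that installs the DNS servers as a drop-in over whatever network file currently manages the link, so it works even when netplan's generated file already matches the interface. It assumes a hypothetical interface wlo1 whose unit `networkctl status wlo1` reports as /run/systemd/network/10-netplan-wlo1.network; the script name set-dns.sh and the APPLY_DNS switch are my own, and the DNS addresses are the ones from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: give a netplan-managed interface
# extra DNS servers via a systemd-networkd drop-in under /etc, so the setting
# overrides the generated unit in /run without replacing it.
# Assumptions (hypothetical): the interface is wlo1, and `networkctl status wlo1`
# reports "Network File: /run/systemd/network/10-netplan-wlo1.network".

# Accept only dotted-quad IPv4 with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Drop-in path for a network file: /etc/.../<name>.d/*.conf overrides <name>
# wherever the main file lives (systemd.network(5), quoted above).
dropin_path_for() {
    printf '/etc/systemd/network/%s.d/dns.conf\n' "$(basename "$1")"
}

# Render the drop-in. Comments must start a line: a trailing "# ..." after
# "[Network]" is not a comment to systemd, it breaks the section header.
render_dropin() {
    iface="$1"; shift
    printf '# DNS override for %s, added by set-dns.sh\n[Network]\n' "$iface"
    for dns in "$@"; do
        valid_ipv4 "$dns" || { echo "rejecting DNS address: $dns" >&2; return 1; }
        printf 'DNS=%s\n' "$dns"
    done
}

# Live steps: need root, systemd-networkd and the interface up.
apply_dns() {
    iface="$1"; shift
    netfile=$(networkctl status "$iface" | sed -n 's/.*Network File: //p' | head -n 1)
    [ -n "$netfile" ] || { echo "networkd does not manage $iface" >&2; return 1; }
    body=$(render_dropin "$iface" "$@") || return 1
    target=$(dropin_path_for "$netfile")
    mkdir -p "$(dirname "$target")"
    printf '%s\n' "$body" > "$target"
    systemctl restart systemd-networkd
    # resolvectl replaces systemd-resolve on systemd 239+ (Ubuntu 18.10 and later).
    resolvectl status "$iface" 2>/dev/null || systemd-resolve --status "$iface"
}

# Only touch the system when explicitly asked: APPLY_DNS=1 sh set-dns.sh
if [ "${APPLY_DNS:-0}" = 1 ]; then
    apply_dns wlo1 8.8.8.8 208.67.222.222
fi
```

The rendering and path logic are kept separate from the live steps so they can be checked without root; the drop-in survives netplan apply, because netplan only rewrites the main file in /run, not drop-ins under /etc.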

Another approach: disable the DNSStubListener, so that systemd-resolved no longer listens on 127.0.0.53:

sudo nano /etc/systemd/resolved.conf

(under the [Resolve] section)
DNSStubListener=no

then sudo systemctl restart systemd-resolved. After this, /etc/resolv.conf must not point at 127.0.0.53 any more; on Ubuntu it is a symlink to /run/systemd/resolve/stub-resolv.conf, so re-point it at /run/systemd/resolve/resolv.conf, which lists the real upstream servers. Otherwise every lookup fails with "Temporary failure in name resolution" because nothing answers on the stub address.

Related:

How to resolve “Temporary failure in name resolution” issue

sudo ufw allow out 53,113,123/udp

(This opens outbound UDP 53 (DNS), 113 (ident) and 123 (NTP) only. Answers too large for a UDP datagram, which is common with DNSSEC, are retried over TCP 53, which this rule does not cover.)

https://ubuntuforums.org/showthread.php?t=2391351&s=adb88d3358fcc695b8480334fcbe2ba9&p=13765197#post13765197

I’ve experienced it after upgrading (server edition) from 16.04 to 18.04, and apparently the solution was to disable systemd-resolved as:

sudo systemctl disable systemd-resolved 

and then reboot

sudo reboot 

I found info about that here:

It appears that on server edition, systemd-resolved is conflicting with netplan.

Ubuntu network testing commands

apt policy netplan.io    (the Ubuntu package is netplan.io; "netplan" is an unrelated package)

ip address

ip route

cat /etc/network/interfaces

cat /etc/resolv.conf

cat /etc/nsswitch.conf

nslookup ubuntu.com

dig ubuntuforums.org

ping 192.168.40.20

Ping

Can you ping the name servers from pfSense?

What about tracerouting to them?

Can you try these commands instead of using nslookup?

dig @8.8.8.8 www.google.com
dig @208.67.220.220 www.google.com
dig @208.67.222.222 www.google.com

My guess is there’s something about the source address being used for your DNS queries sourced from pfSense that’s not routable somehow.

You can set the bind address (source address) for the outgoing query like this. It has to be an address on pfSense itself:

dig -b 192.168.1.1 @208.67.222.222 www.google.com

In the quick testing I just did, that will succeed if there is outbound NAT for 192.168.1.0/24 and fail (timeout) if not so it appears to be doing what’s intended.

I couldn’t quickly find a way to tell dig to report the bind address used automatically. You might be able to catch it looking at the states. Certainly if you enable a floating match rule for TCP/UDP 53 on WAN out with logging you should get the address being used in the firewall logs.

Finally I found the problem: it was an iptables issue. I didn’t remember where I changed this rule, but all UDP packets were set to DROP:

iptables -A INPUT -p udp -i $EXT_INTERFACE -j DROP

Setting it to ACCEPT resolves the problem:

iptables -A INPUT -p udp -i $EXT_INTERFACE -j ACCEPT
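The rule above fixes resolution by accepting every inbound UDP datagram on the external interface, which also exposes any UDP service the host runs. The following is an added example (not from the post) of the stateful alternative: DNS replies belong to a flow that conntrack already saw leaving, so they are let in without opening UDP. The interface name eth0 behind EXT_INTERFACE, the script name dns-fw.sh and the APPLY_RULES switch are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the post above: allow DNS replies with a stateful
# rule instead of accepting all inbound UDP on the WAN interface.
# Assumption (hypothetical): the external interface is eth0.

EXT_INTERFACE="${EXT_INTERFACE:-eth0}"

# What the post applied: unconditional inbound UDP accept on the WAN side.
weak_rules() {
    echo "iptables -A INPUT -p udp -i $EXT_INTERFACE -j ACCEPT"
}

# Stateful version. Order matters with -A: the ESTABLISHED,RELATED accept must
# come before the final UDP DROP or the replies never reach it. TCP 53 is
# allowed out as well, because answers that do not fit a UDP datagram (common
# with DNSSEC) are truncated and the resolver retries over TCP.
hardened_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE -p udp -j DROP
EOF
}

# Audit helper: count INPUT rules that accept UDP without a connection-state match.
# Takes the name of a function that prints rules, one iptables command per line.
stateless_udp_accepts() {
    "$1" | awk '/-A INPUT/ && /-p udp/ && /-j ACCEPT/ && !/--ctstate/ { n++ } END { print n + 0 }'
}

# Apply for real only on request (needs root): APPLY_RULES=1 sh dns-fw.sh
if [ "${APPLY_RULES:-0}" = 1 ]; then
    hardened_rules | sh -e
    iptables -S INPUT
fi
```

The same audit helper can be pointed at the live ruleset by feeding it a function that runs iptables -S INPUT, which is a quick way to catch a blanket UDP accept that was added during troubleshooting and never removed.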

This is an old post, but I just resolved this exact issue, which in my case turned out to be having DNSSEC enabled. Try disabling DNSSEC to see if your clients can then resolve names.

Configuring iptables on Ubuntu 14.04

DNSSEC validation error

https://www.hecticgeek.com/2017/04/ubuntu-17-04-systemd-dns-issues/

So obviously it is a DNSSEC validation error. Now DNSSEC is a DNS related security check that verifies the integrity of the DNS data. ‘systemd-resolved’ does let you turn the DNSSEC checking OFF. So that’s what I did next (it’s easy. You just have to open /etc/systemd/resolved.conf and comment out “DNSSEC” and replace “allow-downgrade” with “off“) and it worked like a charm.

However, since DNSSEC is there to protect you from outside infiltration, it’s not recommended to turn it OFF. So what is the solution then? Well, the easiest solution I saw was to totally disable the troublesome ‘systemd-resolved’ service and replace it with a similar utility, one that actually works.

Then as shown in the below screenshot, comment out #DNSSEC=allow-downgrade and replace allow-downgrade with off.


Once done press Ctrl + x keys to save the changes, and when asked to confirm, press y and then hit Enter. Then simply restart ‘systemd-resolved’ service so the changes are applied. For that, enter the below command:

sudo systemctl restart systemd-resolved

That’s it. But remember, now you’re running DNS queries without DNSSEC which could create security risks. If you don’t feel comfortable with this, then roll back the changes you made to the configuration file and simply follow the below steps to replace ‘systemd-resolved’ with ‘unbound’.
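The dig tests in the pfSense reply above and the DNSSEC section both come down to reading dig output correctly: no reply at all points at the firewall or the route (the iptables UDP DROP case), while a SERVFAIL that turns into an answer when checking is disabled (+cd) is a validation failure. The script below is an added example, not from the thread or the article, that classifies dig transcripts and runs that comparison. The sample transcripts are constructed header lines, not captured output; the PROBE_* variables and the probe function are my own. The +cd comparison assumes the queried server is a validating resolver that honours the CD bit, which Google Public DNS (8.8.8.8, queried directly in the thread) does; for systemd-resolved itself, resolvectl statistics (systemd-resolve --statistics on older releases) shows the Bogus verdict count, which climbs when validation is what fails.

```shell
#!/bin/sh
# Added example, not from the pfSense thread or the article: classify dig
# output so the failure modes discussed above can be told apart.
#   timeout           -> no reply at all (firewall state rules, route, source address)
#   servfail, +cd ok  -> the resolver validates DNSSEC and rejects the answer
#   servfail, +cd servfail -> upstream is broken regardless of DNSSEC
# Assumption: the server honours the CD (checking disabled) bit.

# Classify one dig transcript: ok | servfail | nxdomain | timeout | unparsed | other:<STATUS>
classify_dig() {
    case "$1" in
        *"no servers could be reached"*) echo timeout; return 0 ;;
    esac
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)  echo ok ;;
        SERVFAIL) echo servfail ;;
        NXDOMAIN) echo nxdomain ;;
        "")       echo unparsed ;;
        *)        echo "other:$status" ;;
    esac
}

# Combine the plain query's class ($1) with the +cd query's class ($2).
diagnose() {
    case "$1/$2" in
        ok/*)            echo "ok: the resolver answers, look elsewhere" ;;
        timeout/timeout) echo "network: no reply at all, check firewall state rules, routes and the source address (dig -b)" ;;
        servfail/ok)     echo "dnssec: the resolver validates and rejects the answer, the same query passes with +cd" ;;
        servfail/*)      echo "upstream: SERVFAIL even with checking disabled, not a DNSSEC problem" ;;
        nxdomain/*)      echo "nxdomain: the name does not exist as asked (check search domains)" ;;
        *)               echo "unknown: plain=$1 cd=$2" ;;
    esac
}

# Live probe: probe <server> <name> [source-address]; needs dig and network access.
# The optional source address maps to dig -b, as in the pfSense reply.
probe() {
    srcopt=""
    if [ -n "$3" ]; then srcopt="-b $3"; fi
    plain=$(dig +time=3 +tries=1 $srcopt @"$1" "$2" 2>&1)
    nocheck=$(dig +time=3 +tries=1 +cd $srcopt @"$1" "$2" 2>&1)
    diagnose "$(classify_dig "$plain")" "$(classify_dig "$nocheck")"
}

# Constructed sample transcripts (header lines only, not captured from a real host).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Run against a real server only on request:
#   PROBE_SERVER=8.8.8.8 PROBE_NAME=www.google.com [PROBE_SOURCE=192.168.1.1] sh dns-diag.sh
if [ -n "${PROBE_SERVER:-}" ]; then
    probe "$PROBE_SERVER" "${PROBE_NAME:-www.google.com}" "${PROBE_SOURCE:-}"
fi
```

Run it with PROBE_SERVER set to each upstream in turn; a "network" verdict for every server is the firewall or routing case, a "dnssec" verdict for all of them means the problem is in what the resolver is being asked to validate, not in the firewall, and turning validation off only hides it.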

How To List and Delete Iptables Firewall Rules on Ubuntu 16.04


Flush All Rules, Delete All Chains, and Accept All
Note: This will effectively disable your firewall. You should only follow this section if you want to start over the configuration of your firewall.

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X