Arch Linux systemd-resolve not resolving DNS

hi52 (New Member, joined Apr 11, 2025)
Hi, I have a small desktop/home network on which local applications aren't able to resolve DNS.
For example:
Code:
dig reddit.com
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.20.7 <<>> reddit.com
;; global options: +cmd
;; no servers could be reached


Golang also fails to install:

go install -v golang.org/x/tools/gopls@latest
go: golang.org/x/tools/gopls@latest: module golang.org/x/tools/gopls: Get "https://proxy.golang.org/golang.org/x/tools/gopls/@v/list": dial tcp: lookup proxy.golang.org on [::1]:53: read udp [::1]:51901->[::1]:53: read: connection refused


ping works
ping reddit.com
PING reddit.com (2a04:4e42::396) 56 data bytes
64 bytes from 2a04:4e42::396: icmp_seq=1 ttl=54 time=25.9 ms
64 bytes from 2a04:4e42::396: icmp_seq=2 ttl=54 time=23.3 ms


I suspect that systemd-resolve or systemd-network is not set up or working properly.
This is my current configuration:

cat /etc/systemd/network/25-wireless.network
[Match]
Name=wlp1s0f0u10

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
IgnoreCarrierLoss=3s
#DNS=127.0.0.1


cat /etc/systemd/network/20-wired.network
[Match]
Name=enp8s0

[Link]
RequiredForOnline=no

[Network]
Address=20.21.22.1/24
DHCPServer=true
IPMasquerade=ipv4

[DHCPServer]
PoolOffset=100
PoolSize=20
EmitDNS=yes
#DNS=8.8.8.8


cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file (or a copy of it placed in
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in
# the /etc/systemd/resolved.conf.d/ directory. The latter is generally
# recommended. Defaults can be restored by simply deleting the main
# configuration file and all drop-ins located in /etc/.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
FallbackDNS=8.8.4.4
#FallbackDNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
ReadEtcHosts=no
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0


(I think this was generated automatically; I think it works.)
sudo nft list ruleset
table ip io.systemd.nat {
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 20.21.22.0/24 }
    }

    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }

    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;
        fib daddr type local dnat ip to meta l4proto . th dport map @map_port_ipport
    }

    chain output {
        type nat hook output priority dstnat + 1; policy accept;
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        ip saddr @masq_saddr masquerade
    }
}
table ip6 io.systemd.nat {
    set masq_saddr {
        type ipv6_addr
        flags interval
    }

    map map_port_ipport {
        type inet_proto . inet_service : ipv6_addr . inet_service
    }

    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;
        fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
    }

    chain output {
        type nat hook output priority dstnat + 1; policy accept;
        ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        ip6 saddr @masq_saddr masquerade
    }
}


resolvectl status
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8
Fallback DNS Servers: 8.8.4.4

Link 2 (enp8s0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no

Link 3 (wlp1s0f0u10)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 206.248.154.170
       DNS Servers: 206.248.154.22 206.248.154.170 2607:f2c0::1 2607:f2c0::2
     Default Route: yes


sudo ss -tlnup
Netid  State   Recv-Q  Send-Q                               Local Address:Port         Peer Address:Port       Process                                         
udp    UNCONN  0       0                                       127.0.0.54:53                0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=22))      
udp    UNCONN  0       0                                    127.0.0.53%lo:53                0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=20))      
udp    UNCONN  0       0                                   0.0.0.0%enp8s0:67                0.0.0.0:*           users:(("systemd-network",pid=452,fd=33))      
udp    UNCONN  0       0                         192.168.0.51%wlp1s0f0u10:68                0.0.0.0:*           users:(("systemd-network",pid=452,fd=38))      
udp    UNCONN  0       0                                      224.0.0.251:5353              0.0.0.0:*           users:(("chrome",pid=1088,fd=188))             
udp    UNCONN  0       0                                      224.0.0.251:5353              0.0.0.0:*           users:(("chrome",pid=1088,fd=183))             
udp    UNCONN  0       0                                          0.0.0.0:5353              0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=15))      
udp    UNCONN  0       0                                          0.0.0.0:5355              0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=11))      
udp    UNCONN  0       0          [fe80::4a8f:4cff:fef6:d2db]%wlp1s0f0u10:546                  [::]:*           users:(("systemd-network",pid=452,fd=39))      
udp    UNCONN  0       0                                             [::]:5353                 [::]:*           users:(("systemd-resolve",pid=432,fd=16))      
udp    UNCONN  0       0                                             [::]:5355                 [::]:*           users:(("systemd-resolve",pid=432,fd=13))      
tcp    LISTEN  0       4096                                 127.0.0.53%lo:53                0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=21))      
tcp    LISTEN  0       4096                                       0.0.0.0:5355              0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=12))      
tcp    LISTEN  0       4096                                    127.0.0.54:53                0.0.0.0:*           users:(("systemd-resolve",pid=432,fd=23))      
tcp    LISTEN  0       4096                                          [::]:5355                 [::]:*           users:(("systemd-resolve",pid=432,fd=14))      


resolvectl query reddit.com
reddit.com: 2a04:4e42:400::396                 -- link: wlp1s0f0u10
            2a04:4e42:600::396                 -- link: wlp1s0f0u10
            2a04:4e42::396                     -- link: wlp1s0f0u10
            2a04:4e42:200::396                 -- link: wlp1s0f0u10
            151.101.65.140                     -- link: wlp1s0f0u10
            151.101.1.140                      -- link: wlp1s0f0u10
            151.101.193.140                    -- link: wlp1s0f0u10
            151.101.129.140                    -- link: wlp1s0f0u10

-- Information acquired via protocol DNS in 31.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
 


If ping works by hostname, then DNS is working. I do see that dig couldn't reach reddit on port 53. Is your proxy blocking it?

What is the output from:
resolvectl

Does
curl -v reddit.com
work?
 
Hi, thanks for the reply.

resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8
Fallback DNS Servers: 8.8.4.4

Link 2 (enp8s0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no

Link 3 (wlp1s0f0u10)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 206.248.154.170
       DNS Servers: 206.248.154.22 206.248.154.170 2607:f2c0::1 2607:f2c0::2
     Default Route: yes
curl -v reddit.com
* Host reddit.com:80 was resolved.
* IPv6: 2a04:4e42:200::396, 2a04:4e42:600::396, 2a04:4e42::396, 2a04:4e42:400::396
* IPv4: 151.101.1.140, 151.101.129.140, 151.101.65.140, 151.101.193.140
*   Trying [2a04:4e42:200::396]:80...
* Connected to reddit.com (2a04:4e42:200::396) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: reddit.com
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Connection: close
< Content-Length: 0
< Retry-After: 0
< Location: https://reddit.com/
< Accept-Ranges: bytes
< Date: Sat, 12 Apr 2025 03:09:09 GMT
< Via: 1.1 varnish
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Cache-Control: private, max-age=3600
< Server: snooserv
< Report-To: {"group": "w3-reporting-nel", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting-nel.reddit.com/reports" }]}, {"group": "w3-reporting", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting.reddit.com/reports" }]}, {"group": "w3-reporting-csp", "max_age": 14400, "include_subdomains": true, "endpoints": [{ "url": "https://w3-reporting-csp.reddit.com/reports" }]}
< NEL: {"report_to": "w3-reporting-nel", "max_age": 14400, "include_subdomains": false, "success_fraction": 1.0, "failure_fraction": 1.0}
<
* shutting down connection #0



After a brief Google search I found some ideas I may try:


I also updated the nft rules and tested; same problem.


flush ruleset

table ip filter {
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "enp8s0" accept
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        iif lo accept comment "accept loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        #tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "enp8s0" oifname "wlp1s0f0u10" accept
        iifname "wlp1s0f0u10" oifname "enp8s0" ct state related,established accept
    }
}
 
I suppose your problem is that you're missing a firewall rule for the loopback NIC.
You're dropping spoofed loopback traffic but don't allow legitimate loopback anywhere; you only allow physical NICs.

To quickly test it disable firewall and try dig again.

Bash:
sudo nft flush ruleset
sudo systemctl stop nftables

dig linux.org
 
Hi, thanks, good idea. I tried it and got the same thing. :)

dig linux.org
Code:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.20.7 <<>> linux.org
;; global options: +cmd
;; no servers could be reached
 
OK, it works now; I hadn't set up the symlink properly.


dig reddit.com
Code:
; <<>> DiG 9.20.7 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36965
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;reddit.com.            IN    A

;; ANSWER SECTION:
reddit.com.        289    IN    A    151.101.193.140
reddit.com.        289    IN    A    151.101.129.140
reddit.com.        289    IN    A    151.101.1.140
reddit.com.        289    IN    A    151.101.65.140

;; Query time: 30 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Apr 14 14:38:36 EDT 2025
;; MSG SIZE  rcvd: 103



sudo ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

At one point I tried something like this, but it wasn't the correct command (I don't think).

Go also installs now.
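Editor's note with an added example (not code from the thread or from systemd). The tell in the original post is "resolv.conf mode: foreign" next to an `ss` listing where systemd-resolved only listens on 127.0.0.53 and 127.0.0.54: programs that go through NSS (ping, resolvectl, curl) were answered by resolved directly, while stub resolvers that read /etc/resolv.conf themselves (dig, Go's net package) found no usable nameserver and fell back to their compiled-in defaults of 127.0.0.1 and ::1, where nothing listens, hence "connection refused". The script below checks exactly that mismatch offline: it takes the text of resolv.conf and the output of `ss` as strings, so the sample input at the bottom is constructed from this thread and the live invocation (which assumes `ss -H` for header-less output) is only shown in a comment.

```shell
#!/bin/sh
# Added diagnostic for the failure mode in this thread (not from the thread
# or from systemd). Inputs are passed as strings so it runs offline.

# Print the nameserver addresses a /etc/resolv.conf reader would try.
# No "nameserver" lines (missing or empty file) means the stub resolver
# falls back to its built-in defaults, which is what dig and Go do.
stub_nameservers() {
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }')
    if [ -z "$ns" ]; then
        printf '127.0.0.1\n::1\n'      # compiled-in defaults of dig and Go
    else
        printf '%s\n' "$ns"
    fi
}

# Print the local addresses that have a port-53 listener, from ss output.
# ss prints "127.0.0.53%lo:53" or "[::1]:53"; strip the port, the %iface
# scope suffix and the IPv6 brackets.
dns_listeners() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:53$/) print $i }' \
        | sed -e 's/:53$//' -e 's/%[A-Za-z0-9_.-]*//' -e 's/^\[//' -e 's/\]$//' \
        | sort -u
}

# True for addresses that can only be answered by a daemon on this host.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per nameserver: "<addr> ok", "<addr> remote" or
# "<addr> NO-LISTENER". Returns 1 when any loopback nameserver has no
# listener, which is exactly the "connection refused" dig reported.
check_resolv() {
    resolv_text="$1"; ss_text="$2"; bad=0
    listeners=$(dns_listeners "$ss_text")
    for ns in $(stub_nameservers "$resolv_text"); do
        if ! is_loopback "$ns"; then
            printf '%s remote\n' "$ns"
        elif printf '%s\n' "$listeners" | grep -qxF -- "$ns"; then
            printf '%s ok\n' "$ns"
        else
            printf '%s NO-LISTENER\n' "$ns"; bad=1
        fi
    done
    return $bad
}

# Constructed sample, taken from the `ss -tlnup` listing in this thread:
# resolved listens on 127.0.0.53 and 127.0.0.54 only.
SAMPLE_SS='udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=22))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=20))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=21))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("systemd-resolve",pid=432,fd=15))'

# Before the fix: no resolv.conf content -> defaults -> nothing listening.
check_resolv '' "$SAMPLE_SS" || echo "stub resolvers would get connection refused"
# After the symlink to stub-resolv.conf: nameserver 127.0.0.53 is served.
check_resolv 'nameserver 127.0.0.53' "$SAMPLE_SS"

# Live use on a resolved host (assumes ss -H for header-less output):
# check_resolv "$(cat /etc/resolv.conf)" "$(ss -Hlnup; ss -Hlntp)"
```

If the first check reports NO-LISTENER for 127.0.0.1 and ::1 while `ss` shows resolved on 127.0.0.53, the fix is the symlink from the last post (`ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`), after which `resolvectl status` reports "resolv.conf mode: stub" instead of "foreign".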
 

