
I have a home network. The DHCP lease works for every other system / appliance but Ubuntu 22, in that I hand out my local DNS server (with its local subnet / zones) as the primary DNS server, 172.16.100.22, and DHCP lists the secondary DNS server as 8.8.8.8, which is the fallback in case my local DNS server (services) dies or I am fixing things, so clients revert back to Google if my lab is fubar (keep wife / kids happy).

But ...

Ubuntu resolver

resolvectl status

Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
       DNS Servers: 172.16.100.22 8.8.8.8 fe80::9e65:f9ff:fe38:6d27%21971
        DNS Domain: lan penguinpages.local

Link 3 (eth1)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

DHCP lease for Windows VMs

Ethernet adapter vEthernet (External):

   Connection-specific DNS Suffix  . : penguinpages.local
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 80-6D-97-05-09-12
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.100.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, June 27, 2022 8:33:22 AM
   Lease Expires . . . . . . . . . . : Tuesday, July 5, 2022 12:03:02 PM
   Default Gateway . . . . . . . . . : 172.16.100.1
   DHCP Server . . . . . . . . . . . : 172.16.100.1
   DNS Servers . . . . . . . . . . . : 172.16.100.22
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

/etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search penguinpages.local

I don't want to rip apart anything standard within Ubuntu, but I need it to stop flipping around on DNS.

Fresh boot DNS lookup

nerd@lt:~/.ssh$ resolvectl status
Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 172.16.100.22
         DNS Servers: 172.16.100.22
Fallback DNS Servers: 8.8.8.8
          DNS Domain: penguinpages.local

Link 2 (eth0)

nerd@lt:~/.ssh$ nslookup ados.penguinpages.local
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   ados.penguinpages.local
Address: 172.16.100.22
Name:   ados.penguinpages.local
Address: 172.16.101.22

but 20 min later...

nerd@lt:~$ resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
       DNS Servers: 172.16.100.22 8.8.8.8 fe80::9e65:f9ff:fe38:6d27%21971
        DNS Domain: lan penguinpages.local
Link 3 (eth1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
nerd@lt:~$ nslookup cka01.penguinpages.local
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find cka01.penguinpages.local: NXDOMAIN

I realize it is caching things, so resolution of "ados.penguinpages.local" still works, but any new DNS entries added dynamically or in real time start failing.

I just need it to pin to the primary DNS server and STOP moving to secondary.

I was watching /var/log/syslog for any note of a timeout on DNS or some reason why it would flip, but there is nothing in that log.

I also tried to manually affect this behavior via

sudo vi /etc/systemd/resolved.conf

#DNS=
DNS=172.16.100.22
#FallbackDNS=
FallbackDNS=8.8.8.8
#Domains=
Domains=penguinpages.local
#DNSSEC=no
#DNSOverTLS=no

But this did not fix things

Question

  1. How do I get Ubuntu DNS to NOT flip the DNS server lookup to the secondary if the primary is working?
  2. How can I keep using DHCP, but override DNS and so just drop to a single local DNS server as a workaround?

PS: This also affects all shells, where characters no longer echo back as you type (this is the first symptom you get that things have "flipped"). The "fix" is the "reset" command, which, I am not sure, but my guess is, helps Wayland recover once DNS has flipped and is now fubar.

muru
  • For systems with recent versions of NetworkManager, the options ipv4.ignore-auto-dns and ipv6.ignore-auto-dns set to yes using nmcli con $CON mod work perfectly, in conjunction with setting a value for additional DNS server in the setting using ipv4.dns and ipv6.dns . – Samveen Jan 03 '23 at 10:34
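Added example, not part of the question, the comment or either answer: a small POSIX shell check that reads the text of `resolvectl status` and tells you whether a link is still using the primary you expect or has moved to another server, plus the NetworkManager change the comment above points at (`ipv4.ignore-auto-dns` / `ipv6.ignore-auto-dns` with a fixed `ipv4.dns`). The two sample dumps are constructed from the "fresh boot" and "20 min later" outputs in the question; the connection name "Wired connection 1" is an assumption, and the nmcli step is only printed unless you clear DRY_RUN and run it as root.

```shell
#!/bin/sh
# Added example: detect a systemd-resolved "flip" from `resolvectl status`
# text and pin DNS via NetworkManager. Not code from the original post.

EXPECTED_PRIMARY=172.16.100.22

# link_current_dns LINK < status: print the "Current DNS Server" line of the
# named link section, or nothing if that link has none.
link_current_dns() {
    awk -v link="$1" '
        /^Link [0-9]+ \(/ { inlink = index($0, "(" link ")") > 0; next }
        inlink && /Current DNS Server:/ { sub(/.*Current DNS Server:[ \t]*/, ""); print; exit }
    '
}

# global_current_dns < status: the Global section's "Current DNS Server",
# which resolved falls back to when a link carries no servers of its own.
global_current_dns() {
    awk '
        /^Link [0-9]+ \(/ { exit }
        /Current DNS Server:/ { sub(/.*Current DNS Server:[ \t]*/, ""); print; exit }
    '
}

# effective_dns LINK < status: the server resolved will actually use for LINK.
effective_dns() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | link_current_dns "$1")
    [ -n "$cur" ] || cur=$(printf '%s\n' "$out" | global_current_dns)
    printf '%s\n' "$cur"
}

# dns_pinned LINK EXPECTED < status: 0 if LINK uses EXPECTED, 1 if it has
# flipped to another server, 2 if no server is known at all.
dns_pinned() {
    cur=$(effective_dns "$1")
    [ -n "$cur" ] || return 2
    [ "$cur" = "$2" ]
}

# pin_with_nmcli CONNECTION SERVER SEARCHDOMAIN: make NetworkManager ignore the
# DHCP/RA-supplied DNS lists and install SERVER only. The property names are
# real NetworkManager ones; DRY_RUN=1 prints the commands instead of running.
pin_with_nmcli() {
    con=$1; server=$2; domain=$3
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
    run nmcli con mod "$con" ipv4.ignore-auto-dns yes ipv4.dns "$server" \
        ipv4.dns-search "$domain" ipv6.ignore-auto-dns yes
    run nmcli con up "$con"
}

# Constructed sample: the question's "fresh boot" dump.
FRESH='Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 172.16.100.22
         DNS Servers: 172.16.100.22
Fallback DNS Servers: 8.8.8.8
          DNS Domain: penguinpages.local

Link 2 (eth0)'

# Constructed sample: the question's "20 min later" dump.
FLIPPED='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
       DNS Servers: 172.16.100.22 8.8.8.8 fe80::9e65:f9ff:fe38:6d27%21971
        DNS Domain: lan penguinpages.local
Link 3 (eth1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported'

for name in FRESH FLIPPED; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | dns_pinned eth0 "$EXPECTED_PRIMARY"; then
        echo "$name: eth0 pinned to $EXPECTED_PRIMARY"
    else
        echo "$name: eth0 now uses $(printf '%s\n' "$sample" | effective_dns eth0) (flip detected)"
    fi
done

# On a live host replace the sample with: resolvectl status | dns_pinned eth0 ...
DRY_RUN=1 pin_with_nmcli "Wired connection 1" "$EXPECTED_PRIMARY" penguinpages.local
```

The second dump shows the link's lists changed after boot (an IPv6 link-local server and the domain "lan" appeared), so a one-off `resolvectl dns eth0 172.16.100.22` is replaced the next time the connection is reconfigured; the override has to live in the connection profile, which is what the nmcli properties do. On a 22.04 host managed by netplan/systemd-networkd instead of NetworkManager, the equivalent is `dhcp4-overrides: {use-dns: false}` plus a `nameservers:` block for the interface, followed by `netplan apply`.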

2 Answers


You probably don't want to hear this answer. There is no such thing (in any standard) as "Secondary DNS". Any OS is free to implement such a thing (and thus not support load-balancing), but it just isn't a thing.

There is an equivalent discussion here:

If you’re saying that only 172.16.53.8 should be used and never 8.8.8.8, then you should remove 8.8.8.8 from the configuration. If your system is being given that address via DHCP, then you’d need to configure the DHCP client to suppress that address so it isn’t handed to systemd-resolved.

You definitely don’t want to rely on any ordering behavior when there are multiple addresses, that will be unreliable.

Which can be summarised as - don't lie in your DHCP advertisements - any DNS server is available on that link and presumed equivalent. That link goes deeper into discussing relevant standards.

There is however the concept of per-domain nameservers - ie nameservers that should only be used to look up specific (eg private) domains.

Now I found this question by essentially searching for the same type of fix myself (only the "DHCP" is my work VPN) and I haven't gotten to the bottom of how this is configured. In your case it looks like you want to set your local server to respond to your .local (sub)domain.

The suggestions I am following involve using the ~ prefix to domains in order to modify how they are handled (see man resolved.conf), but I haven't followed this path to a solution I am happy with yet. I'll update if I get a definitive answer.

Greg
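To make the answer's point about per-domain nameservers concrete, here is an added example (not code from the answer or from systemd): a small POSIX shell model of the routing-domain selection that the `~` prefix in `man resolved.conf` controls. Each scope carries a routing domain, a lookup goes to the scope whose routing domain is the longest suffix of the name, and `~.` is the catch-all. The scope table is a hypothetical split for the network in the question (local server for penguinpages.local, 8.8.8.8 for everything else). Real resolved also treats a link's plain search domains as routing domains and has extra rules for ties; this model keeps only the longest-suffix rule.

```shell
#!/bin/sh
# Added example: model of systemd-resolved routing-domain selection.
# Not code from the answer or from systemd.

# Scope table, one "<routing domain> <servers>" per line. "." stands for
# resolved's "~." default route; the "~" prefix is left off here.
SCOPES='penguinpages.local 172.16.100.22
. 8.8.8.8'

# suffix_len DOMAIN NAME: print the length of DOMAIN when NAME equals it or
# ends in ".DOMAIN" (label boundary respected), 0 for the "." catch-all,
# -1 when it does not match. Case and trailing dots are ignored.
suffix_len() {
    dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dom=${dom%.}; name=${name%.}
    if [ -z "$dom" ]; then echo 0; return; fi
    case "$name" in
        "$dom"|*".$dom") echo ${#dom} ;;
        *) echo -1 ;;
    esac
}

# route NAME: print the servers that receive the lookup for NAME, i.e. those
# of the scope with the longest matching routing domain; nothing if no scope
# matches and there is no catch-all.
route() {
    best=-1; best_servers=''
    while read -r dom servers; do
        [ -n "$dom" ] || continue
        len=$(suffix_len "$dom" "$1")
        if [ "$len" -gt "$best" ]; then best=$len; best_servers=$servers; fi
    done <<EOF
$SCOPES
EOF
    printf '%s\n' "$best_servers"
}

for q in cka01.penguinpages.local www.ubuntu.com evil-penguinpages.local; do
    echo "$q -> $(route "$q")"
done
```

Note the last query: "evil-penguinpages.local" is not routed to the local server because the match is on a label boundary, not a plain string suffix. The split only works when the two servers sit in different scopes (for example one as the global server in /etc/systemd/resolved.conf with `Domains=~penguinpages.local`, the other on the link with the default route); two servers listed on the same link are interchangeable to resolved, which is the point the answer makes about the DHCP lease.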

In the past, I resorted to setting the immutable flag via chattr +i /etc/resolv.conf. It works, but resolvconf creates the replacement file in /etc every time it attempts to replace /etc/resolv.conf. The junk files quickly pile up and they need to be removed to avoid eventual overload. The situation is disappointing.

But, I discovered /etc/resolvconf.conf which was installed with my last SID distribution upgrade which I have never seen before:

# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details

resolv_conf=/etc/resolv.conf

# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
name_servers=1.1.1.1

# Mirror the Debian package defaults for the below resolvers
# so that resolvconf integrates seamlessly.
dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
pdnsd_conf=/etc/pdnsd.conf
unbound_conf=/etc/unbound/resolvconf_resolvers.conf

From this, you can see that I prefer 1.1.1.1. I no longer have the problem.

Paul