
DNS lookups on my Ubuntu 16.04 LTS workstation have recently gone crazy, and I don't know why. Every now and then it will start returning 10.0.0.1 for just about anything. For example, a few minutes ago, dig www.google.com said:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15032
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     0   IN  A   10.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Jun 28 15:53:35 PDT 2017
;; MSG SIZE  rcvd: 48

A few minutes later it started behaving normally again:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50042
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     122 IN  A   216.58.195.228

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Jun 28 15:55:11 PDT 2017
;; MSG SIZE  rcvd: 59

It's flip-flopped a few times in the last several hours. I can't think of any changes I made that could have triggered this behavior.

Note that there is no 10.0.0.1 on my LAN. (it's all 192.168.0.x.)

I have tried rebooting my Ubuntu box and all of my network equipment and also changing the Network Connections >> IPv4 Settings >> Method to "Automatic (DHCP) addresses only", and manually setting DNS to 8.8.8.8, but it still sporadically switches to returning 10.0.0.1.

How do I debug (and fix) this issue?

Other info:

$ ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Oct 24  2016 /etc/resolv.conf -> ../run/resolvconf/resolv.conf

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

Update:

I just discovered that when this happens, my router's admin page is complaining that "Your ISP's DHCP does not function properly". I found a forum posting that mentioned that some ISPs apparently refuse to respond to new DHCP requests, resulting in this error. I'd had some power outages recently (and also had to unplug some equipment when a UPS died), so I'm guessing these were related to this issue. It also seems that any time my router reboots (which happens after practically any config change) there's about a 50% chance I'll get this error.

I'm still not sure where the 10.0.0.1 address is coming from. It turns out that even if I tell dig which DNS server to use when my router is borked it'll return 10.0.0.1:

# dig @8.8.8.8 www.yahoo.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 www.yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com.         IN  A

;; ANSWER SECTION:
www.yahoo.com.      0   IN  A   10.0.0.1

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 29 11:10:14 PDT 2017
;; MSG SIZE  rcvd: 47

I suspect that either my router or my ISP is intercepting outgoing DNS requests and returning these bogus responses, but I don't know how to confirm this.
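One way to turn the differences between the two dig outputs above into a repeatable check (an added example, not part of the original question): compare the header flags, TTL, answer address and presence of the EDNS OPT record. The sample responses and field names below are constructed for this example to mirror the quoted dig output.

```python
"""Heuristics for spotting a DNS reply that did not come from the resolver
you asked. Sample data is constructed from the dig output quoted above."""
import ipaddress

# Constructed samples: 'has_opt' mirrors ADDITIONAL: 1 (OPT pseudosection present).
SAMPLES = {
    "hijacked_local": {"server": "127.0.1.1", "name": "www.google.com.",
                       "flags": {"qr", "aa", "rd", "ra"}, "ttl": 0,
                       "answers": ["10.0.0.1"], "has_opt": False},
    "normal_local": {"server": "127.0.1.1", "name": "www.google.com.",
                     "flags": {"qr", "rd", "ra"}, "ttl": 122,
                     "answers": ["216.58.195.228"], "has_opt": True},
    "hijacked_8888": {"server": "8.8.8.8", "name": "www.yahoo.com.",
                      "flags": {"qr", "aa", "rd", "ra"}, "ttl": 0,
                      "answers": ["10.0.0.1"], "has_opt": False},
}


def hijack_indicators(resp):
    """Return the list of red flags found in one parsed A-record response."""
    found = []
    # A recursive resolver (rd set) forwards cached data and is not authoritative
    # for public zones, so an 'aa' bit on such a reply is suspicious.
    if "aa" in resp["flags"] and "rd" in resp["flags"]:
        found.append("aa set on recursive reply")
    # Cached answers carry the remaining TTL; synthesised replies often use 0.
    if resp["ttl"] == 0:
        found.append("ttl is 0")
    # An RFC 1918 address should never be the answer for a public hostname.
    for addr in resp["answers"]:
        if ipaddress.ip_address(addr).is_private:
            found.append(f"private answer {addr}")
    # dig sends EDNS by default; a genuine resolver echoes an OPT record.
    if not resp["has_opt"]:
        found.append("no EDNS OPT in reply")
    return found


def likely_intercepted(resp):
    """Two or more independent indicators is treated as interception."""
    return len(hijack_indicators(resp)) >= 2


if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(label, likely_intercepted(resp), hijack_indicators(resp))
```

Running the same comparison against a reply obtained while connected directly to the modem, as suggested in the comments, separates a router-side intercept from an ISP-side one.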

  • I had a DNS issue recently that turned out to be a new device on my network that was taking the same IP address as I was using. What DNS resolver are you using? Post output of ls -al /etc/resolv.conf and if that's not conclusive cat /etc/resolv.conf. Is your wifi router locked down? Is the period between switches roughly constant? – pbhj Jun 28 '17 at 23:30
  • @pbhj How do I find out what resolver I'm using? I've added the output of those commands to the question. I believe my router is locked down -- it has a non-default admin password and a strong wifi password. That's a good question about the period between switches, but I haven't actually timed it. – Laurence Gonsalves Jun 29 '17 at 01:20
  • The output tells me you're using resolvconf. It creates the resolv.conf file on the fly by making that file just a link to its own version. Now you need to know where resolvconf is getting its nameservers from - eg your router, so look at man resolvconf and check the settings; also if it switches to the 10.0.0.1 setting try cat /etc/resolv.conf again to catch more info. Also run sudo systemctl status dnsmasq.service systemd-resolved.service resolvconf.service to see if you're running other resolvers that might be interfering (they're the main ones, there are probably others). – pbhj Jun 29 '17 at 01:31
  • Can you ping 10.0.0.1? You might want to use wireshark to watch your wifi/ethernet traffic to see what's happening. Curiously this win 7 post describes the same issue. – pbhj Jun 29 '17 at 01:35
  • On my machines somewhy the default dns was set to the local dnsmasq service. Look up your /etc/NetworkManager/NetworkManager.conf and see if your dns is also set to it, if yes removing it should fix your problem and assign your usual DNS from your network. – Ziazis Jun 29 '17 at 11:00
  • @pbhj ping says 10.0.0.1 is unreachable. Perhaps I'm misunderstanding, but my reading of resolvconf's manpage indicates that it is told where to get nameservers from, rather than being configured to know where they are. I don't know how to figure out what's telling it where the nameservers are. systemctl only shows resolvconf.service as active. – Laurence Gonsalves Jun 29 '17 at 17:21
  • @Ziazis Are you saying I should remove the dns=dnsmasq line from /etc/NetworkManager/NetworkManager.conf? – Laurence Gonsalves Jun 29 '17 at 17:23
  • @Ziazis Commenting out that line and service NetworkManager restart seemed to fix the problem. Now the DNS is my actual DNS rather than the blackbox 127.0.1.1, which certainly helps with debugging. – Laurence Gonsalves Jun 29 '17 at 18:36
  • Glad it helped you out. – Ziazis Jun 29 '17 at 19:16
  • @Ziazis Whoops. I was wrong. So that does help with the debugging somewhat, but it didn't actually fix the problem. I've added an update with more info about what I've discovered. – Laurence Gonsalves Jun 29 '17 at 20:57
  • It's easy to test if it is actually your network/isp or your computer. Do you have the possibility to connect to a hotspot/your phone with that computer? If you still get that bogus information it is your computer configuration. If it is working then it is probably your router/isp that is doing some nasty stuff. If it is your router you could try clearing its DNS cache. ISP you gotta call them and ask if there is someone else with that problem and they have to take a look at it. Is that also the only computer having this problem? That could also tell you what's wrong. – Ziazis Jun 30 '17 at 06:38
  • @Ziazis It acted up again today, and I tested with my son's Mac. It's also getting the weird 10.0.0.1, so it apparently isn't my computer. The next time it flakes out I'll see if I can connect a machine directly to the modem without the router. I don't know if my router even has a DNS cache, but assuming it does why would that affect lookups where I specify the nameserver to use? I feel like either my router or ISP is doing MITM attacks on my DNS requests. – Laurence Gonsalves Jun 30 '17 at 19:08

1 Answer


Do you happen to use an Asus router? It seems some models have an issue with the 'Wan browser down redirect notice', which triggers this exact behaviour. See https://www.snbforums.com/threads/weird-dns-issue-always-resolved-to-10-0-0-1.39962/

Jacco