[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2024-07-31 Thread Brian Murray
Ubuntu 17.10 (Artful Aardvark) has reached end of life, so this bug will
not be fixed for that specific release.

** Changed in: systemd (Ubuntu Artful)
   Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731522

Title:
  systemd-resolved does not listen on TCP port, cannot serve large
  records (Cannot ping pod51041.outlook.com but can dig.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1731522/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package systemd - 237-3ubuntu8

---
systemd (237-3ubuntu8) bionic; urgency=medium

  * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001).
    (LP: #1727237)
  * resolved: Listen on both TCP and UDP by default. (LP: #1731522)
  * Recommend networkd-dispatcher (LP: #1762386)
  * Refresh patches

 -- Dimitri John Ledkov   Thu, 12 Apr 2018 12:12:24 +0100

** Changed in: systemd (Ubuntu Bionic)
   Status: Fix Committed => Fix Released


[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-04-06 Thread Dimitri John Ledkov
** Description changed:

+ [Impact]
+ 
+  * Ubuntu hosts unable to perform queries against certain domains that 
respond with too big reponses that do not fit over UDP protocol.
+  * Solution is to enable local cachine DNS server to listen on both UDP and 
TCP by default
+ 
+ [Test Case]
+ 
+  * nslookup -q= pod51041.outlook.com 127.0.0.53
+ 
+ Should work and return a bunch of ipv6 answers.
+ 
+ Note, this expects that the upstream DNS server used by resolved is "a
+ sensitble" one, e.g. my default ISP/router did not work, whilst forcing
+ 8.8.8.8 via network manager for this connection made it work.
+ 
+ [Regression Potential]
+ 
+  * Given that resolved will now bind to a TCP port 53, this may result
+ in a conflict with deployed DNS servers which do not correctly take over
+ port 53 or bind to everything.
+ 
+  * In those cases the software should be fixed to not bind to all
+ interfaces and/or to not bind on 127.0.0.53, or change resolved to have
+ DNSStubListener set to 'udp'.
+ 
+ [Other Info]
+  
+  * Original bug report
+ 
+ ===
+ 
  Trying to resolve pod51041.outlook.com's domain name seems to fail for
  applications:
  
  $ ping pod51041.outlook.com
  ping: pod51041.outlook.com: Temporary failure in name resolution
  
  (Also can't access via thunderbird).
  
  However, it seems to work directly via systemd-resolve:
  
  $ systemd-resolve pod51041.outlook.com
  pod51041.outlook.com: 40.97.160.2
    40.97.126.50
    132.245.38.194
    40.97.147.194
    132.245.41.34
    40.97.176.2
    40.97.150.242
    40.97.85.114
    40.97.120.50
    40.97.85.2
    40.97.176.34
    40.97.138.242
    40.97.166.18
    40.97.120.162
    40.97.119.82
    40.97.176.18
    40.97.85.98
    40.97.134.34
    40.97.84.18
  
  -- Information acquired via protocol DNS in 2.5ms.
  -- Data is authenticated: no
  
  It also works with dig and nslookup.
  
  Not quite sure why this is the case, I've spotted this issue upstream
  that looks similar: https://github.com/systemd/systemd/issues/6520.
  However, I'm not familiar enough with DNS to tell if it is the same
  issue.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: systemd 234-2ubuntu12
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu3
  Architecture: amd64
  CurrentDesktop: MATE
  Date: Fri Nov 10 13:10:02 2017
  InstallationDate: Installed on 2017-11-10 (0 days ago)
  InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 
(20171018)
  MachineType: LENOVO 2324BB9
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.13.0-16-generic.efi.signed 
root=UUID=8ab6bf88-72bd-4308-941e-3b36d4d7811b ro rootflags=subvol=@ quiet 
splash vt.handoff=7
  SourcePackage: systemd
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 03/03/2016
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ETA6WW (2.66 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2324BB9
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Defined
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: 
dmi:bvnLENOVO:bvrG2ETA6WW(2.66):bd03/03/2016:svnLENOVO:pn2324BB9:pvrThinkPadX230:rvnLENOVO:rn2324BB9:rvrNotDefined:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.family: ThinkPad X230
  dmi.product.name: 2324BB9
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO
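
Review bot: the [Test Case] command `nslookup -q= pod51041.outlook.com 127.0.0.53` has an empty `-q=` value, while the following line expects IPv6 answers; the query type should be written out so the test can be reproduced as given. The test also depends on the upstream resolver, as its own note admits, so it would help to add a step that does not, for example confirming that 127.0.0.53 accepts a TCP connection on port 53, which is the behaviour the [Impact] section says is being enabled.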

** Description changed:

  [Impact]
  
-  * Ubuntu hosts unable to perform queries against certain domains that 
respond with too big reponses that do not fit over UDP protocol.
-  * Solution is to enable local cachine DNS server to listen on both UDP and 
TCP by default
+  * Ubuntu hosts unable to perform queries against certain domains that 
respond with too big responses that do not fit over UDP protocol.
+  * Solution is to enable local cachine DNS server to listen on both UDP and 
TCP by default
  
  [Test Case]
  
-  * nslookup -q= pod51041.outlook.com 127.0.0.53
+  * nslookup -q= pod51041.outlook.com 127.0.0.53
  
  Should work and return a bunch of ipv6 answers.
  
  Note, this expects that the upstream DNS server used by resolved is "a
  sensitble" one, e.g. my default ISP/router did not work, whilst forcing
  8.8.8.8 via network manager for this connection made it work.
  
  [Regression Potential]
  
-  * Given that resolved will now bind to a TCP port 53, this may result
+  * Given that resolved will now bind to a TCP port 53, this may result
  in a conflict with deployed DNS servers whi
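
Review bot: the revised [Impact] bullet still reads "cachine" and the [Test Case] note still reads "sensitble", although this revision already corrects "reponses"; both could be fixed in the same pass.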

[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-04-05 Thread Daniel Richard G.
Thanks Dimitri, greatly appreciated. I haven't found many problems in my
testing of Bionic, but this is the juiciest one so far.


[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-04-05 Thread Dimitri John Ledkov
This has totally slipped my radar, I'm sorry.

I will ensure this lands into bionic 18.04.0.


** Changed in: systemd (Ubuntu)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: systemd (Ubuntu)
Milestone: None => ubuntu-18.04

** Also affects: systemd (Ubuntu Bionic)
   Importance: High
 Assignee: Dimitri John Ledkov (xnox)
   Status: Triaged

** Also affects: systemd (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: systemd (Ubuntu Artful)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: systemd (Ubuntu Artful)
Milestone: None => artful-updates

** Changed in: systemd (Ubuntu Artful)
   Status: New => Triaged

** Changed in: systemd (Ubuntu Artful)
   Importance: Undecided => High


[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-04-04 Thread Daniel Richard G.
Steve, Bionic still has the default (commented-out)

#DNSStubListener=udp

in /etc/systemd/resolved.conf .

I've noticed that this breaks Kerberos KDC lookup at a large site,
because the reply is quite large:

# host -t SRV _kerberos._udp.xxx.example.com
;; Connection to 127.0.0.53#53(127.0.0.53) for _kerberos._udp.xxx.example.com failed: connection refused.

# kinit u...@xxx.example.com
kinit: Cannot find KDC for realm "XXX.EXAMPLE.COM" while getting initial credentials

After setting DNSStubListener=yes:

# host -t srv _kerberos._udp.xxx.example.com
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx01.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx02.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx03.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx04.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx05.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx06.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx07.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx08.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx09.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx10.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx11.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx12.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx13.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx14.xxx.example.com.
_kerberos._udp.xxx.example.com has SRV record 0 100 88 xxx15.xxx.example.com.

# kinit u...@xxx.example.com
Password for u...@xxx.example.com:

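
The failure reported in this thread (a UDP answer from the stub that is marked truncated, followed by a refused TCP retry) can be checked with a small probe. This is an added example, not code from the bug report or from systemd; the function names and return strings are illustrative, and the server address and query name are whatever the caller passes in.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word


def build_query(name, qtype, txid=0x1234):
    """Encode a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(response):
    """True when the server set TC, i.e. the answer did not fit in UDP."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_BIT)


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def probe(server, name, qtype=33, port=53, timeout=2.0):
    """Return 'udp-ok', 'tcp-ok', 'tcp-refused' or 'no-udp-reply'."""
    query = build_query(name, qtype)  # qtype 33 = SRV
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, port))
        try:
            reply, _ = udp.recvfrom(4096)
        except socket.timeout:
            return "no-udp-reply"
    if not is_truncated(reply):
        return "udp-ok"
    try:  # TC set: a resolver library now retries the same query over TCP
        with socket.create_connection((server, port), timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            size = struct.unpack("!H", recv_exact(tcp, 2))[0]
            recv_exact(tcp, size)
            return "tcp-ok"
    except ConnectionRefusedError:
        return "tcp-refused"  # stub has no TCP listener (DNSStubListener=udp)
```

Run against 127.0.0.53 with a name whose answer is large, a result of `tcp-refused` corresponds to the `connection refused` line in the `host` output above.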

[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-01-26 Thread Bug Watch Updater
** Changed in: systemd
   Status: Unknown => Fix Released


[Bug 1731522] Re: systemd-resolved does not listen on TCP port, cannot serve large records (Cannot ping pod51041.outlook.com but can dig.)

2018-01-26 Thread Steve Langasek
According to https://github.com/systemd/systemd/issues/6520 this can be
worked around by setting DNSStubListener=yes in
/etc/systemd/resolved.conf.  This is disabled by default due to
.

It is not ideal to have systemd-resolved conflict with other nameservers
listening on 0.0.0.0:53, but as a default behavior of systemd-resolved
in Ubuntu, barring any other upstream fix for
, this should be our
fallback position for bionic.

** Bug watch added: github.com/systemd/systemd/issues #6520
   https://github.com/systemd/systemd/issues/6520

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/6520
   Importance: Unknown
   Status: Unknown
