Re: Fedora 41 firewalld blocking DNS after switching to custom resolvers
> On 5 Mar 2026, at 21:13, Stephen Morris wrote:
>
>>
>>> Hi,
>>>
>>> On a fresh Fedora 41 Workstation install, I switched from the default
>>> DNS to custom resolvers using nmcli:
>>>
>>> nmcli con mod "Wired connection 1" ipv4.dns "1.1.1.1 9.9.9.9"
>>> nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns yes
>>> nmcli con down "Wired connection 1" && nmcli con up "Wired connection 1"
>>>
>>> After this, DNS resolution works for about 30 seconds then stops
>>> completely. Regular browsing dies but ping to IP addresses still
>>> works, so it's clearly DNS only.
>>>
>>> Checked resolvectl status and it shows the correct servers (1.1.1.1
>>> and 9.9.9.9). But firewall-cmd --list-all shows the active zone is
>>> FedoraWorkstation, and I suspect firewalld might be interfering with
>>> outgoing DNS on port 53.
>>>
>>> If I run systemctl stop firewalld, DNS works fine immediately.
>>> Restarting it breaks DNS again.
>>>
>>> I tested from an external tool at https://dnsrobot.net/dns-lookup to
>>> confirm 1.1.1.1 itself responds fine for my domains, so the problem
>>> is definitely local to my machine.
>>>
>>> Has anyone seen firewalld on Fedora 41 blocking outgoing DNS queries
>>> to custom resolvers? Is there a specific rule I need to add? I
>>> checked the FedoraWorkstation zone and dns service is listed as
>>> allowed, but it seems like that only covers incoming port 53.
>> I don't have an answer for you, but note that F41 is past its
>> End-Of-Life and is no longer supported. Supported versions are F42
>> and F43. This may not affect your issue, but you should be aware of it.

If the DNS query originates on the system, the firewall will track that a response is expected and allow it in. Only if you run a DNS server that other systems query do you need to open a port.

Barry

>>
>> poc
> I'm not an expert in this sort of process but looking on my F43 system, by
> default DNS is not a trusted service in the FedoraWorkstation Firewall zone
> and specifying it as a trusted service does not add port 53 into the port
> ranges for networking needed to communicate with the machine, so 53 may need
> to be added into that list, even though if you look at services port 53 is
> specified as a port available for all network services in and out, but I
> don't know if that is significant.
>
> regards,

--
___
users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
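
The reply-tracking behaviour described in the message above, as a simplified model added here; it is not code from the thread or from firewalld. The class names, the addresses and ports, the 30-second idle timeout and the "no egress filtering" rule are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

@dataclass
class StatefulFilter:
    local_ip: str
    open_ports: set = field(default_factory=set)  # {(proto, port)} opened inbound in the zone
    timeout: float = 30.0                         # model parameter: idle seconds before a flow is forgotten
    flows: dict = field(default_factory=dict)     # expected reply tuple -> last-seen time

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items() if now - t <= self.timeout}

    def outbound(self, pkt, now):
        # Locally originated traffic is allowed (assumption: no egress rules),
        # and the tuple its reply must carry is remembered.
        self._expire(now)
        self.flows[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now
        return "accept"

    def inbound(self, pkt, now):
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:                     # reply to something we sent
            self.flows[key] = now
            return "accept (established)"
        if pkt.dst == self.local_ip and (pkt.proto, pkt.dport) in self.open_ports:
            return "accept (open port)"           # only matters when serving DNS to others
        return "reject"

def demo():
    host, resolver, other = "192.0.2.10", "1.1.1.1", "198.51.100.7"  # constructed addresses
    fw = StatefulFilter(local_ip=host)            # zone with no dns service opened
    out = {}
    fw.outbound(Packet(host, 40000, resolver, 53), now=0.0)
    out["reply"] = fw.inbound(Packet(resolver, 53, host, 40000), now=0.05)
    out["unsolicited_to_53"] = fw.inbound(Packet(other, 5353, host, 53), now=1.0)
    out["wrong_port"] = fw.inbound(Packet(resolver, 53, host, 40001), now=1.0)
    out["late_reply"] = fw.inbound(Packet(resolver, 53, host, 40000), now=60.0)
    fw.open_ports.add(("udp", 53))                # what opening the dns service changes
    out["query_to_local_server"] = fw.inbound(Packet(other, 5353, host, 53), now=61.0)
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```
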
Re: Fedora 41 firewalld blocking DNS after switching to custom resolvers
>> Hi,
>>
>> On a fresh Fedora 41 Workstation install, I switched from the default
>> DNS to custom resolvers using nmcli:
>>
>> nmcli con mod "Wired connection 1" ipv4.dns "1.1.1.1 9.9.9.9"
>> nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns yes
>> nmcli con down "Wired connection 1" && nmcli con up "Wired connection 1"
>>
>> After this, DNS resolution works for about 30 seconds then stops
>> completely. Regular browsing dies but ping to IP addresses still
>> works, so it's clearly DNS only.
>>
>> Checked resolvectl status and it shows the correct servers (1.1.1.1
>> and 9.9.9.9). But firewall-cmd --list-all shows the active zone is
>> FedoraWorkstation, and I suspect firewalld might be interfering with
>> outgoing DNS on port 53.
>>
>> If I run systemctl stop firewalld, DNS works fine immediately.
>> Restarting it breaks DNS again.
>>
>> I tested from an external tool at https://dnsrobot.net/dns-lookup to
>> confirm 1.1.1.1 itself responds fine for my domains, so the problem
>> is definitely local to my machine.
>>
>> Has anyone seen firewalld on Fedora 41 blocking outgoing DNS queries
>> to custom resolvers? Is there a specific rule I need to add? I
>> checked the FedoraWorkstation zone and dns service is listed as
>> allowed, but it seems like that only covers incoming port 53.
> I don't have an answer for you, but note that F41 is past its
> End-Of-Life and is no longer supported. Supported versions are F42
> and F43. This may not affect your issue, but you should be aware of it.
>
> poc

I'm not an expert in this sort of process but looking on my F43 system, by default DNS is not a trusted service in the FedoraWorkstation Firewall zone and specifying it as a trusted service does not add port 53 into the port ranges for networking needed to communicate with the machine, so 53 may need to be added into that list, even though if you look at services port 53 is specified as a port available for all network services in and out, but I don't know if that is significant.

regards,
Stephen Morris
Re: Fedora 41 firewalld blocking DNS after switching to custom resolvers
On Thu, 2026-03-05 at 09:56 +, Vahid Shaik wrote:
> Hi,
>
> On a fresh Fedora 41 Workstation install, I switched from the default
> DNS to custom resolvers using nmcli:
>
> nmcli con mod "Wired connection 1" ipv4.dns "1.1.1.1 9.9.9.9"
> nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns yes
> nmcli con down "Wired connection 1" && nmcli con up "Wired connection 1"
>
> After this, DNS resolution works for about 30 seconds then stops
> completely. Regular browsing dies but ping to IP addresses still
> works, so it's clearly DNS only.
>
> Checked resolvectl status and it shows the correct servers (1.1.1.1
> and 9.9.9.9). But firewall-cmd --list-all shows the active zone is
> FedoraWorkstation, and I suspect firewalld might be interfering with
> outgoing DNS on port 53.
>
> If I run systemctl stop firewalld, DNS works fine immediately.
> Restarting it breaks DNS again.
>
> I tested from an external tool at https://dnsrobot.net/dns-lookup to
> confirm 1.1.1.1 itself responds fine for my domains, so the problem
> is definitely local to my machine.
>
> Has anyone seen firewalld on Fedora 41 blocking outgoing DNS queries
> to custom resolvers? Is there a specific rule I need to add? I
> checked the FedoraWorkstation zone and dns service is listed as
> allowed, but it seems like that only covers incoming port 53.

I don't have an answer for you, but note that F41 is past its End-Of-Life and is no longer supported. Supported versions are F42 and F43. This may not affect your issue, but you should be aware of it.

poc
