Just upgraded to 17.04 from 16.04 and found DNS resolution randomly
stopped working.

As it turns out, systemd-resolved decided for some obscure reason to
switch to Google DNS, which it can't reach, rather than the locally
provided recursive resolver, which continues to work just fine.

In summary, in my case it isn't just a privacy concern but actually
breaks DNS resolution.

Aug 05 11:29:07 dtank0 systemd-resolved[8051]: Switching to system DNS server
Aug 05 11:29:07 dtank0 systemd[1]: Started Network Name Resolution.
Aug 05 11:33:58 dtank0 systemd-resolved[8051]: Switching to fallback DNS server

After the switch to DNS resolution on the host stopped working
because is not reachable from the host.

Interestingly, stopping and disabling systemd-resolved followed by a
"resolvconf -u" did not revert the config back to a working configuration.
It required removing /run/resolvconf/interface/systemd-resolved by hand
(starting systemd-resolved will add that file but not remove it on stop).

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.

  systemd-resolved: please do not use Google public DNS by default

Status in systemd:
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Zesty:
Status in systemd source package in Artful:
  Fix Released
Status in systemd package in Debian:
  Fix Released

Bug description:
  systemd-resolved will fall back to Google public DNS (, etc.)
  in the absence of other configured DNS servers.

  systemd-resolved is not enabled by default in Ubuntu 15.04, but it is
  installed by default and will behave in this way if enabled by the

  $ cat /etc/systemd/resolved.conf 
  # Entries in this file show the compile time defaults.
  #FallbackDNS= 2001:4860:4860::8888 2001:4860:4860::8844

  This raises privacy concerns since in the event of accidental
  misconfiguration DNS queries will be sent unencrypted across the
  internet, and potentially also security concerns given systemd-
  resolved does not perform DNSSEC validation and is not particularly
  well hardened against malicious responses, e.g. from a MITM.

  I believe that it would be better to fail safe if no DNS server is
  configured -- i.e. have DNS lookups fail; it's better that the user is
  aware of their misconfiguration, rather than silently sending their
  queries to Google.  The user can intentionally opt to use Google
  public DNS if they wish.

  Steps to reproduce:
  1. Remove existing DNS configuration (from /etc/network/interfaces, /etc/resolv.conf, /etc/resolvconf/resolv.conf.d/*)
  2. Reboot, or otherwise clear relevant state
  3. sudo service systemd-resolved start
  4. Note that Google's servers are listed in /run/systemd/resolve/resolv.conf
  5. If systemd-resolved is enabled in /etc/nsswitch.conf (it isn't by default), observe that DNS lookups probably still work, and queries are being sent to one of Google's servers

  Possible workaround/bugfix: ship a resolved.conf which clears the FallbackDNS 

  This issue has been discussed in the Debian BTS 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658).  My interpretation 
of the Debian package maintainer's position is that a user concerned with the 
privacy implications shouldn't let systemd get into a state where it uses the 
fallback DNS servers (quoting Marco d'Itri: "Short summary: have a resolv.conf 
file or use DHCP").  I would argue that it's safest not to have fallback DNS 
servers configured at all by default.
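The two checks an administrator would want from the above, as an added example that is not part of the bug report or of systemd: detecting the "Switching to fallback DNS server" journal event quoted in the comment, and verifying that resolved.conf carries the workaround from the description (an explicit, empty FallbackDNS= that clears the compile-time list). The journal excerpt and both configuration files are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd. On a real host,
# feed `journalctl -u systemd-resolved` and /etc/systemd/resolved.conf instead
# of the constructed samples below.

# Constructed journal excerpt modelled on the lines quoted in the comment.
SAMPLE_JOURNAL='Aug 05 11:29:07 dtank0 systemd-resolved[8051]: Switching to system DNS server
Aug 05 11:29:07 dtank0 systemd[1]: Started Network Name Resolution.
Aug 05 11:33:58 dtank0 systemd-resolved[8051]: Switching to fallback DNS server'

# Constructed resolved.conf as shipped: FallbackDNS appears only as a comment,
# so the compile-time default (Google public DNS) remains in effect.
DEFAULT_CONF='[Resolve]
#DNS=
#FallbackDNS= 2001:4860:4860::8888 2001:4860:4860::8844'

# Constructed resolved.conf with the workaround proposed in the report: an
# uncommented, empty FallbackDNS= clears the list, so lookups fail instead of
# silently leaving the host when no resolver is configured.
HARDENED_CONF='[Resolve]
#DNS=
FallbackDNS='

# Count journal lines recording a switch to the fallback servers.
# Usage: count_fallback_switches "<journal text>"  -> prints a number
count_fallback_switches() {
    printf '%s\n' "$1" \
        | grep -c 'systemd-resolved\[[0-9]*\]: Switching to fallback DNS server' \
        || true   # grep -c exits 1 on zero matches; the printed 0 is still valid
}

# Succeed (exit 0) only if the config has an active FallbackDNS= line with no
# servers, i.e. the compile-time fallback list has been cleared.
fallback_cleared() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*FallbackDNS=[[:space:]]*$'
}

if [ "$(count_fallback_switches "$SAMPLE_JOURNAL")" -gt 0 ]; then
    echo "journal: systemd-resolved switched to its fallback DNS servers"
fi
for name in DEFAULT_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    if fallback_cleared "$conf"; then
        echo "$name: FallbackDNS cleared"
    else
        echo "$name: compile-time fallback list still active"
    fi
done
```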

Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp