> On 5 Mar 2026, at 21:13, Stephen Morris <[email protected]> wrote:
>
>>
>>> Hi,
>>>
>>> On a fresh Fedora 41 Workstation install, I switched from the default
>>> DNS to custom resolvers using nmcli:
>>>
>>> nmcli con mod "Wired connection 1" ipv4.dns "1.1.1.1 9.9.9.9"
>>> nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns yes
>>> nmcli con down "Wired connection 1" && nmcli con up "Wired connection 1"
>>>
>>> After this, DNS resolution works for about 30 seconds then stops
>>> completely. Regular browsing dies but ping to IP addresses still
>>> works, so it's clearly DNS only.
>>>
>>> Checked resolvectl status and it shows the correct servers (1.1.1.1
>>> and 9.9.9.9). But firewall-cmd --list-all shows the active zone is
>>> FedoraWorkstation, and I suspect firewalld might be interfering with
>>> outgoing DNS on port 53.
>>>
>>> If I run systemctl stop firewalld, DNS works fine immediately.
>>> Restarting it breaks DNS again.
>>>
>>> I tested from an external tool at https://dnsrobot.net/dns-lookup to
>>> confirm 1.1.1.1 itself responds fine for my domains, so the problem
>>> is definitely local to my machine.
>>>
>>> Has anyone seen firewalld on Fedora 41 blocking outgoing DNS queries
>>> to custom resolvers? Is there a specific rule I need to add? I
>>> checked the FedoraWorkstation zone and dns service is listed as
>>> allowed, but it seems like that only covers incoming port 53.
>>
>> I don't have an answer for you, but note that F41 is past its
>> End-Of-Life and is no longer supported. Supported versions are F42
>> and F43. This may not affect your issue, but you should be aware of it.

If the dns query originates on the system the firewall will track that a
response is expected and allow it in. Only if you run a dns server that
other systems query do you need to open a port.

Barry

>>
>> poc
>
> I'm not an expert in this sort of process but looking on my F43 system, by
> default DNS is not a trusted service in the FedoraWorkstation Firewall zone
> and specifying it as a trusted service does not add port 53 into the port
> ranges for networking needed to communicate with the machine, so 53 may need
> to be added into that list, even though if you look at services port 53 is
> specified as a port available for all network services in and out, but I
> don't know if that is significant.
>
> regards,
> --
> _______________________________________________
> users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://forge.fedoraproject.org/infra/tickets/issues/new
