I can’t believe that I haven’t written anything for the past 4 months for my website! But I promise that I’ll add fresh content in the future (yes, an Ubuntu 17.04 review is on the way). One reason why I was not able to add new ‘Linux’ operating system reviews was because after I switched to a new laptop a few months ago, I created a ‘logical volume’ (a special type of partitioning method, mostly used in server environments) for testing GNU/Linux distributions, rather than creating a traditional partition (which is what I had in the old laptop). And the thing is, some distributions don’t yet support installing into logical volumes. Therefore, I missed a number of new releases of GNU/Linux distributions that I used to write about, simply because the installers couldn’t install the operating systems to the logical volume. So, out of frustration, I took the trouble of completely changing the partition layout of the new laptop and recreated a traditional partition for testing new distributions. Therefore, I’ll be updating the site in the future with new reviews.
So anyhow, coming back to the purpose of this post… I installed the newly released Ubuntu 17.04 and have been using it for the past 2-3 days now. And after gathering the performance related data (for the upcoming review of course), one thing that I immediately noticed was that sometimes I could not visit certain websites, websites that I quite frequently use (such as Facebook, YouTube etc). This was quite irritating and every time this happened, the web browser simply complained with the “Server not found” error. Now Firefox uses this error message for reporting a number of other issues, not just when it’s having DNS issues (for non-technical people, a DNS related error mostly means the web browser can’t convert the human readable address of a website into numbers, which is essential for properly loading any website).
But since I’ve been having this issue only with a few websites that I frequently use and those websites aren’t the ones that go down easily (meaning that whatever is wrong, it was probably from my end, and it most probably had something to do with the DNS cache not being properly updated), and since other websites most of the time loaded without big issues (although there were certain unusual delays as well), I just suspected that this was a DNS issue from the operating system’s end (yes, I used command-line tools to ‘confirm’ this as well).
Now I tried a few suggestions that I found on the web, but nothing worked out for me. However, with the help of a couple of pointers, I realized that this issue was originating from a service called ‘systemd-resolved’. This is a DNS caching and validating service that comes pre-installed with Ubuntu 17.04. Luckily, you can use this command-line utility to figure out the causes of certain DNS related issues.
So out of curiosity, when the system was not able to load certain websites, I fired up the command-line tool and tried to resolve those websites with ‘systemd-resolved’ to see what type of errors I would get. The below screenshot includes a few of those instances where ‘systemd-resolved’ gave me the following error:
www.facebook.com: resolve call failed: DNSSEC validation failed: failed-auxiliary
So obviously it is a DNSSEC validation error. Now DNSSEC is a DNS related security check that verifies the integrity of the DNS data. ‘systemd-resolved’ does let you turn the DNSSEC checking OFF. So that’s what I did next (it’s easy: you just have to open /etc/systemd/resolved.conf, uncomment “DNSSEC” and replace “allow-downgrade” with “off”) and it worked like a charm.
However, since DNSSEC is there to protect you from outside infiltration, it’s not recommended to turn it OFF. So what is the solution then? Well, the easiest solution I saw was to totally disable the troublesome ‘systemd-resolved’ service and replace it with a similar utility, one that actually works.
Luckily there are a few, and it’s important to choose one that is also supported by the NetworkManager to avoid further conflicts and also so that you can get away with minimal manual configuration. So I chose this other one called “unbound” which also supports DNSSEC validation and fully supports ‘systemd’ as well.
So basically that’s what I did. I simply disabled the troublesome ‘systemd-resolved’ and replaced it with ‘unbound’ and so far everything is working quite well. Sometimes I do feel a slight delay, but it’s certainly better than having the ‘systemd-resolved’ that refuses to load websites entirely.
__________________________
Update: Here & there, even with ‘unbound’, I still get long delays when loading websites (15-20 seconds long), but unlike with ‘systemd-resolved’, after the delay the websites start to load properly, at least.
However, if you’re okay with not having DNSSEC enabled at the moment (because again, with it disabled, everything seems to work just fine) then you can forget about following the rest of the guide to enable ‘unbound’ and simply disable DNSSEC in ‘systemd-resolved’ until Ubuntu comes up with a solution (Update_2: Apparently the previous version of Ubuntu came with DNSSEC set to off according to Ubuntu developers; yes, I too was aware of that. And they simply had decided to enable it in 17.04, which is what is causing this issue. Therefore, they advise turning off DNSSEC for ‘systemd-resolved’. You actually don’t have to do anything, including manually editing the configuration file as shown below; just update your software and reboot, because they’ve simply updated ‘systemd-resolved’ to use DNSSEC turned off by default).
For that, first use the below command which’ll open up a configuration file:
sudo nano /etc/systemd/resolved.conf
Then, as shown in the below screenshot, uncomment the #DNSSEC=allow-downgrade line (remove the leading #) and replace allow-downgrade with off.
Once done, press the Ctrl + x keys to save the changes, and when asked to confirm, press y and then hit Enter. Then simply restart the ‘systemd-resolved’ service so the changes are applied. For that, enter the below command:
sudo systemctl restart systemd-resolved
That’s it. But remember, now you’re running DNS queries without DNSSEC which could create security risks. If you don’t feel comfortable with this, then roll back the changes you made to the configuration file and simply follow the below steps to replace ‘systemd-resolved’ with ‘unbound’.
End of Update
___________________________
Now I actually completely re-wrote this entire article, because the previous answer (content) that I put here was not the most optimal one (plus, I also had slightly misconfigured one of NetworkManager’s settings which was embarrassing) because with that answer, things were not fully automated (for instance, if you travel a lot with your laptop and connect to lots of private networks that use internal DNSs, then you would’ve had to manually enter the IP of those internal DNS every time you connect, which was quite irritating. But with ‘unbound’ there is no need for such undertaking, everything is fully automated). So without any further delays, here’s how you can fix this ‘systemd-resolved’ DNS issue in Ubuntu 17.04.
Step 1: Let’s install ‘unbound’ first. However, under some conditions, with our troublesome ‘systemd-resolved’ you can’t even install software applications on Ubuntu 17.04 (if you can install software from the Ubuntu servers, then skip this Step and go to Step 2).
So the easiest solution to temporarily fix the issue is to manually enter a reliable, global and trustworthy DNS server (I’ll be using Google’s free DNS service) into the system-wide configuration file that applications rely on for retrieving the DNS IPs. It’s located in /etc/resolv.conf. So let’s do that first.
For that, enter the below command. This will open up that file in a command-line editor called ‘nano’:
sudo nano /etc/resolv.conf
Once opened, delete the IP address that is put there after the ‘nameserver’ argument, by the troublesome ‘systemd-resolved’ service, and simply enter Google’s DNS IP. For IP version 4 users, use the below one:
8.8.8.8
For IP version 6 use the below one instead:
2001:4860:4860::8888
Now simply press the Ctrl + x keys to save the changes. When asked whether you want to save the changes or not, simply press y and then hit the Enter key. That’s it, now you should have a working internet connection, temporarily.
Step 2: Now enter the below command to install ‘unbound’ into Ubuntu 17.04:
sudo apt-get install unbound
Step 3: Now let’s disable the troublesome ‘systemd-resolved’ first and then we’ll stop its already running instance. For that, use the below commands:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
Step 4: Now let’s configure NetworkManager to use ‘unbound’ instead of ‘systemd-resolved’. For that we need to edit one of its main configuration files (it’s quite easy) and manually enter a single configuration setting. So let’s open up the configuration file first by using the below command:
sudo nano /etc/NetworkManager/NetworkManager.conf
Once opened, copy the below code and simply enter it on a new line, just below the ‘plugins=…’ option (as illustrated in the below screenshot as well):
dns=unbound
Again, to save our changes, press the Ctrl + x keys and then press y and hit Enter to confirm.
Step 5: Now let’s enable the newly installed ‘unbound’ in systemd (it’s actually automatically enabled when you install it, but we’ll re-enable it just in case) using the below two commands:
sudo systemctl enable unbound-resolvconf
sudo systemctl enable unbound
Step 6: Now we’re almost done. Just reboot the computer for the changes to take effect.
From next time on, those DNS issues that you were having with ‘systemd-resolved’ on Ubuntu 17.04 should be gone and websites should load without big issues with DNSSEC turned ON. Good luck.
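To see which of the three files edited in this guide is actually deciding how lookups are done, the check below reads them and prints a single verdict. It is an added example, not part of the original post: the ROOT argument, the function names, the verdict words and the constructed sample trees (including the 127.0.0.53 stub address) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. ROOT is an assumed parameter so the
# check can run against a copied or constructed tree instead of the live /etc.

# Print the effective value of KEY in FILE. Lines starting with '#' are comments
# and are ignored; the last assignment wins. Sections are not tracked.
conf_value() {  # usage: conf_value FILE KEY
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print one verdict word describing the DNS path selected under ROOT.
dns_verdict() {  # usage: dns_verdict [ROOT]
    root=${1:-}
    # A non-loopback nameserver (Step 1's temporary edit) is queried directly by
    # applications, so no local resolver validates the answers.
    if awk '$1 == "nameserver" && $2 !~ /^(127\.|::1$)/ { found = 1 }
            END { exit !found }' "$root/etc/resolv.conf" 2>/dev/null; then
        echo direct-upstream; return
    fi
    if [ "$(conf_value "$root/etc/NetworkManager/NetworkManager.conf" dns)" = unbound ]; then
        echo unbound; return
    fi
    v=$(conf_value "$root/etc/systemd/resolved.conf" DNSSEC | tr 'A-Z' 'a-z')
    case $v in
        off|no|false|0) echo resolved-dnssec-off ;;
        "")             echo resolved-dnssec-default ;;
        *)              echo "resolved-dnssec-$v" ;;
    esac
}

# Write constructed sample files (not real system files) for one stage of the guide.
sample_tree() {  # usage: sample_tree DIR NAMESERVER RESOLVED_LINE NM_LINE
    mkdir -p "$1/etc/systemd" "$1/etc/NetworkManager"
    printf 'nameserver %s\n' "$2" > "$1/etc/resolv.conf"
    printf '[Resolve]\n%s\n' "$3" > "$1/etc/systemd/resolved.conf"
    printf '[main]\n%s\n' "$4" > "$1/etc/NetworkManager/NetworkManager.conf"
}

tmp=$(mktemp -d)
sample_tree "$tmp/step1"   8.8.8.8    '#DNSSEC=allow-downgrade' ''
sample_tree "$tmp/update"  127.0.0.53 'DNSSEC=off'              ''
sample_tree "$tmp/unbound" 127.0.0.1  '#DNSSEC=allow-downgrade' 'dns=unbound'
for stage in step1 update unbound; do
    printf '%-8s %s\n' "$stage" "$(dns_verdict "$tmp/$stage")"
done
rm -rf "$tmp"
```

Calling dns_verdict with no argument reads the live files under /etc. A direct-upstream result means applications are still sending queries straight to an outside server, as with the temporary Step 1 edit.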
60 Comments
Thanks for the tip! Ubuntu amateur developer force strike again.
You’re welcome Mark.
Today, after updating my packs (‘sudo apt-get update and upgrade’)….the internet has gone))). And it’s stupid 127.0.0.1:53 in resolv.conf…. Shortly speaking, THANKS man. You’ve helped a lot. Great job!!!!!
You’re welcome.
Thanks a lot, it fixes the bug… how can they let out such a thing?
Thanks for the clear solution Gayan!
But I understand it is only temporary.. and not the ideal solution. And that it should be fixed with recent updates; however, in my case it isn’t, since I did apt-get update & upgrade today, after which the problems arose.
How is such a bug possible?? It affects so many people, why are they letting this happen?
I will bookmark this page and come back after a while to see if anything changed in the situation.
grts
You’re welcome Tom. I’ve actually been using Manjaro KDE for the past few months, and I must confess, I’m beginning to love KDE!
Hi Mark,
This works perfectly.
What about resolvconf, is that now unnecessary?
Thanks a lot, your first solution worked for me
You’re welcome.
Hello (I’m French so excuse my bad English please)
I think I have the same problem in Ubuntu Budgie, which is based on Ubuntu 17.04, so I want to do this solution, but in my resolv.conf I have 3 lines and not just 127.0.0.1.
I have:
nameserver 89.2.0.1
nameserver 89.2.0.2
search numericable.fr
What is the solution for me?
Hi,
Just replace 89.2.0.1 with 8.8.8.8 and then follow the steps.
I’ve had this issue for a while, and your solution of installing the different package finally got rid of it.
Thank you so much!
You’re welcome 🙂 .
Hi Gayan, followed your rewritten steps. Works like a charm now!
Many Thanks.
HF
You’re welcome Hans.
I am trying to run the Ubuntu 17.10 from live DVD, and was having the same DNS issues.
However, it seems that unbound is not there in Ubuntu 17.10.
I did a “sudo apt-get update” and still have not been able to install unbound. I could install from source but don’t think that would put the systemd components in. Any ideas on how to do this in 17.10?
That’s weird… just for the sake of it, just make sure all the default software sources (https://help.ubuntu.com/community/Repositories/Ubuntu) are enabled. If not, manually enable them, run ‘sudo apt-get update’ and then try installing ‘unbound’.
I was having problems with the DNS in ubuntu *18.04* (specifically, a failure to bring up the wifi dialogue at a local hotspot), and eventually stumbled on your blog. Switching the service to ‘unbound’, as you describe, fixed the problem. I wonder why/how this known bug from 17.04 found its way into 18.04.
Thank you so much for taking the time to figure this out, and to publicize your findings!
You’re welcome Paul.
Hey Gayan, This is DA-SH*T!!!
After following your well documented tips / advice that led to: (sudo systemctl enable unbound), my system now works like a charm! My browsing speeds have never EVER been this fast!
THANK YOU VERY MUCH – #KUDOSGAYAN
#HouDoe
You’re welcome 🙂 .
Well, it’s 2019, and systemd-resolved is still a sh*t product. However, your article made Ubuntu 18.04 work perfectly, and NetworkManager DNS settings actually work now! Poettering should stick to init.
You’re welcome.
It’s Jan 2020 and your article just cured my weeks-long headache. Gracias.
You’re welcome.