I can’t believe that I haven’t written anything for the past 4 months for my website! But I promise that I’ll add fresh content in the future (yes an Ubuntu 17.04 review is on the way). One reason why I was not able to add new ‘Linux’ operating system reviews was because after I switched to a new laptop a few months ago, I created a ‘logical volume‘ (a special type of partitioning method, mostly used in server environments) for testing GNU/Linux distributions, rather than creating a traditional partition (which is what I had in the old laptop). And the thing is, some distributions don’t yet support installing into logical volumes. Therefore, I missed a number of new releases of GNU/Linux distributions that I used to write about, simply because the installers couldn’t install the operating systems to the logical volume. So, out of frustration, I took the trouble of completely changing the partition layout of the new laptop and recreated a traditional partition for testing new distributions. Therefore, I’ll be updating the site in the future with new reviews.
So anyhow, coming back to the purpose of this post… I installed the newly released Ubuntu 17.04 and have been using it for the past 2-3 days now. And after gathering the performance related data (for the upcoming review of course), one thing that I immediately noticed was that sometimes I could not visit certain websites, websites that I quite frequently use (such as Facebook, YouTube etc). This was quite irritating and every time this happened, the web browser simply complained with the “Server not found” error. Now Firefox uses this error message for reporting a number of other issues, not just when it’s having DNS issues (for non-technical people, a DNS related error mostly means the web browser can’t convert the human readable addresses of a website into numbers, which is essential for properly loading any website).
But since I’ve been having this issue only with a few websites that I frequently use and those websites aren’t the ones that go down easily (meaning that whatever is wrong, it was probably from my end, and it most probably had something to do with the DNS cache not being properly updated), and since other websites most of the time loaded without big issues (although, there were certain unusual delays as well), I just suspected that this was a DNS issue from the operating system’s end (yes I used command-line tools to ‘confirm’ this as well).
Now I tried a few suggestions that I found on the web, but nothing worked out for me. However, with the help of a couple of pointers, I realized that this issue was originating from a service called ‘systemd-resolved’. This is a DNS caching and validating service that comes pre-installed with Ubuntu 17.04. Luckily, you can use this command-line utility to figure out the causes of certain DNS related issues.
So out of curiosity, when the system was not able to load certain websites, I fired up the command-line tool and tried to resolve those websites with ‘systemd-resolved’ to see what type of errors I would get. The below screenshot includes a few of those instances where ‘systemd-resolved’ gave me the following error:
www.facebook.com: resolve call failed: DNSSEC validation failed: failed-auxiliary
So obviously it is a DNSSEC validation error. Now DNSSEC is a DNS related security check that verifies the integrity of the DNS data. ‘systemd-resolved’ does let you turn the DNSSEC checking OFF. So that’s what I did next (it’s easy. You just have to open /etc/systemd/resolved.conf, uncomment “DNSSEC” and replace “allow-downgrade” with “off”) and it worked like a charm.
However, since DNSSEC is there to protect you from outside infiltration, it’s not recommended to turn it OFF. So what is the solution then? Well, the easiest solution I saw was to totally disable the troublesome ‘systemd-resolved’ service and replace it with a similar utility, one that actually works.
Luckily there are a few, and it’s important to choose one that is also supported by the NetworkManager to avoid further conflicts and also so that you can get away with minimal manual configuration. So I chose this other one called “unbound” which also supports DNSSEC validation and fully supports ‘systemd’ as well.
So basically that’s what I did. I simply disabled the troublesome ‘systemd-resolved’ and replaced it with ‘unbound’ and so far everything is working quite well. Sometimes I do feel a slight delay, but it’s certainly better than having the ‘systemd-resolved’ that refuses to load websites entirely.
Update: Here & there, even with ‘unbound’, I still get long delays when loading websites (15-20 seconds long), but unlike with ‘systemd-resolved’, after the delay the websites start to load properly, at least.
However, if you’re okay with not having DNSSEC enabled at the moment (because again, with it disabled, everything seems to work just fine) then you can forget about following the rest of the guide to enable ‘unbound’ and simply disable DNSSEC in ‘systemd-resolved’ until Ubuntu comes up with a solution (Update_2: Apparently the previous version of Ubuntu came with DNSSEC set to off according to Ubuntu developers, yes I too was aware of that. And they simply had decided to enable it in 17.04, which is what is causing this issue. Therefore, they advise to turn off DNSSEC for ‘systemd-resolved’. You actually don’t have to do anything, including manually editing the configuration file as shown below, just update your software and reboot, because they’ve simply updated ‘systemd-resolved’ to use DNSSEC turned off by default).
For that, first use the below command which’ll open up a configuration file:
sudo nano /etc/systemd/resolved.conf
Then as shown in the below screenshot, uncomment #DNSSEC=allow-downgrade (remove the leading #) and replace allow-downgrade with off. Once done press Ctrl + x keys to save the changes, and when asked to confirm, press y and then hit Enter. Then simply restart ‘systemd-resolved’ service so the changes are applied. For that, enter the below command:
sudo systemctl restart systemd-resolved
That’s it. But remember, now you’re running DNS queries without DNSSEC which could create security risks. If you don’t feel comfortable with this, then roll back the changes you made to the configuration file and simply follow the below steps to replace ‘systemd-resolved’ with ‘unbound’.
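The edit to /etc/systemd/resolved.conf only takes effect when the DNSSEC line is no longer a comment, which is easy to get wrong. The following check is an added example, not part of the original post; the function names and the sample files are constructed for illustration, and drop-in directories are not read.

```shell
#!/bin/sh
# Added example, not from the original post: print the DNSSEC= value that a
# resolved.conf-style file really sets. Drop-in directories are not read.

effective_dnssec() {   # $1 = path to the file (hypothetical helper name)
    awk '
        /^[ \t]*[#;]/ { next }          # comment: "#DNSSEC=off" sets nothing
        /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\]/); next }
        in_resolve && /^[ \t]*DNSSEC[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop the "DNSSEC=" part
            sub(/[ \t]+$/, "", val)         # drop trailing blanks
            found = val                     # a later assignment overrides
        }
        END { if (found == "") found = "unset"; print found }
    ' "$1"
}

describe_dnssec() {    # $1 = value printed by effective_dnssec
    case "$1" in
        unset)            echo "built-in default applies" ;;
        no|false|off|0)   echo "validation disabled" ;;
        allow-downgrade)  echo "validates, but accepts servers without DNSSEC" ;;
        yes|true|on|1)    echo "strict validation" ;;
        *)                echo "unrecognised value" ;;
    esac
}

# Constructed sample files, written to a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[Resolve]\n#DNSSEC=allow-downgrade\n' > "$tmp/stock.conf"
printf '[Resolve]\n#DNSSEC=off\n'             > "$tmp/still-commented.conf"
printf '[Resolve]\nDNSSEC=off\n'              > "$tmp/edited.conf"

for f in stock still-commented edited; do
    v=$(effective_dnssec "$tmp/$f.conf")
    printf '%-16s DNSSEC=%-6s %s\n' "$f" "$v" "$(describe_dnssec "$v")"
done
```

On a real system, call effective_dnssec with /etc/systemd/resolved.conf before restarting the service.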
End of Update
Now I actually completely re-wrote this entire article, because the previous answer (content) that I put here was not the most optimal one (plus, I also had slightly misconfigured one of NetworkManager’s settings which was embarrassing) because with that answer, things were not fully automated (for instance, if you travel a lot with your laptop and connect to lots of private networks that use internal DNSs, then you would’ve had to manually enter the IP of those internal DNS every time you connect, which was quite irritating. But with ‘unbound’ there is no need for such undertaking, everything is fully automated). So without any further delays, here’s how you can fix this ‘systemd-resolved’ DNS issue in Ubuntu 17.04.
Step 1: Let’s install ‘unbound’ first. However, under some conditions with our troublesome ‘systemd-resolved’ you can’t even install software applications on Ubuntu 17.04 either (if you can install software from the Ubuntu servers, then skip this Step and go to Step 2).
So the easiest solution to temporarily fix the issue is to manually enter a reliable, global and trustworthy DNS server (I’ll be using Google’s free DNS service) into the system-wide configuration file that applications rely on for retrieving the DNS IPs. It’s located in /etc/resolv.conf. So let’s do that first.
For that, enter the below command. This will open up that file in a command-line editor called ‘nano’:
sudo nano /etc/resolv.conf
Once opened, delete the IP address that is put there after the ‘nameserver’ argument, by the troublesome ‘systemd-resolved’ service, and simply enter Google’s DNS IP. For IP version 4 users, use the below one:
For IP version 6 use the below one instead:
Now simply press Ctrl + x keys to save the changes. When asked whether you want to save the changes or not, simply press y and then hit the Enter key. That’s it, now you should have a working internet connection, temporarily.
Step 2: Now enter the below command to install ‘unbound’ into Ubuntu 17.04:
sudo apt-get install unbound
Step 3: Now let’s disable the troublesome ‘systemd-resolved’ first and then we’ll stop its already running instance. For that, use the below commands:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
Step 4: Now let’s configure NetworkManager to use ‘unbound’ instead of ‘systemd-resolved’. For that we need to edit one of its main configuration files (it’s quite easy) and manually enter a single configuration setting. So let’s open up the configuration file first by using the below command:
sudo nano /etc/NetworkManager/NetworkManager.conf
Once opened, copy the below code and simply enter it in a new field, just below the ‘plugins=…’ option (as illustrated in the below screenshot as well):
Again to save our changes, press the Ctrl + x keys and then press y and hit Enter to confirm.
Step 5: Now let’s enable the newly installed ‘unbound’ in systemd (it’s actually automatically enabled when you install it, but we’ll re-enable it just in case) using the below two commands:
sudo systemctl enable unbound-resolvconf
sudo systemctl enable unbound
Step 6: Now we’re almost done. Just reboot the computer for the changes to take effect.
From next time on, those DNS issues that you were having with ‘systemd-resolved’ on Ubuntu 17.04 should be gone and websites should load without big issues with DNSSEC turned ON. Good luck.
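To confirm that answers really are being validated after the switch, one check is the AD (authenticated data) flag in the header of a `dig +dnssec` reply. The classifier below is an added example, not part of the original post; the function names are hypothetical and the header lines it is fed are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: classify a `dig` reply by
# whether the resolver reports DNSSEC validation (the "ad" header flag).

dnssec_status() {   # reads dig output on stdin (hypothetical helper name)
    awk '
        /->>HEADER<<-/ {
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)
            sub(/;.*/, "", flags)               # keep only the flag list
            ad = ((" " flags " ") ~ / ad /)
        }
        END {
            if (status == "")              print "no-response"
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR")  print "error-" status
            else if (ad)                   print "validated"
            else                           print "not-validated"
        }
    '
}

sample_reply() {    # $1 = status, $2 = flag list; constructed dig header lines
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 4711\n' "$1"
    printf ';; flags: %s; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n' "$2"
}

# "not-validated" means either an unsigned zone or a resolver that does not
# validate; "servfail" is what a validating resolver returns when a check fails.
sample_reply NOERROR  "qr rd ra ad" | dnssec_status   # validated
sample_reply NOERROR  "qr rd ra"    | dnssec_status   # not-validated
sample_reply SERVFAIL "qr rd ra"    | dnssec_status   # servfail

# Live use, assuming dig is installed and a signed domain is queried:
#   dig +dnssec www.example.org | dnssec_status
```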