DNS problems after upgrading to Fedora 33

After installing Fedora 33, everything seemed perfect until I connected to my work VPN (Cisco AnyConnect): I cannot reach the work sites that I access through the VPN, for example git.mycompany.mx. The error I get in the Chrome browser is:

DNS_PROBE_FINISHED_NXDOMAIN

I have already set 8.8.8.8 as the DNS server and turned off the firewall, but I have not been successful. It only happens with my company's domains, for which I use the VPN. I rule out VPN problems because I have managed to connect to SSH servers without problems, and I can access all public domains without problem. I hope someone can help me.

Please read this post here and follow the steps it recommends. I’d like to see, in particular, the output of resolvectl domain and resolvectl dns. To keep your issue separate from that issue, please reply here, NOT in that thread. Thanks.

How exactly did you set this? And why? 8.8.8.8 is obviously not going to be able to resolve your company’s internal domain names?

Modify your connection and re-establish it to apply changes:

# Quote the routing domain so the shell does not attempt ~user expansion
sudo nmcli connection modify id VPN_CON \
    ipv4.dns COMPANY_DNS_IP ipv4.dns-search '~mycompany.mx'

See also:

OK, your configuration is really strange. Let’s make sure you understand what this all means:

  • Send all DNS requests for localdomain or google.com to your global DNS servers, 10.67.76.11 or 10.67.76.12. This is very strange. Those look like your VPN’s DNS servers? Those should normally be configured for your VPN interface (cscotun0), not globally.
  • Send all other DNS requests to both the DNS servers for enp8s0 and for wlp9s0f0, which is your router OR to Google. It’s strange that you’ve configured Google only for your wi-fi interface but not for your ethernet interface – that’s probably a mistake – and it’s also strange that you’ve configured the wifi interface to use BOTH your router AND Google, since normally you would want one or the other. But this is probably harmless, and certainly not related to your bug.
  • Notably, your VPN interface cscotun0 has no DNS domain, meaning it has been configured to never receive DNS. That is, it is expected that you cannot resolve internal domain names, because your VPN interface has no DNS domains!

Finally, I notice that google.com is configured as a search domain rather than a routing domain. I think this means that you’re appending google.com to single-label queries. E.g. when you look up any single-label domain, like say mail, it should also search for mail.google.com. Try typing resolvectl query mail and see what happens. It’s not so unusual to do it for localdomain, but doing it for google.com is really weird. I don’t see why you would ever want that.

So when you try to look up git.mycompany.mx, systemd-resolved says “this is not localdomain or google.com, so I should use the catch-all domain ~., which is configured for enp8s0 and wlp9s0f0. So I should send the request to fe80::1%22034, 2001:4860:4860::8888, 192.168.100.1, or 8.8.8.8. I can pick any one of those, and if it doesn’t respond, I’ll try another. But if one does reply and say that git.mycompany.mx does not exist, then it really doesn’t exist and I should give up.” And all of those servers say it doesn’t exist, because those are public servers but the domain is internal. Guess: only 10.67.76.11 or 10.67.76.12 would be able to resolve it successfully. Please confirm that by running dig @10.67.76.11 git.mycompany.mx to see whether those are indeed the right DNS servers to use for your internal domains.

That might work, because cscotun0 has no configured DNS server, so I guess it will use the Global settings, and the Global settings appear to be the VPN’s DNS servers. So I agree that this might work.

But it’s really weird that the VPN’s DNS has been configured as global DNS. It would be better to configure it for cscotun0 instead, since that is the VPN interface. I wonder how this happened. pblmx, I wonder if you did anything special when you originally configured this VPN…?

Also, the google.com search domain, while not related to this bug, is very strange. Did you set that up intentionally? You can probably access Google Mail just by typing mail and nothing else into your address bar? Same for Google Maps if you type maps alone? That is wild…

My guess is you configured 8.8.8.8 in System Settings, but left the Automatic DNS toggle button checked. Then you get both 8.8.8.8 and your normal DNS configured via DHCP. Usually, Automatic DNS would be disabled if adding 8.8.8.8 to ensure only Google is used, but it’s perfectly fine to leave it enabled – as you have done – if you just want it as a backup and don’t mind that your DNS could go to either place.

You probably want to add it to your wired connection too, since it uses the same DNS servers as your wifi connection, and it doesn’t make sense to have different settings for one but not the other.
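
The routing behaviour explained in this thread (the longest matching domain wins, ~. is the catch-all), as an added example that is not from any participant or from systemd: a simplified Python model run over constructed resolvectl domain-style text that mirrors the configuration discussed. Link numbers, the per-interface server split and the function names are assumptions; it shows why git.mycompany.mx reaches the public resolvers until the VPN link gets ~mycompany.mx.

```python
# Added example: simplified model of the systemd-resolved routing explained above.
# Link numbers and the per-link server split are constructed for illustration.
BROKEN = """\
Global: localdomain google.com
Link 2 (enp8s0): ~.
Link 3 (wlp9s0f0): ~.
Link 5 (cscotun0):
"""
# Same layout after giving the VPN link a routing domain (the nmcli change above).
FIXED = BROKEN.replace("(cscotun0):", "(cscotun0): ~mycompany.mx")
VPN_DNS = ["10.67.76.11", "10.67.76.12"]
SERVERS = {"Global": VPN_DNS, "enp8s0": ["192.168.100.1"],
           "wlp9s0f0": ["192.168.100.1", "8.8.8.8"], "cscotun0": []}
FIXED_SERVERS = dict(SERVERS, cscotun0=VPN_DNS)

def parse_domains(text):
    """Parse `resolvectl domain`-style lines into {scope: [domain, ...]}."""
    scopes = {}
    for line in text.strip().splitlines():
        head, _, rest = line.partition(":")
        name = head.strip()
        if "(" in name:  # "Link 5 (cscotun0)" -> "cscotun0"
            name = name[name.index("(") + 1:name.rindex(")")]
        scopes[name] = rest.split()
    return scopes

def match_len(name, domain):
    """Number of labels matched by a search or routing (~) domain, -1 if none."""
    d = domain.lstrip("~").rstrip(".").lower()
    n = name.rstrip(".").lower()
    if not d:
        return 0  # "~." matches everything, but with the lowest priority
    return d.count(".") + 1 if n == d or n.endswith("." + d) else -1

def route(name, domains, servers):
    """Return (scopes, servers) asked for `name`: the longest matching domain wins."""
    scores = {s: max((match_len(name, d) for d in doms), default=-1)
              for s, doms in domains.items()}
    top = max(scores.values(), default=-1)
    if top < 0:
        return [], []
    chosen = sorted(s for s, v in scores.items() if v == top)
    return chosen, list(dict.fromkeys(ip for s in chosen for ip in servers.get(s, [])))

def leaked(names, internal, domains, servers):
    """Names that would reach at least one resolver outside `internal`."""
    return [n for n in names
            if any(ip not in internal for ip in route(n, domains, servers)[1])]

if __name__ == "__main__":
    for label, text, srv in (("broken", BROKEN, SERVERS), ("fixed", FIXED, FIXED_SERVERS)):
        print(label, route("git.mycompany.mx", parse_domains(text), srv))
```

The leaked() helper can be pointed at a list of internal hostnames to check that none of them would be sent to a resolver outside the VPN.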