Fedora 31 can't resolve dns names anymore

Hello forum,

Since yesterday evening the DNS resolution on my notebook running Fedora 31 is not working anymore.
My DNS server is running on my OPNsense firewall at 192.168.2.1.
My DNS zone is called home.

If I put

nameserver 192.168.2.1
search home

in /etc/resolv.conf I can’t resolve any name.

If I try another dns server like 8.8.8.8 or 1.1.1.1 it works.
On my other machines it works without any problem.

Any help would be appreciated.

Thanks.

Hello @pascal3366 and welcome to the community. Please read #start-here category if you haven’t already done that.

Regarding your issue, let’s try to identify the problem.
What is the result of this command?

dig @192.168.2.1 fedoraproject.org

; <<>> DiG 9.11.20-RedHat-9.11.20-1.fc31 <<>> @192.168.2.1 fedoraproject.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Yes, I already tried that.
My PC can’t reach the DNS server.

Well. If using another DNS works, there are at least two cases: either your Fedora box’s firewall blocks outgoing queries to 192.168.2.1, or your OPNsense firewall blocks incoming DNS queries from your Fedora box.


I already thought that, so I tried flushing all iptables rules.

On the OPNsense firewall I have no firewall rules regarding my Fedora machine.

Are you able to sniff traffic on opnsense? (Using tcpdump?)

From the Fedora box, what is the result of
sudo nmap -sU 192.168.2.1 -p 53

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-02 14:04 CEST
sendto in send_ip_packet_sd: sendto(7, packet, 40, 0, 192.168.2.1, 16) => Operation not permitted
Offending packet: UDP 192.168.2.247:48398 > 192.168.2.1:53 ttl=55 id=1224 iplen=40
sendto in send_ip_packet_sd: sendto(7, packet, 40, 0, 192.168.2.1, 16) => Operation not permitted
Offending packet: UDP 192.168.2.247:48399 > 192.168.2.1:53 ttl=57 id=36928 iplen=40
Nmap scan report for 192.168.2.1
Host is up (0.0010s latency).

PORT STATE SERVICE
53/udp open|filtered domain
MAC Address: 00:0D:B9:55:AE:29 (PC Engines GmbH)

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds

I suppose you checked this. But just to be sure, what is the result of these commands?

sudo firewall-cmd --state

sudo firewall-cmd --list-all

Sorry, but all these questions could be useful to draw a picture of the situation.

No I just checked the iptables rules so far

the state is: running

and the rules are:

public (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client http https ipp ipp-client mdns ssh unifi
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Just a test, in order to definitely exclude the Fedora firewall.
sudo systemctl stop firewalld
Then retry with dig


Oh interesting, it seems like it got resolved

I can’t post the output here because “new users can only post 2 links”.
Mhhh, here is the output: Paste.ee


I just set 192.168.2.1 in /etc/resolv.conf again and it works :slight_smile:

So it seems that it is actually the firewall, although I already tried to flush all iptables rules.

So, with the Fedora firewall disabled it works.

Please pay attention. At least in F32, firewalld switched from iptables to nftables.
I don’t know the situation on F31. I think that it was still using iptables, but I’m unsure.

Please restart the firewall. Name resolution doesn’t work again?


Uhm, name resolution still works.
That’s strange.

Maybe a transient (runtime) rule was added to the firewall?
For instance, if the firewall-cmd is used without the --permanent option, a change will only be part of the runtime configuration. When the firewall will be restarted, the rule will be lost.
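The runtime-versus-permanent distinction described above can be checked mechanically. The following script is an added example and is not code from the thread: it takes two zone listings in the format that `firewall-cmd --list-all` prints (the two listings embedded here are constructed samples, not output from anyone in this thread), reports whether a zone admits inbound DNS at all, and lists every service, port or protocol entry that exists only in the runtime configuration and would therefore vanish on `firewall-cmd --reload` or a firewalld restart.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a firewalld zone admits
# DNS, and list items that exist only in the runtime configuration and would
# therefore disappear on `firewall-cmd --reload` or a firewalld restart.
# The two listings below are constructed samples in the format that
# `firewall-cmd --list-all` prints; they are not output from the thread.

RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources:
  services: dhcpv6-client dns http https mdns ssh
  ports: 53/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources:
  services: dhcpv6-client http https mdns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_allows_dns: read one zone listing on stdin. Exit 0 when the zone opens
# inbound DNS (the "dns" service, or port 53 on udp or tcp), exit 1 otherwise.
# These entries govern traffic *into* the host; a DNS client's outgoing
# queries are not subject to them.
zone_allows_dns() {
    awk '
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
        /^[[:space:]]*ports:/    { for (i = 2; i <= NF; i++) if ($i == "53/udp" || $i == "53/tcp") found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# flatten_zone FILE: turn "services: a b c" style lines into one "services a"
# line each (for services, ports, protocols and source-ports), sorted so the
# two configurations can be compared with comm(1).
flatten_zone() {
    awk -F': *' '
        $1 ~ /^[[:space:]]*(services|ports|protocols|source-ports)$/ {
            key = $1; sub(/^[[:space:]]+/, "", key)
            n = split($2, items, " ")
            for (i = 1; i <= n; i++) print key, items[i]
        }
    ' "$1" | LC_ALL=C sort
}

# runtime_only_items RUNTIME_FILE PERMANENT_FILE: print every flattened item
# present in the runtime listing but absent from the permanent one.
runtime_only_items() {
    rt_flat=$(mktemp) || return 1
    perm_flat=$(mktemp) || return 1
    flatten_zone "$1" > "$rt_flat"
    flatten_zone "$2" > "$perm_flat"
    LC_ALL=C comm -23 "$rt_flat" "$perm_flat"
    rm -f "$rt_flat" "$perm_flat"
}

# runtime_only_from_samples: run the comparison on the constructed samples.
# On a real host, feed the output of
#   sudo firewall-cmd --list-all             (runtime)
#   sudo firewall-cmd --permanent --list-all (permanent)
# into runtime_only_items instead.
runtime_only_from_samples() {
    rt=$(mktemp) || return 1
    perm=$(mktemp) || return 1
    printf '%s\n' "$RUNTIME_SAMPLE" > "$rt"
    printf '%s\n' "$PERMANENT_SAMPLE" > "$perm"
    runtime_only_items "$rt" "$perm"
    rm -f "$rt" "$perm"
}

if printf '%s\n' "$RUNTIME_SAMPLE" | zone_allows_dns; then
    echo "runtime zone admits inbound DNS"
else
    echo "runtime zone does not admit inbound DNS"
fi
echo "items that exist only at runtime (lost on reload):"
runtime_only_from_samples
```

On the constructed samples the comparison reports `ports 53/udp` and `services dns` as runtime-only, which is exactly the kind of entry that disappears when firewalld is reloaded. Note that the whole check concerns inbound rules on the Fedora host; it does not explain why an outgoing client query would be affected, which is the open question in this thread.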

Ok, so the update to Fedora 32 is now finished and the firewall problem still persists.

However, nftables is not installed.
I’m still using iptables.

I just checked the iptables rules; there is no rule in nat, filter, or mangle.

Still, iptables blocks DNS somehow.

Ok, I just did

sudo firewall-cmd --permanent --zone=home --add-port=53/tcp

and then

sudo firewall-cmd --reload

now it is working :slight_smile:

Why home zone? Wasn’t it public the active one?
And what about zone home? There isn’t any home zone by default AFAIK.
:thinking: :thinking:


This is confusing, as the rules for incoming DNS traffic are in no way related to the role of the DNS client.
And firewalld should not affect outgoing traffic that DNS queries fall into.
