Fedora 33, DNS, Firefox and Chrome

Dear All,

I have been meeting strange DNS problems in Fedora 33 that I did not meet in Fedora 32. I spent some time trying to debug them and then thought of asking for help. This is the behavor I see:

  • Out of the box, WiFi gets assigned a DNS server automatically, but on my laptop no browser can resolve any DNS query
  • If I manually switch on Fedora the WiFi connection to use 1.1.1.1 as a DNS server instead of the automatically assigned one, Firefox can solve DNS calls and works fine, while any Chrome-based browser (Chrome, Chromium, Vivaldi) hangs like it cannot solve the DNS query
  • Setting the router to use 1.1.1.1 as a DNS does not solve the problem

All this is without VPN. Other users have reported here problems when connected to VPN, but for me it happens with a normal connection. I tried to switch to use the hotspot functionality from my phone (bypassing the router, to check if the problem could be with the router) but the problem persists.

Some people think that DNS problems could be caused by the move to systemd-resolved and advise to disable it, but I’d rather keep it on and try to debug the problem: I can use Firefox just fine.

Could we please try to debug the problem together? Let me know if you need more information about the system!

Val

1 Like

To isolate the issue, try to disable automatic DNS:

sudo nmcli connection modify id CON_NAME \
    ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes

And re-establish the connection to apply changes.
This should make systemd-resolved to use failover DNS.

I have a similar problem too. I have 2 fedora systems and i only use firefox. Laptop when connected with wifi has no problem even with VPN enabled but when i switch to ethernet, problem appears. Desktop connected with cable has the same issue. I tried some suggestions such as disabling local dns, disabling VPN, using 1.1.1.1 dns, but problem remains. This issue happened lately after applying updates ( i think).

i tried this command but problem remains

Post the output:

resolvectl dns; resolvectl domain; \
grep -e ^hosts: /etc/nsswitch.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf

Try to enable DNS encryption:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved.service

Thank you for your help. Multiple reboots have not solved the problem. Then, today, after an accidental reboot, the system started working. So now it works, but I don’t know why. The output:

❯ resolvectl dns; resolvectl domain;
grep -e ^hosts: /etc/nsswitch.conf;
grep -v -e ^# -e ^$ /etc/resolv.conf

Global:
Link 2 (wlp58s0): 1.1.1.1
Link 3 (virbr0):
Link 4 (virbr0-nic):
Global:
Link 2 (wlp58s0): ~.
Link 3 (virbr0):
Link 4 (virbr0-nic):
hosts:      files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] myhostname dns
nameserver 127.0.0.53
options edns0 trust-ad

Do you see anything strange? Regarding turning on the DNS encryption, the directory
/etc/systemd/resolved.conf.d/ does not exist in my Fedora 33 installation.

1 Like

I updated the post above.
Also remove the custom DNS server and check again.

Thank you @vgaetera, do you mean I should set WiFi to get automatically the DNS server from the router?

Disable automatic DNS and remove custom DNS.

Thank you done. Here is the result:

❯ resolvectl dns; resolvectl domain;
grep -e ^hosts: /etc/nsswitch.conf;
grep -v -e ^# -e ^$ /etc/resolv.conf
Global:
Link 2 (wlp58s0):
Link 3 (virbr0):
Link 4 (virbr0-nic):
Global:
Link 2 (wlp58s0):
Link 3 (virbr0):
Link 4 (virbr0-nic):
hosts:      files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] myhostname dns
nameserver 127.0.0.53
options edns0 trust-ad

Now every time I reboot, the status of Chrome-based browser changes. Sometimes they work until the next reboot, sometimes they don’t until I reboot

1 Like

Check this way:

resolvectl --no-pager status; resolvectl query fedoraproject.org

Here it is:

❯ resolvectl --no-pager status; resolvectl query fedoraproject.org
Global
       LLMNR setting: resolve             
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
  Current DNS Server: 8.8.8.8             
Fallback DNS Servers: 1.1.1.1             
                      8.8.8.8             
                      1.0.0.1             
                      8.8.4.4             
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844

Link 2 (wlp58s0)
      Current Scopes: LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: no                   
       LLMNR setting: yes                  
MulticastDNS setting: no                   
  DNSOverTLS setting: no                   
      DNSSEC setting: no                   
    DNSSEC supported: no                   

Link 3 (virbr0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 4 (virbr0-nic)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  
fedoraproject.org: 2620:52:3:1:dead:beef:cafe:fed6 -- link: wlp58s0
                   2610:28:3090:3001:dead:beef:cafe:fed3 -- link: wlp58s0
                   2605:bc80:3010:600:dead:beef:cafe:fed9 -- link: wlp58s0
                   2620:52:3:1:dead:beef:cafe:fed7 -- link: wlp58s0
                   2604:1580:fe00:0:dead:beef:cafe:fed1 -- link: wlp58s0
                   2605:bc80:3010:600:dead:beef:cafe:feda -- link: wlp58s0
                   140.211.169.206             -- link: wlp58s0
                   67.219.144.68               -- link: wlp58s0
                   140.211.169.196             -- link: wlp58s0
                   8.43.85.73                  -- link: wlp58s0
                   8.43.85.67                  -- link: wlp58s0
                   152.19.134.142              -- link: wlp58s0
                   152.19.134.198              -- link: wlp58s0
                   38.145.60.20                -- link: wlp58s0
                   209.132.190.2               -- link: wlp58s0
                   38.145.60.21                -- link: wlp58s0
1 Like

Looks fine, perhaps this is not related to DNS.
I guess you should perform general network diagnostics:

mtr -4 -wbc 50 fedoraproject.org; \
mtr -6 -wbc 50 fedoraproject.org; \
ip -s link show

Here is the results, with the first lines obscured to hide my location for privacy. Currently every time I suspend or reboot, Chrome’s working status can change. It’s weird. Maybe you are right and it’s not a DNS problem at all, and it’s a generic network problem. But I did not have it with Fedora 32. Anyway, here is the result:

mtr -6 -wbc 50 fedoraproject.org; \
ip -s link show
Start: 2020-11-24T08:46:15-0800
HOST: vlmlaptop                                                    Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- _gateway (192.168.1.1)                                        0.0%    50    2.0   3.7   1.9  26.2   4.9
  2.|-- XX.XX.XX.XX                                                 0.0%    50   14.5  12.7  10.3  33.2   3.6
  3.|-- XX.XX.XX.XX                                                 0.0%    50   13.8  12.8  10.1  21.0   2.7
  4.|-- blah.blah.comcast.net (69.139.199.197)  0.0%    50   11.0  14.5  11.0  40.5   5.1
  5.|-- blah.blah.comcast.net (68.86.143.93)     0.0%    50   13.8  19.5  11.7 168.0  25.6
  6.|-- blah.blah.Level3.net (4.68.72.105)                 0.0%    50   15.4  17.2  10.7  47.7   7.1
  7.|-- ae-2-5.bar1.Raleigh1.Level3.net (4.69.217.46)                 0.0%    50   77.3  81.6  76.6 105.4   4.9
  8.|-- RED-HAT-INC.bar1.Raleigh1.Level3.net (4.7.134.2)              0.0%    50   79.0  82.5  77.6 130.9   9.3
  9.|-- ip-197-190-132-209.redhat.com (209.132.190.197)               0.0%    50   84.2  90.5  79.3 205.7  20.1
 10.|-- proxy13-rdu02.fedoraproject.org (209.132.190.2)               0.0%    50   80.3  80.4  77.5 105.4   4.8
mtr: udp socket connect failed: Network is unreachable
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    1353660    758      0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    1353660    758      0       0       0       0       
2: wlp58s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 9c:b6:d0:e2:29:31 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    192464792  148193   0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    5372167    38985    0       0       0       0       
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:e3:96:f5 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0       
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:e3:96:f5 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0
1 Like

If you are using Google Chrome, check whether DoH is enabled or not in the browser:

Dear @vgaetera, the flag is not present for me and the settings say that chrome is managed by an organization. If you google online, you will find that Chrome figured out that the DNS server is not compatile with DNS over https, and turned it off. Thank you again for helping me with this

1 Like

If possible, check whether the problem persists in Chromium installed from the main Fedora repository or Chromium Freeworld from RPM Fusion.
Try to reproduce the issue under a new user with default profile.

Problem fixed for me. I tried some suggestions but i reverted all to initial settings (local dns, auto dns) and now everything works as expected. I tried chrome and epiphany and everything worked ok but firefox remained sluggish. I changed firefox setting to no proxy (was system-proxy) and from now firefox works like other browsers. Even VPN is ok. Still don’t know what was the problem.

If you have proxy configured that you are not aware of, this may be a serious security issue.

@charnik I tried the same, no luck. @vgaetera Yes, it happens also with Chromium installed from the Fedora repos:

Installed Packages
Name         : <font color="#2AA1B3">chromium</font>
Version      : 87.0.4280.66
Release      : 1.fc33
Architecture : x86_64
Size         : 317 M
Source       : chromium-87.0.4280.66-1.fc33.src.rpm
Repository   : @System
From repo    : updates
Summary      : A WebKit (Blink) powered web browser
URL          : http://www.chromium.org/Home
License      : BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and OpenSSL and (MPLv1.1 or GPLv2 or LGPLv2)
1 Like