systemd-resolve resolves incorrectly inside a network namespace

mosquetero

8/13/23, 8:21 AM

I have an Ubuntu machine with a network namespace (ns1) connected to the host network namespace via veth. I created a MASQUERADE rule in iptables to access the internet and I can ping 8.8.8.8 from the network namespace.

When I do dig google.com from the host, it works and I see in the main interface:

08:03:02.376478 IP 10.0.10.40.51566 > 10.0.10.2.53: 48449+ [1au] A? google.com. (39)
08:03:02.378335 IP 10.0.10.2.53 > 10.0.10.40.51566: 48449 1/0/1 A 216.58.204.110 (55)

However, when I execute dig in the network namespace: sudo ip netns ns1 dig google.com, it does not work and this is what I see in the main interface of the host:

08:03:09.033958 IP 10.0.10.40.50888 > 10.0.10.2.53: 32798+ [1au] A? ip-10-0-10-40.eu-west-3.compute.internal. (69)
08:03:09.034152 IP 10.0.10.40.36297 > 10.0.10.2.53: 43961+ [1au] AAAA? ip-10-0-10-40.eu-west-3.compute.internal. (69)
08:03:09.034460 IP 10.0.10.2.53 > 10.0.10.40.50888: 32798 NXDomain 0/1/1 (144)
08:03:09.034460 IP 10.0.10.2.53 > 10.0.10.40.36297: 43961 NXDomain 0/1/1 (144)
08:03:09.034559 IP 10.0.10.40.50888 > 10.0.10.2.53: 32798+ A? ip-10-0-10-40.eu-west-3.compute.internal. (58)
08:03:09.034639 IP 10.0.10.40.36297 > 10.0.10.2.53: 43961+ AAAA? ip-10-0-10-40.eu-west-3.compute.internal. (58)
08:03:09.034837 IP 10.0.10.2.53 > 10.0.10.40.50888: 32798 NXDomain 0/1/0 (133)
08:03:09.034906 IP 10.0.10.2.53 > 10.0.10.40.36297: 43961 NXDomain 0/1/0 (133)

Why the request coming from the network namespace is not trying to resolve hostname google.com but hostname ip-10-0-10-40.eu-west-3.compute.internal? The latter is apparently the hostname of my Ubuntu machine

EDIT

If I stop systemd-resolve and add the upstream nameserver, it works. Therefore, it must be an issue with systemd-resolve

0 + 0

linux

ubuntu

linux-networking

network-namespace

systemd-resolve

paladin

8/13/23, 12:13 PM

Use the FQDN `google.com.`. A FQDN always ends with a `.`! Not using a FQDN means you are using a relative domain name, which might be in your case `google.com.yourlocaldomain.`

mosquetero

8/13/23, 3:04 PM

Note that it does not look for `google.com.yourlocaldomain`. there is no google at all. I tried with the dot and same result

paladin

8/13/23, 6:27 PM

Then your DNS server is not resolving recursive. *bind9* DNS server has to be enabled to resolve recursive in its newer versions.

Score:0

Server

Ginnungagap

8/13/23, 6:29 PM

systemd-resolve will rewrite your DNS to point to it on 127.0.0.53 by default. It isn't reachable in the namespace you created so DNS lookups fail.

Try using dig google.com. @1.1.1.1 and it should work, whether systemd-resolve is running or not.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: systemd-resolve resolves incorrectly inside a network namespace

TH: systemd-resolve แก้ไขอย่างไม่ถูกต้องภายในเนมสเปซเครือข่าย

RO: systemd-resolve se rezolvă incorect în interiorul unui spațiu de nume de rețea

RU: systemd-resolve неправильно разрешается внутри сетевого пространства имен

VI: systemd-resolve giải quyết không chính xác bên trong một không gian tên mạng

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.