TL;DR
My DNS queries are slow because systemd-resolved queries the DNS server on IPv4 successfully but repeatedly queries on IPv6 after the DNS server responds with a REFUSED. Is this a resolved config issue? A dnsmasq issue? Or a bug?
I have a stock Ubuntu 20.04 install connected to dnsmasq running on an air-gapped appliance (Ubiquiti EdgeRouter) with top level domain 'bar' (air-gapped, remember, but it doesn't seem to matter what this is, i.e. .com etc.). DNS requests resolve quickly via Mac and Windows clients. For Ubuntu, DNS queries take about 5 seconds to resolve. Searching around, Ubuntu DNS issues are discussed in plenty of places, but the underlying behavior I'm seeing has not been, to my knowledge.
Top level issue: if I ping a machine using Ubuntu, it takes about 5 seconds for the responses to come back:
$ ping foo
PING foo.bar (10.2.1.132) 56(84) bytes of data.
64 bytes from foo.bar (10.2.1.132): icmp_seq=1 ttl=63 time=1.10 ms
64 bytes from foo.bar (10.2.1.132): icmp_seq=2 ttl=63 time=1.02 ms
...
Which seems like an obvious timeout issue. Interestingly, it does resolve though. Running resolvectl status gives me the standard result, including that DNS is being provided by the dnsmasq-issued DHCP lease.
$ resolvectl status
...
lots of stuff
...
Link 3 (enp0s25)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.1.1.1
DNS Domain: ~.
bar
Stopping resolved and running it in debug mode appears to show the issue. The Ubuntu machine queries the DNS server via IPv4 and receives an answer immediately. It then repeatedly queries via IPv6, to which the DNS server responds with REFUSED until it times out.
$ sudo systemctl stop systemd-resolved
$ sudo SYSTEMD_LOG_LEVEL=debug /lib/systemd/systemd-resolved
...
lots of startup logging
...
Got DNS stub UDP query packet for id 40457
Looking up RR for foo.bar IN A.
Switching to DNS server 10.1.1.1 for interface enp0s25.
Cache miss for foo.bar IN A
Transaction 42924 for <foo.bar IN A> scope dns on enp0s25
Also suggesting that this is the issue:
$ nslookup foo
Server: 127.0.0.53
Address: 127.0.0.53
Non-authoritative answer:
Name: foo.bar
Address: 10.2.1.132
...
about 5 seconds go by
...
;; connection timed out; no servers could be reached
$ nslookup -query=A foo
Server: 127.0.0.53
Address: 127.0.0.53
Non-authoritative answer:
Name: foo.bar
Address: 10.2.1.132
$ nslookup -query=AAAA foo
;; connection timed out; no servers could be reached
Questions:
If the DNS server was providing a good IPv4 answer, why would the Ubuntu machine wait while repeatedly trying unsuccessfully to obtain an IPv6 answer?
Is this an Ubuntu configuration issue or a dnsmasq issue?
Thanks in advance.
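As an added diagnostic example (not code from the post above): this Python script sends raw A and AAAA queries straight to the DNS server over UDP, bypassing the 127.0.0.53 stub, and reports the rcode and latency of each reply, so you can see whether the REFUSED / timeout comes from dnsmasq itself or from resolved's retry behaviour. The server 10.1.1.1 and the name foo.bar are taken from the post as defaults; the 2 second timeout is an assumed value.

```python
"""Probe a DNS server directly for A and AAAA records, reporting rcode and latency."""
import socket
import struct
import sys
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28}


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD=1, one question, class IN) for name/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(data: bytes) -> dict:
    """Return txid, QR bit, rcode name and answer count from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0xF
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": an}


def probe(server: str, name: str, qtype: str, timeout: float = 2.0) -> dict:
    """Send one query over UDP and time the reply; rcode is 'TIMEOUT' if none arrives."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            elapsed = round((time.monotonic() - start) * 1000)
            return {"qtype": qtype, "rcode": "TIMEOUT", "ms": elapsed}
    result = parse_response(data)
    result.update(qtype=qtype, ms=round((time.monotonic() - start) * 1000))
    return result


if __name__ == "__main__":
    # Usage: python3 dnsprobe.py [server] [name]; defaults come from the post.
    server = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "foo.bar"
    for qt in ("A", "AAAA"):
        print(probe(server, name, qt))
```

If dnsmasq answers AAAA with REFUSED in a few milliseconds here, the 5 second delay is resolved retrying rather than the upstream being slow.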