1

Proxy fun

I create an Ubuntu 18.10 virtual machine on my Windows 10 host using Vagrant with VMware Workstation 15.
The VM appears to work fine, including most network access.
But for one important host I have no luck:

$ ping -c 4 production.cloudflare.docker.com
ping: production.cloudflare.docker.com: Temporary failure in name resolution

(When I do the very same thing in Cygwin on the Windows host, it works just fine.)

What should be the reason? DNS nameservers!

However, the one that systemd-resolve --status tells me it is using ("Current DNS Server: 8.8.4.4" on eth0, the only interface with considerable RX and TX amounts) works alright when I try it explicitly:

$ dig @8.8.4.4 production.cloudflare.docker.com

; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> @8.8.4.4 production.cloudflare.docker.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45235
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
[...]
production.cloudflare.docker.com. 117 IN A      104.18.122.25
production.cloudflare.docker.com. 117 IN A      104.18.121.25
production.cloudflare.docker.com. 117 IN A      104.18.125.25
production.cloudflare.docker.com. 117 IN A      104.18.124.25
production.cloudflare.docker.com. 117 IN A      104.18.123.25

but when I go through Ubuntu's local proxy, the query fails:

$ dig production.cloudflare.docker.com

; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> production.cloudflare.docker.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60815
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
[...]
;; SERVER: 127.0.0.53#53(127.0.0.53)

Apparently, 127.0.0.53 is not doing what I think it should. (Note I'm a networking newbie.)
What am I missing?

I am not even sure whether this is more an Ubuntu question or a VMware question. Or a Vagrant question maybe?
Shudder.

2 Answers

2

It is a three-byte change!

There are many reports of Ubuntu DNS failures on the web. Like HackSlash's answer, most answers suggest hardwiring the intended nameservers into /etc/resolv.conf. But if I understand correctly, this will disable local caching, which seems silly and a tad antisocial, so I did not want to do this.

What is the problem?

I finally found the explanation in https://superuser.com/a/1200745/372846: Ubuntu's systemd-resolved apparently is unable to properly handle nameservers using DNSSEC. One has to turn off DNSSEC support and all will be fine.

Solution

In file /etc/systemd/resolved.conf, replace the line DNSSEC=yes with DNSSEC=no; then restart the resolver service with sudo systemctl restart systemd-resolved.

My remaining confusion

The above post talked about Ubuntu 17.04, when apparently systemd-resolved was fairly new to Ubuntu. A comment under this answer to the same question states the default will be changed to DNSSEC=no in later versions of Ubuntu. I am on 18.10 and this still has not happened -- nor has the full DNSSEC capability appeared. WTF?
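
Added example, not part of the original answer: a small shell triage that checks for the pattern described in this thread (SERVFAIL from the 127.0.0.53 stub, NOERROR from the upstream server, DNSSEC=yes in resolved.conf) before the setting is changed. The function names and verdict strings are made up for this example, and the sample text is constructed from the output quoted in the question.

```shell
# Added example; sample text is constructed from the output quoted in the question.

# Effective DNSSEC= value from resolved.conf text on stdin: only the [Resolve]
# section counts, comment lines are skipped, the last assignment wins.
effective_dnssec() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*DNSSEC[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = tolower($0)
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Response status (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# diagnose STUB_STATUS UPSTREAM_STATUS DNSSEC_SETTING (verdict names are hypothetical)
diagnose() {
    if [ "$1" = "NOERROR" ]; then
        echo "stub-ok"
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        case "$3" in
            yes|true|on|1) echo "stub-validation-suspected" ;;
            *)             echo "stub-failure-other" ;;
        esac
    else
        echo "upstream-or-network"
    fi
}

# Constructed inputs. On a live system feed the functions with:
#   dig NAME | dig_status            (stub resolver, 127.0.0.53)
#   dig @8.8.4.4 NAME | dig_status   (upstream server, bypassing the stub)
#   cat /etc/systemd/resolved.conf | effective_dnssec
STUB_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60815
;; SERVER: 127.0.0.53#53(127.0.0.53)'
UPSTREAM_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45235'
CONF='[Resolve]
#DNSSEC=no
DNSSEC=yes'

verdict=$(diagnose "$(printf '%s\n' "$STUB_OUT" | dig_status)" \
                   "$(printf '%s\n' "$UPSTREAM_OUT" | dig_status)" \
                   "$(printf '%s\n' "$CONF" | effective_dnssec)")
echo "verdict: $verdict"
```

A verdict of stub-validation-suspected points at the local resolver's DNSSEC handling rather than at the upstream server or the VM's network, which is the case the DNSSEC=no change addresses.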

0

This was answered over on askubuntu. There are many solutions that recommend you install a different resolver.

This answer says you don't need to do that:

if you are looking for a quick and dirty solution, you can just configure systemd-resolved to use your DNS servers globally:

$ cat /etc/systemd/resolved.conf
<...>
[Resolve]
DNS=8.8.8.8 8.8.4.4
<...>

Then restart systemd-resolved.service or reboot.

FULL Q&A: https://askubuntu.com/questions/1012641/dns-set-to-systemds-127-0-0-53-how-to-change-permanently

HackSlash
  • 5,015