2

I've recently set up a CoreDNS server on my "local" tailscale VPN network. Chrome, dig, nslookup, and everything else works with the correct DNS server being queried (I've double checked using wireshark), but for some reason Firefox queries 127.0.0.1 instead of the IP of the DNS server (let's call it 1.2.3.4).

I'm using Ubuntu 22.04 with Gnome and I've installed resolvconf.service with the following /etc/resolvconf/resolv.conf.d/resolv.conf contents:

nameserver 1.2.3.4
nameserver 1.1.1.1

What I've tried so far:

  1. Disabling DoH
  2. Clearing Firefox's DNS cache
  3. Updating and reinstalling Firefox

I'm not entirely sure why:

  1. Firefox queries 127.0.0.1 while other tools query 1.2.3.4
  2. Even if it queries 127.0.0.1, why systemd-resolved doesn't redirect/point the query to 1.2.3.4
parsley72 • 1,106
gmelodie • 121

2 Answers

1

Assuming your local DNS (bind9) is on 127.0.0.1 (tcp 53, udp 53)

Firefox and other browsers now look for DNS resolution on 127.0.0.53 port 53

So in IP tables it's simple to redirect this:

(advanced policy firewall, change $IPT to iptables for other configs)

$IPT -t nat -A OUTPUT -d 127.0.0.53 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53

$IPT -t nat -A OUTPUT -d 127.0.0.53 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53

For my system (Ubuntu 24.0 something) I had to move /etc/resolv.conf to /etc/resolv.backup and then run the command

ln -s

to link /etc/resolv.conf to /usr/lib/systemd/resolv.conf

#man ln

I then changed /usr/lib/systemd/resolv.conf to

nameserver 127.0.0.1 (because I run bind9 as my local system resolver)

0

TL;DR

You have to have these lines in your /etc/systemd/resolved.conf (where 1.2.3.4 is your own DNS server and 1.1.1.1 is a fallback)

[Resolve]
DNS=1.2.3.4 1.1.1.1
DNSStubListener=yes
DNSStubListenerExtra=udp:127.0.0.1:53

Explanation

Firefox (at least right now) queries 127.0.0.1:53 whereas systemd-resolved listens on 127.0.0.53:53. The DNSStubListenerExtra line in the config file above will make systemd-resolved also listen on 127.0.0.1:53.

You can also use iptables to redirect 127.0.0.1:53 to 127.0.0.53:53:

sudo iptables -t nat -A OUTPUT -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination 127.0.0.53:53
gmelodie • 121
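A quick way to verify the fix from the TL;DR above before restarting anything is to parse the resolved.conf file and check whether the stub listener actually covers 127.0.0.1:53, then compare with the sockets really bound on the host. This is an added example, not code from either answer; the two sample config files are constructed here, and `/etc/systemd/resolved.conf` is what you would pass in on a real system.

```shell
#!/bin/sh
# Does a resolved.conf-style file make systemd-resolved answer on
# 127.0.0.1:53, the endpoint Firefox queries? Added example; the sample
# configs are constructed, pass /etc/systemd/resolved.conf for the real one.

# Print every value assigned to KEY in [Resolve], space separated
# (repeated DNSStubListenerExtra= lines accumulate, as in systemd).
resolve_key() {
  awk -v key="$1" '
    /^[ \t]*\[/ { in_resolve = ($0 ~ /^[ \t]*\[Resolve\]/) }
    in_resolve && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); vals = vals (vals ? " " : "") $0
    }
    END { print vals }' "$2"
}

# Exit 0 only when the stub is enabled and DNSStubListenerExtra names
# 127.0.0.1 on port 53 (the default when no port is given).
stub_covers_127_0_0_1() {
  case "$(resolve_key DNSStubListener "$1")" in
    no|false|0|off) return 1 ;;
  esac
  for entry in $(resolve_key DNSStubListenerExtra "$1"); do
    entry=${entry#udp:}; entry=${entry#tcp:}   # strip protocol prefix
    case "$entry" in 127.0.0.1|127.0.0.1:53) return 0 ;; esac
  done
  return 1
}

# Live check on the running host: loopback UDP sockets holding port 53
# (ss prints e.g. "127.0.0.53%lo:53" for the default stub).
loopback_dns_listeners() {
  ss -Hlun 2>/dev/null | awk '{ print $4 }' |
    grep -E '^127\.0\.0\.[0-9]+(%[^:]+)?:53$' | sort -u
}

# Constructed samples: the TL;DR config above, and a stock file with
# every directive still commented out.
FIXED_CONF=$(mktemp); DEFAULT_CONF=$(mktemp)
printf '%s\n' '[Resolve]' 'DNS=1.2.3.4 1.1.1.1' 'DNSStubListener=yes' \
  'DNSStubListenerExtra=udp:127.0.0.1:53' > "$FIXED_CONF"
printf '%s\n' '[Resolve]' '#DNS=' '#DNSStubListener=yes' \
  '#DNSStubListenerExtra=' > "$DEFAULT_CONF"

for f in "$FIXED_CONF" "$DEFAULT_CONF"; do
  if stub_covers_127_0_0_1 "$f"; then echo "$f: 127.0.0.1:53 covered"
  else echo "$f: Firefox's 127.0.0.1:53 queries would go unanswered"; fi
done
```

After `systemctl restart systemd-resolved`, `loopback_dns_listeners` should list both 127.0.0.53:53 and 127.0.0.1:53; if only the first appears, the extra listener was not applied.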