Debugging DNS in Ubuntu
DNS (Domain Name System) issues can disrupt network connectivity and service access in any homelab environment. This guide provides a structured troubleshooting workflow for DNS problems on Ubuntu systems, covering common symptoms like DNS timeouts, SERVFAIL responses, and resolution inconsistencies.
Diagnosing DNS Issues
1. Check DNS Servers Provided by DHCP or Static Config
resolvectl status
cat /etc/resolv.conf
nmcli device show <interface-name> | grep DNS
sudo cat /var/lib/dhcp/dhclient.<interface-name>.leases
- Confirm which DNS servers your system uses.
- Link-specific DNS servers from DHCP take precedence over global ones.
2. Identify DNS Resolver Status
Check systemd-resolved service health:
sudo systemctl status systemd-resolved
resolvectl status
- Ensure the service is active.
- Verify that /etc/resolv.conf points to stub-resolv.conf managed by systemd.
3. Test DNS Queries with dig and nslookup
- Test exact DNS resolution:
dig example.com
nslookup example.com
- To specify the DNS server explicitly:
dig @8.8.8.8 example.com
nslookup example.com 1.1.1.1
- Try forcing TCP to avoid UDP fragmentation issues:
dig example.com +tcp
dig @8.8.8.8 example.com +tcp
- Use +trace to follow the recursive resolution path:
dig +trace example.com
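- dig keeps no cache of its own and has no +no-cache option. To bypass the local systemd-resolved cache, send the query straight to an upstream server:
dig @8.8.8.8 example.com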
4. Interpret Common DNS Response Codes
- NOERROR: Successful response.
- SERVFAIL: Server failure, often due to misconfiguration, DNSSEC validation failure, or upstream server issues.
- NXDOMAIN: Domain does not exist.
5. Flush DNS Cache
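Clear the local DNS cache to avoid stale entries (use whichever of the first two commands your release provides):
sudo systemd-resolve --flush-caches   # older releases; systemd-resolve was later replaced by resolvectl
sudo resolvectl flush-caches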
sudo systemctl restart systemd-resolved
If using other resolvers:
sudo systemctl restart nscd
sudo systemctl restart dnsmasq
6. Check Firewall and Network
- Verify that port 53 UDP/TCP traffic is not blocked locally or by a network firewall:
sudo ufw status
sudo iptables -L -v -n
- Ping DNS servers to verify reachability:
ping 8.8.8.8
ping 1.1.1.1
7. Verify DNSSEC Settings
- Sometimes DNSSEC causes resolution failures.
Temporarily disable DNSSEC:
sudo nano /etc/systemd/resolved.conf
# Set DNSSEC=no under [Resolve]
sudo systemctl restart systemd-resolved
Test for DNSSEC validation failures (+sigchase is obsolete in current dig releases, so use +dnssec on its own):
dig +dnssec example.com
8. Check for Conflicting Services
- Ensure that no conflicting DNS daemons such as dnsmasq or unbound are interfering:
sudo systemctl status dnsmasq
sudo systemctl stop dnsmasq
sudo systemctl disable dnsmasq
Common Causes & Solutions
Problem | Possible Cause | Solution |
---|---|---|
DNS queries time out | systemd-resolved not running | Restart/start systemd-resolved |
SERVFAIL on queries | DNSSEC or upstream problem | Disable DNSSEC temporarily, test upstream |
Wrong DNS servers used | Router DHCP overrides DNS | Check router DHCP DNS settings |
DNS cache stale | Cached old entries | Flush DNS cache |
UDP query failures | Packet fragmentation issues | Use TCP for DNS queries |
Multiple DNS services running | Conflicting daemon on port 53 | Disable non-essential DNS services |
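The dig checks from steps 3, 4, 6 and 7 can be combined into one triage result that maps onto the table above. This is an added example, not part of the original guide: the function names are hypothetical, the upstream defaults to the 8.8.8.8 used earlier, and the two sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Function names are hypothetical.

# Print the RCODE found in dig output on stdin, or TIMEOUT when there is no
# reply header (dig prints no ->>HEADER<<- line if no server answered).
rcode_of() {
  local s
  s=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z0-9]*\),.*/\1/p' | head -n 1)
  printf '%s\n' "${s:-TIMEOUT}"
}

# classify STUB UDP TCP CD: RCODEs seen via the system resolver, the upstream
# over UDP, the upstream over TCP, and the upstream with checking disabled.
classify() {
  local stub="$1" udp="$2" tcp="$3" cd="$4"
  if [ "$stub" = NOERROR ]; then echo ok
  elif [ "$udp" = TIMEOUT ] && [ "$tcp" = TIMEOUT ]; then echo upstream-unreachable
  elif [ "$udp" = TIMEOUT ]; then echo udp-only-failure
  elif [ "$udp" = SERVFAIL ] && [ "$cd" = NOERROR ]; then echo dnssec-validation
  elif [ "$udp" = SERVFAIL ]; then echo upstream-servfail
  elif [ "$udp" = NXDOMAIN ]; then echo nxdomain
  elif [ "$udp" = NOERROR ]; then echo local-resolver
  else echo unknown
  fi
}

# Run the four probes for NAME against an upstream and print the verdict.
# Needs dig and network access; nothing in this file calls it automatically.
dns_triage() {
  local name="$1" up="${2:-8.8.8.8}" stub udp tcp cd
  stub=$(dig +time=2 +tries=1 "$name" 2>&1 | rcode_of)
  udp=$(dig +time=2 +tries=1 "@$up" "$name" 2>&1 | rcode_of)
  tcp=$(dig +time=2 +tries=1 "@$up" "$name" +tcp 2>&1 | rcode_of)
  cd=$(dig +time=2 +tries=1 "@$up" "$name" +cdflag 2>&1 | rcode_of)
  echo "stub=$stub udp=$udp tcp=$tcp cd=$cd => $(classify "$stub" "$udp" "$tcp" "$cd")"
}

# Constructed sample lines in the shape dig prints, for offline checks.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
```

Source the file and run dns_triage example.com. A dnssec-validation verdict means the upstream returned SERVFAIL but answered once checking was disabled, and local-resolver means the upstream answers while the system resolver does not (service down, stale cache, or a conflicting daemon).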
Router DNS Override
Many routers override client DNS settings via DHCP. To verify or change:
- Access router admin: http://<gateway-ip>
- Locate DHCP/DNS settings.
- Check/set primary and secondary DNS servers.
- Save changes and restart router if needed.
- Renew client DHCP lease:
sudo dhclient -r
sudo dhclient
Advanced Tips
- Inspect detailed logs when needed:
journalctl -u systemd-resolved
journalctl -u NetworkManager