systemd version the issue has been seen with
systemd 244 (244.1-1-arch)
Used distribution
Arch Linux
Expected behaviour you didn't see
AdGuard DNS works with DNSOverTLS=yes.
Unexpected behaviour you saw
AdGuard DNS does not work with DNSOverTLS=yes.
Steps to reproduce the problem
In /etc/systemd/resolved.conf:
[Resolve]
DNS=176.103.130.130 176.103.130.131 2a00:5a60::ad1:0ff 2a00:5a60::ad2:0ff
DNSOverTLS=yes
Domains=~.
Attempting resolvectl query example.com results in
example.com: resolve call failed: All attempts to contact name servers or networks failed
Note that the following configuration works fine:
[Resolve]
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
DNSOverTLS=yes
Domains=~.
Seems like it is probably something on the AdGuard DNS side of things, but they believe it is an issue with systemd-resolved, so I have posted here.
Also attached are packet captures for the Cloudflare and AdGuard DNS queries: pcaps.zip.
Looking at some of the previous issues with DNSOverTLS this pcap looks familiar, but I believe that the supposed issues were fixed in https://github.com/systemd/systemd/pull/13809.
/cc @irtimmer
The certificate of the AdGuard DNS server seems to be valid only for *.adguard.com and not for the IP addresses. As it's currently not possible to specify the host name for a DNS server in systemd, only opportunistic mode is supported in this case.
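The comment above describes the actual failure: a DNS-over-TLS client that only knows the server's IP address can validate the certificate only if it carries a matching IP SAN, whereas a certificate like AdGuard's (DNS SAN *.adguard.com only) needs a configured hostname. The following added example (not systemd code, written for this thread) reproduces that check over two constructed certificates in the shape Python's ssl.getpeercert() returns; the hostname dns.adguard.com and the IP-SAN resolver certificate are assumptions, not values taken from the thread.

```python
import ipaddress
from typing import Optional

# Constructed sample certificates in the shape returned by ssl.SSLSocket.getpeercert().
# ADGUARD_CERT mirrors the thread's finding (a wildcard DNS SAN and no IP SAN);
# IP_SAN_CERT is a constructed example of a resolver certificate that also lists its IPs.
ADGUARD_CERT = {"subjectAltName": (("DNS", "*.adguard.com"),)}
IP_SAN_CERT = {"subjectAltName": (("DNS", "resolver.example"),
                                  ("IP Address", "1.1.1.1"),
                                  ("IP Address", "2606:4700:4700::1111"))}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only replace the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _ip_matches(san_ip: str, address: str) -> bool:
    """Compare as parsed addresses so IPv6 spelling differences do not matter."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(address)
    except ValueError:
        return False


def strict_dot_usable(cert: dict, address: str, hostname: Optional[str] = None) -> bool:
    """True if a DoT client could validate `cert` for this server in strict mode.

    Without a hostname the client can only look for an IP SAN matching `address`
    (the situation in this thread, where resolved.conf lists bare IPs); with a
    hostname it can also accept a matching DNS SAN, as described in RFC 8310.
    """
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and _ip_matches(value, address):
            return True
        if hostname and kind == "DNS" and _dns_name_matches(value, hostname):
            return True
    return False


def dot_mode(cert: dict, address: str, hostname: Optional[str] = None) -> str:
    """Which DNSOverTLS= setting can succeed: 'yes' (strict) or 'opportunistic'."""
    return "yes" if strict_dot_usable(cert, address, hostname) else "opportunistic"
```

Run against the constructed data, the AdGuard certificate yields "opportunistic" for the bare address and "yes" only once an assumed hostname is supplied, which is exactly the limitation the comment describes.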
Sounds good and thanks for the help. Hopefully support will be added for specifying the hostname or one of the other verification methods specified in the RFC soon!