
I have an Ubuntu machine with a network namespace (ns1) connected to the host network namespace via veth. I created a MASQUERADE rule in iptables to access the internet and I can ping 8.8.8.8 from the network namespace.

When I do dig google.com from the host, it works and I see in the main interface:

08:03:02.376478 IP 10.0.10.40.51566 > 10.0.10.2.53: 48449+ [1au] A? google.com. (39)
08:03:02.378335 IP 10.0.10.2.53 > 10.0.10.40.51566: 48449 1/0/1 A 216.58.204.110 (55)

However, when I execute dig in the network namespace: sudo ip netns ns1 dig google.com, it does not work and this is what I see in the main interface of the host:

08:03:09.033958 IP 10.0.10.40.50888 > 10.0.10.2.53: 32798+ [1au] A? ip-10-0-10-40.eu-west-3.compute.internal. (69)
08:03:09.034152 IP 10.0.10.40.36297 > 10.0.10.2.53: 43961+ [1au] AAAA? ip-10-0-10-40.eu-west-3.compute.internal. (69)
08:03:09.034460 IP 10.0.10.2.53 > 10.0.10.40.50888: 32798 NXDomain 0/1/1 (144)
08:03:09.034460 IP 10.0.10.2.53 > 10.0.10.40.36297: 43961 NXDomain 0/1/1 (144)
08:03:09.034559 IP 10.0.10.40.50888 > 10.0.10.2.53: 32798+ A? ip-10-0-10-40.eu-west-3.compute.internal. (58)
08:03:09.034639 IP 10.0.10.40.36297 > 10.0.10.2.53: 43961+ AAAA? ip-10-0-10-40.eu-west-3.compute.internal. (58)
08:03:09.034837 IP 10.0.10.2.53 > 10.0.10.40.50888: 32798 NXDomain 0/1/0 (133)
08:03:09.034906 IP 10.0.10.2.53 > 10.0.10.40.36297: 43961 NXDomain 0/1/0 (133)

Why is the request coming from the network namespace not trying to resolve the hostname google.com but the hostname ip-10-0-10-40.eu-west-3.compute.internal? The latter is apparently the hostname of my Ubuntu machine.

EDIT

If I stop systemd-resolve and add the upstream nameserver, it works. Therefore, it must be an issue with systemd-resolve.

mosquetero
  • Use the FQDN `google.com.`. A FQDN always ends with a `.`! Not using a FQDN means you are using a relative domain name, which might be in your case `google.com.yourlocaldomain.` – paladin Apr 13 '22 at 12:13
  • Note that it does not look for `google.com.yourlocaldomain`; there is no google at all. I tried with the dot and same result – mosquetero Apr 13 '22 at 15:04
  • Then your DNS server is not resolving recursive. *bind9* DNS server has to be enabled to resolve recursive in its newer versions. – paladin Apr 13 '22 at 18:27

1 Answer


systemd-resolve will rewrite your DNS to point to it on 127.0.0.53 by default. It isn't reachable in the namespace you created so DNS lookups fail.

Try using dig google.com. @1.1.1.1 and it should work, whether systemd-resolve is running or not.

Ginnungagap
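A check for the situation the answer describes, added here and not part of the original thread: it flags a resolv.conf whose nameservers are all on 127.0.0.0/8 (systemd-resolved's stub listens on 127.0.0.53, and loopback is separate per network namespace, so that address does not exist inside ns1), and it writes a per-namespace resolv.conf under /etc/netns/NAME, which `ip netns exec` bind-mounts over /etc/resolv.conf inside that namespace. The namespace name ns1 and the upstream 10.0.10.2 come from the question; the function names and the sample resolv.conf are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original post: detect a resolv.conf that only
# points at loopback resolvers (unreachable from inside a namespace) and
# generate a per-namespace resolv.conf for ip netns exec to bind-mount.

# Read resolv.conf text on stdin. Return 0 when there is at least one
# nameserver line and every nameserver is a 127.x.x.x address, meaning DNS
# from a namespace with its own loopback would go nowhere.
resolv_conf_is_loopback_only() {
  awk '
    $1 == "nameserver" { total++; if ($2 ~ /^127\./) loop++ }
    END { exit !(total > 0 && total == loop) }
  '
}

# Write a resolv.conf for namespace $1 naming upstream server $2 under the
# base directory $3 (default /etc/netns, the tree ip netns exec mounts from).
# Needs root when writing to the real /etc/netns.
write_netns_resolv_conf() {
  ns="$1"; upstream="$2"; base="${3:-/etc/netns}"
  mkdir -p "$base/$ns" || return 1
  printf 'nameserver %s\n' "$upstream" > "$base/$ns/resolv.conf"
}

# Constructed sample of the stub-resolver resolv.conf systemd-resolved manages.
SAMPLE_STUB_RESOLV_CONF='nameserver 127.0.0.53
options edns0
search eu-west-3.compute.internal'

# Example run: report the problem and create the ns1 override.
if printf '%s\n' "$SAMPLE_STUB_RESOLV_CONF" | resolv_conf_is_loopback_only; then
  echo "resolv.conf only lists loopback resolvers; unreachable from ns1"
  # write_netns_resolv_conf ns1 10.0.10.2   # uncomment to write /etc/netns/ns1
fi
```

After writing the override, `ip netns exec ns1 cat /etc/resolv.conf` should show the upstream server, and dig in the namespace no longer needs `@1.1.1.1`.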