Ubuntu 17.04 systemd-resolved DNS lookups randomly fail



I upgraded to Ubuntu 17.04 and it appears to now have a new DNS resolver mechanism first introduced in Ubuntu 16.10.

I am now getting DNS lookup failures 50% of the time. Every other call to nslookup is failing, with half the calls resolving fine and half giving this:

watch -n 1 nslookup google.com


** server can't find google.com: SERVFAIL

From what I understand, that DNS server IP address is now used to represent systemd-resolved, which does some kind of meta lookup to avoid slower DNS queries (or something...). I am seeing the exact same behavior on two machines I have upgraded to 17.04 in the past week.

Any idea what the problem is here, and the correct way to address it?

Things were working fine before the upgrade (from 16.04 or 16.10, I don't remember which, sorry). I THOUGHT 17.04 was an LTS release but now I see that I jumped the gun and it won't be considered stable until April. So... here I am.

Also of note... browsers don't seem to exhibit problems, but nslookup, ping, git, etc. do.


In my particular case, my /etc/hosts file was a symlink (as I am a fanatic stow user). Systemd HATES this for some reason, and considers it a "permissions failure". Once I replaced the symlink with the actual file, systemd stopped malfunctioning.


Posted 2016-12-05T17:13:26.687

Reputation: 709

2 Tip for the future: Ubuntu versions are the year it will come out . the month it will be released. (So in your case it will be in 04/17) – timotree – 2016-12-05T17:18:49.097

Sounds like systemd-resolved getting crowbarred into distributions is causing other folks trouble too.

– moodboom – 2016-12-08T13:53:43.167



Ubuntu 17.04 cannot resolve DNS servers with DNSSEC support as of 2017-04-18. Disable DNSSEC with this daemon:

sudo mkdir -p /etc/systemd/resolved.conf.d
printf "[Resolve]\nDNSSEC=no\n" | sudo tee /etc/systemd/resolved.conf.d/no-dnssec.conf

Optionally reconfigure resolvconf if you messed with it (say yes to "prepare /etc/resolv.conf for dynamic updates?"):

sudo dpkg-reconfigure resolvconf

Restart systemd-resolved:

sudo systemctl restart systemd-resolved

Your DNS should start working. You can check by trying systemd-resolve www.google.com and seeing a response.

Sajad Bahmani

Posted 2016-12-05T17:13:26.687

Reputation: 989

Thank you for the answer - can you explain what it does? – bertieb – 2017-04-18T10:52:30.520

Ubuntu 17.04 cannot (till here) resolve DNS servers with DNSSEC support. I disable DNSSEC with this daemon. – Sajad Bahmani – 2017-04-18T11:08:03.483

Thanks, can you edit that explanation into your answer? :) – bertieb – 2017-04-18T11:25:56.387

This solution did not work for me - after setting this, still anytime I do a lookup the first time, I get a SERVFAIL error, after a couple of tries it succeeds and then the result is cached. – Guss – 2017-05-11T12:38:26.767

Thank you so much! I recently uploaded Ubuntu 17.04 onto my Dell Inspiron N5110, and after I finished downloading it, the network simply refused to connect. I have looked everywhere, but thanks to you, I won't have to struggle anymore! – Samuel L. – 2017-06-21T03:39:49.367

I know bertieb already asked you to explain, but I'm a beginner, so I'm a bit confused about what you did with the tee command (not quite sure what it is/how to use it; tried man tee, but I didn't really get it), and what exactly does the resolvconf package do? – Samuel L. – 2017-06-21T03:53:47.533

This doesn't solve my problem, Starbucks still gave me a 'domain name not resolved' error. – tribbloid – 2017-07-09T13:13:32.993

1 @SamuelL. regarding tee, it's just a fancy way to print something and send it to a file at the same time. Typically you can redirect output to a file with > [the greater-than character], but then you won't see the output. Tee lets it go to both places. Resolvconf "configures resolve". – moodboom – 2017-09-05T17:23:45.130


I've been switching back and forth between systemd-resolved and manual /etc/resolv.conf management and have not found the systemd DNS resolver mechanism to be stable yet.

There is apparently at least one libnss bug in Ubuntu 16.10 and apparently still in 17.04. There are many people with DNS issues since Ubuntu 16.10 turned on systemd-resolved; here is one analysis and here is another person's workaround. None of them worked for me until I manually overwrote /etc/resolv.conf with Google's DNS servers.

nameserver   << or another if you don't trust google

This is a perfectly valid solution, if you don't need dynamic DNS configuration. Just make sure you stop and disable systemd-resolved:

sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop


Posted 2016-12-05T17:13:26.687

Reputation: 709

Changing to resolvconf did not help my issue, how do I go back to using systemd-resolved? (Thanks) – Edward Moffett – 2017-07-17T14:49:58.370

1 Try: systemctl enable systemd-resolved.service && systemctl start systemd-resolved.service – moodboom – 2017-07-17T15:20:43.110

1 Dude, you just saved ma system !! BRAVO – revolutionary – 2018-01-24T23:54:41.547

Worked fine in 18.04 – André M. Faria – 2019-01-31T12:49:31.920


Ubuntu 17.04 and other distros are embracing systemd, which includes systemd-resolved, which subjects users to a rather heavy-handed DNS resolution.

  • As mentioned in SjB's answer, DNSSEC support can cause issues.
  • systemd-resolved pings all DNS resolvers so it can use the fastest. This can cause problems with VPNs, etc., in more complex environments.
  • DNS server certificates are verified; I've had errors if my clock is skewed.

I don't think it's necessarily a BAD change, it's just a LOT of change. I'll try to update and expand this answer as I learn more.


Posted 2016-12-05T17:13:26.687

Reputation: 709


Put simply, you just need to have the line "DNSSEC=no" in the [Resolve] section of /etc/systemd/resolved.conf.


John Ball

Posted 2016-12-05T17:13:26.687

Reputation: 171

Thanks for the bugfix link. The default will be changed back to DNSSEC=no in upcoming update releases, which will make that particular issue go away. – moodboom – 2017-09-06T14:31:51.960
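The answers above set DNSSEC=no in two different places: a drop-in under /etc/systemd/resolved.conf.d and the main /etc/systemd/resolved.conf. The following is an added example (not code from any poster or from systemd) that reports which value actually wins, so a leftover workaround that keeps validation off is easy to spot later. The function names and the sample tree are constructed for illustration, and only /etc is examined as a simplifying assumption.

```shell
#!/bin/sh
# Added example. effective_dnssec ROOT prints the DNSSEC= value that wins
# under ROOT/etc/systemd. Order: resolved.conf first, then
# resolved.conf.d/*.conf in lexical order; the last assignment inside a
# [Resolve] section takes effect.
# Assumption: only /etc is examined, not /run or /usr/lib drop-ins.
effective_dnssec() {
    root=${1:-}
    main="$root/etc/systemd/resolved.conf"
    set --
    if [ -f "$main" ]; then set -- "$main"; fi
    for f in "$root"/etc/systemd/resolved.conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then echo unset; return 0; fi
    awk '
        FNR == 1      { section = "" }   # every file starts outside any section
        /^[ \t]*[#;]/ { next }           # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); section = $0; next }
        section == "[Resolve]" && /^[ \t]*DNSSEC[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); value = $0
        }
        END { print (value == "" ? "unset" : value) }
    ' "$@"
}

# Constructed sample tree (not taken from a real host): the stock file has
# the setting commented out, the drop-in from the answer turns DNSSEC off.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/resolved.conf.d"
    printf '[Resolve]\n#DNSSEC=allow-downgrade\n' > "$d/etc/systemd/resolved.conf"
    printf '[Resolve]\nDNSSEC=no\n' > "$d/etc/systemd/resolved.conf.d/no-dnssec.conf"
    echo "$d"
}

tree=$(demo_tree)
echo "sample tree: DNSSEC=$(effective_dnssec "$tree")"
echo "this host:   DNSSEC=$(effective_dnssec "")"
rm -rf "$tree"
```

"unset" means no file under /etc assigns DNSSEC=, so the distribution's built-in default applies.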


Just add a name server to /etc/systemd/resolved.conf:

DNS=194.109.xxx.xxx (on your router, external nameserver)

systemctl restart systemd-resolved

no need to change rand from 3 to 2, no need to change dnssec setting to off


Posted 2016-12-05T17:13:26.687

Reputation: 11

Unfortunately this alone doesn't solve the "every-other-request-fails" problem for me. – moodboom – 2017-12-18T15:49:58.413

Agree with @moodboom, this doesn't solve it for me either. – André M. Faria – 2019-01-31T12:33:44.177


I finally determined the source of my specific problem with systemd-resolved. /etc/hosts was a symlink, as I use stow for my dot files. Well... systemd refuses to look at it, giving a "permissions error" (sic). Once I replaced my symlink with a full copy of my /etc/hosts file, systemd was happy again.

Yet another reason to distrust the huge mess that is systemd, IMHO. But we can't go backwards. Full steam ahead.


Posted 2016-12-05T17:13:26.687

Reputation: 709