Fedora and fallback DNS servers

Posted Feb 28, 2021 23:51 UTC (Sun) by gnu_lorien (subscriber, #44036)
In reply to: Fedora and fallback DNS servers by pmb00cs
Parent article: Fedora and fallback DNS servers

I tried to figure out exactly how many times I've had to manually set up fallback DNS because of some DNS problem in the servers that were provided for me by my network operator. I think it's at least once a year. It doesn't seem like a very high rate, but it is high enough that I've memorized the Google public DNS addresses so that I can quickly switch to them without needing another connected device. In each of these situations I was a very technical user who had no control over the remote machines. The only machine I had control over was mine.

I've been on corporate networks where this happened. I contacted the IT people who could fix the DNS and waited until I got a response to my ticket before I switched back to the internal DNS.

At least two times that I remember this happened on hotel networks. I never told them about it and certainly wasn't going to wait and hope that a hotel network was going to get fixed in any timely manner.

In each of these cases there were at least one of the following things that saved me:
- I had another device to use
- I had the alternative DNS addresses memorized
- I knew how to change the DNS that had been given to me by the network

If I hadn't had one of these three things then it wouldn't have been an inconvenience, it would have been completely broken. The fallback of using a custom DNS setting has worked for me over and over again. Enough that I have memorized these addresses.

I'm a living counter-example to the idea that the fallbacks are useless or that the problem of bad DNS is both rare and only an inconvenience. Even if the occurrence rate I mentioned here is considered rare I would have remained completely broken if not either for applying the same fallback that systemd-resolved seems to apply or switching to a different device.

I'm curious if you've ever been in the situation where you needed to try a DNS fallback. I'm curious why it didn't work or help you resolve the situation.

Fedora and fallback DNS servers

Posted Mar 1, 2021 2:55 UTC (Mon) by pabs (subscriber, #43278) [Link]

I remember using 4.2.2.2 in similar situations back in 2007.

Since then I switched to doing recursive DNS resolution on my laptop with a local unbound daemon, but that just introduced more issues. Networks where recursive resolving is too slow to work, ISPs that block outgoing DNS queries except to their own resolver, ISPs that strip DNSSEC results and so on.

Perhaps the right thing to do is to move the fallback DNS servers into the network configuration settings. Then when you have issues on a particular network you just reconfigure the corresponding network connection to choose one of the available public DNS servers. You could probably do better though; if systemd-resolved detects DNS server issues (an ISP known to sell your data, a country without privacy regulation, DNS servers that don't support DoT/DoH, broken resolution, stripping DNSSEC, etc) it can prompt the user in the GUI and give them the option to switch the configuration for the current network to one of the several different public resolvers, with information about their country of origin, countries of deployment, privacy policies etc.

Fedora and fallback DNS servers

Posted Mar 1, 2021 8:15 UTC (Mon) by pmb00cs (subscriber, #135480) [Link] (2 responses)

I can't remember the last time I have had to manually set DNS on an end device (server or client). It's not that I haven't had network issues, but network issues get fixed at the network level. Sometimes that has been by me, on my network, sometimes that has been by others on their network.

When I have had to set DNS settings manually on end devices I've had mixed results. Sometimes it would have worked, and I carried on. Sometimes it would not, and I'd need to find another solution, or live without a network connection until the responsible party could fix it. This included in at least one case a public network with a captive portal that was so broken that I resolved the DNS issue but couldn't then connect to anything. (I know tunnelling over DNS is possible, but I have never actually tried it)

As to your hotel networks, if you didn't tell them about it, how do you expect them to fix it at all? They may not have fixed it in a timely manner, but it may have helped the next person with the same issue?

Fedora and fallback DNS servers

Posted Mar 1, 2021 11:25 UTC (Mon) by pizza (subscriber, #46) [Link]

> As to your hotel networks, if you didn't tell them about it, how do you expect them to fix it at all?

Oh, that's easy; Linux isn't listed under "supported systems"

Fedora and fallback DNS servers

Posted Mar 1, 2021 19:14 UTC (Mon) by gnu_lorien (subscriber, #44036) [Link]

"When I have had to set DNS settings manually on end devices I've had mixed results. Sometimes it would have worked, and I carried on"

This is the case that sytemd-resolved is implementing automatically for people that don't know how to set these manually or don't know which values to try.

"As to your hotel networks, if you didn't tell them about it, how do you expect them to fix it at all?"

That's not my problem. It's not my network. I'm not responsible for it.

"They may not have fixed it in a timely manner, but it may have helped the next person with the same issue?"

That's not my problem either. In this case I might suggest those other users use a GNU/Linux system with the default configured systemd-resolved fallbacks so that they're not at the whims of the broken DNS of a captive portal.

In the captive portal situation especially the economic incentive is the other way around. Any time I have to spend debugging their network and reporting this is time that I spent on their behalf where I'm paying them to fix their network. I happily give my labor free of charge to free systems. Proprietary ones do not get this privilege.