Problem
- Sudden DNS failure
- resolvectl query works (it talks to systemd-resolved over D-Bus, not through the 127.0.0.53 stub listener)
$ resolvectl query xxx.net
xxx.net: xxx.xxx.xxx.xxx -- link: eno1
- dig, which sends its query to the stub listener on 127.0.0.53, gets SERVFAIL
$ dig xxx.net
; <<>> DiG 9.16.1-Ubuntu <<>> xxx.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17132
;; flags: qr rd ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Mar 02 10:31:00 UTC 2023
;; MSG SIZE rcvd: 12
Debug
- systemd-resolved logs a “Got packet on unexpected IP range, refusing” error every time a query reaches the stub listener (e.g., every dig run)
$ sudo journalctl -u systemd-resolved -f
-- Logs begin at Mon 2023-02-20 10:04:34 UTC. --
Mar 02 10:44:30 login systemd-resolved[1505]: Got packet on unexpected IP range, refusing.
Mar 02 10:44:30 login systemd-resolved[1505]: Got packet on unexpected IP range, refusing.
Mar 02 10:44:30 login systemd-resolved[1505]: Got packet on unexpected IP range, refusing.
- Our server has an SNAT setup (192.168.0.0/24 is NATed out through eno1), so that might be the reason. The two threads below describe the same symptom together with an iptables MASQUERADE rule.
- https://unix.stackexchange.com/questions/466105/iptables-masquerade-breaks-dns-lookups
- https://www.reddit.com/r/linuxadmin/comments/g935ki/systemdresolved_and_iptables_masquerading/
- Note: iptables -t nat -L hides the in/out interface columns; iptables -t nat -S POSTROUTING (or -L -v) prints the exact rules, which is what a later -D has to match.
$ sudo iptables -t nat -L
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:XXX.XXX.XXX.XXX
MASQUERADE all -- anywhere anywhere
Solution
- I deleted both rules and re-added only the SNAT rule, and it suddenly works… Maybe MASQUERADE was the problem? That rule had no -s or -o restriction, so it matched every packet leaving on any interface, loopback included; per the threads above, the stub queries from dig to 127.0.0.53 then get their source rewritten to a non-loopback address, which is exactly what resolved refuses with that log line. If MASQUERADE is really needed, pinning it to the WAN interface (-o eno1) instead of dropping it should avoid the problem.
$ sudo iptables -t nat -D POSTROUTING -s 192.168.0.0/24 -o eno1 -j SNAT --to-source PUBLIC_IP
$ sudo iptables -t nat -D POSTROUTING -j MASQUERADE
$ sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eno1 -j SNAT --to-source PUBLIC_IP
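As an added example (not part of the original note), the check below reads the nat POSTROUTING chain in the format iptables -t nat -S prints, flags every SNAT/MASQUERADE rule that is not pinned to an outgoing interface, and prints the delete/re-add commands that restrict it to the WAN interface instead of removing it. The rule lines and the 203.0.113.10 address are constructed sample data; the interface name eno1 is taken from the note, and nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example: audit the nat POSTROUTING chain for SNAT/MASQUERADE rules
# that lack an "-o <iface>" match. Such a rule also matches locally generated
# packets leaving via lo, including queries to systemd-resolved's stub
# listener on 127.0.0.53, which is the failure mode described in the note.
#
# Input is the format of `iptables -t nat -S POSTROUTING`; -S is used rather
# than -L because it reproduces the rule exactly as -D must be given it.

# unrestricted_nat_rules: read -S lines on stdin, print every SNAT/MASQUERADE
# rule that has no "-o <iface>" restriction.
unrestricted_nat_rules() {
    awk '/-j (MASQUERADE|SNAT)/ && $0 !~ / -o [^ ]+/ { print }'
}

# fixed_rule RULE IFACE: print the two commands that delete RULE as it is and
# re-add it pinned to IFACE. Pure string handling; nothing is executed.
fixed_rule() {
    rule="$1"               # e.g. "-A POSTROUTING -j MASQUERADE"
    iface="$2"              # e.g. "eno1"
    body="${rule#-A }"      # drop the leading "-A "
    chain="${body%% *}"     # "POSTROUTING"
    match="${body#* }"      # everything after the chain name
    printf 'iptables -t nat -D %s %s\n' "$chain" "$match"
    printf 'iptables -t nat -A %s -o %s %s\n' "$chain" "$iface" "$match"
}

# Constructed sample output (203.0.113.10 is a documentation address), mirroring
# the note's chain: a pinned SNAT rule plus an unrestricted MASQUERADE rule.
SAMPLE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -o eno1 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -j MASQUERADE'

# On a real host replace the sample with:
#   sudo iptables -t nat -S POSTROUTING | unrestricted_nat_rules
printf '%s\n' "$SAMPLE" | unrestricted_nat_rules | while IFS= read -r r; do
    echo "unrestricted NAT rule: $r"
    fixed_rule "$r" eno1
done
```

The audit only flags rules with no out-interface match; an SNAT rule that limits the source range but omits -o is still reported, because the source match alone does not keep it off loopback traffic.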