systemd-resolved prefers secondary DNS server to Adguard #7759

Wuerger · 2025-04-10T20:08:50Z

Wuerger
Apr 10, 2025

System: Ubuntu 24.10
Adguard in Docker v0.107.59

I am experiencing a weird issue with systemd-resolved. My pfSense router is my DHCP server and provides two DNS servers to clients. DNS 1 is Adguard (172.16.1.15) and DNS 2 (172.16.1.1) is the router itself.

When the system starts up it is using DNS 1 (Adguard) but after a few minutes always switch over to DNS 2 (router).

This is the initial state of resolved after a restart:

sudo resolvectl show-server-state 
Server: 172.16.1.15                                
                              Type: link
                         Interface: enx00e04d6e38ed
                   Interface Index: 2
            Verified feature level: n/a
            Possible feature level: TLS+EDNS0+DO
                       DNSSEC Mode: no
                  DNSSEC Supported: yes
Maximum UDP fragment size received: 512
               Failed UDP attempts: 0
               Failed TCP attempts: 0
             Seen truncated packet: no
          Seen OPT RR getting lost: no
             Seen RRSIG RR missing: no
               Seen invalid packet: no
            Server dropped DO flag: no
                                                   
Server: 172.16.1.1                                 
                              Type: link
                         Interface: enx00e04d6e38ed
                   Interface Index: 2
            Verified feature level: UDP+EDNS0
            Possible feature level: UDP+EDNS0
                       DNSSEC Mode: no
                  DNSSEC Supported: yes
Maximum UDP fragment size received: 512
               Failed UDP attempts: 0
               Failed TCP attempts: 0
             Seen truncated packet: no
          Seen OPT RR getting lost: no
             Seen RRSIG RR missing: no
               Seen invalid packet: no
            Server dropped DO flag: no

The only thing i can find in the log regarding systemd-resolved is:

april 10 20:21:26 host systemd-resolved[142474]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 172.16.1.15.
april 10 20:32:49 host systemd-resolved[142474]: Closing all remaining TCP connections.
april 10 20:32:49 host systemd-resolved[142474]: Resetting learnt feature levels on all servers.

When the switch has happened this is the server state for resolved:

Server: 172.16.1.15                                
                              Type: link
                         Interface: enx00e04d6e38ed
                   Interface Index: 2
            Verified feature level: UDP
            Possible feature level: UDP
                       DNSSEC Mode: no
                  DNSSEC Supported: no
Maximum UDP fragment size received: 512
               Failed UDP attempts: 1
               Failed TCP attempts: 0
             Seen truncated packet: no
          Seen OPT RR getting lost: yes
             Seen RRSIG RR missing: no
               Seen invalid packet: no
            Server dropped DO flag: no
                                                   
Server: 172.16.1.1                                 
                              Type: link
                         Interface: enx00e04d6e38ed
                   Interface Index: 2
            Verified feature level: UDP+EDNS0
            Possible feature level: UDP+EDNS0
                       DNSSEC Mode: no
                  DNSSEC Supported: yes
Maximum UDP fragment size received: 512
               Failed UDP attempts: 0
               Failed TCP attempts: 0
             Seen truncated packet: no
          Seen OPT RR getting lost: no
             Seen RRSIG RR missing: no
               Seen invalid packet: no
            Server dropped DO flag: no

Somehow systemd-resolved has learned that the Adguard server only supports basic UDP and degraded it. It reports Seen OPT RR getting lost: yes.

When I test with dig it seems both Adguard and pfSense correctly report back with the OPT flag informing what EDNS0 features they support.

Anyone have any idea what is going on?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

systemd-resolved prefers secondary DNS server to Adguard #7759

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

systemd-resolved prefers secondary DNS server to Adguard #7759

Uh oh!

Uh oh!

Wuerger Apr 10, 2025

Replies: 0 comments

Wuerger
Apr 10, 2025