8

I'm running Mint MATE 17.2.

When I use dig, for a certain specific domain name, the resolved IP "answer" is wrong, and the answer server is 127.0.0.1.

Trying to access this domain from my local computer via ssh, a web browser, etc., also resolves to the wrong IP.

DNS lookup using online tools or other computers works correctly.

Something on the local machine is intercepting the request and returning a wrong cached result. I have looked at various caching programs, but I don't think I have any installed or configured.

The IP address being returned is the old IP and the master DNS records were changed over a year ago.

How do I determine what program is intercepting DNS locally and disable it so I can have this domain resolve correctly on my computer?

/etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
Rui F Ribeiro
Nick
  • Add the contents of /etc/resolv.conf. Also, are you certain that you're not running a local DNS server such as bind? – DopeGhoti May 29 '16 at 05:28
  • I added resolv.conf above. bind or bind9 is not in /etc/init.d so I assume it's not installed. – Nick May 29 '16 at 07:00
  • @DopeGhoti must be resolvconf or dnsmasq. – Rui F Ribeiro May 29 '16 at 07:01
  • resolvconf is in init.d. dnsmasq is not installed. Still not sure where resolvconf is getting its info from though, since there's nothing set in resolv.conf or /etc/hosts. – Nick May 29 '16 at 07:12
  • 1
    what is the output of sudo netstat -anlp | grep :53? – Rui F Ribeiro May 29 '16 at 07:13
  • Please add what kind of domains are giving you trouble. .local by chance? Also check for avahi* packages, please. – Rui F Ribeiro May 29 '16 at 07:21
  • There are avahi-daemon entries in netstat -anlp | grep :53. The domain is a publicly registered .com domain with public DNS records. The domain resolves properly on other computers. – Nick May 29 '16 at 07:24

1 Answer

7

Resolvconf is pointing to local software running on port 53 on the local machine.

To find out which one:

sudo netstat -anlp | grep :53

As we have found out, it is the avahi daemon.

To trace DNS resolution, the following command is also useful:

dig +trace www.cnn.com

If you want to control your DNS settings yourself, especially in server cases (I have noticed you said Mint), I would recommend doing away with resolvconf.

You can uninstall it with:

dpkg --purge resolvconf

Then, if you got the IP via DHCP leave it as it is, otherwise fill in your DNS servers in /etc/resolv.conf.

If you are also not interested in mDNS resolution, or are in a corporate network, I recommend uninstalling avahi.

In desktop settings, it may be advisable either to reboot or restart all services. I would at least restart networking with service networking restart.

The Avahi mDNS/DNS-SD daemon implements Apple's Zeroconf architecture (also known as "Rendezvous" or "Bonjour"). The daemon registers local IP addresses and static services using mDNS/DNS-SD and provides two IPC APIs for local programs to make use of the mDNS record cache the avahi-daemon maintains.

In a work setting, it may also be interesting to follow up, at the network level, on which servers/workstations are announcing mDNS records, and whether they are strictly necessary. I would bet some lost hosts file or some old server setting is propagating your old IP address via mDNS.

You may also listen to mDNS packets on the local network with:

sudo tcpdump -n udp port 5353

From mDNS

The multicast Domain Name System (mDNS) resolves host names to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as the unicast Domain Name System (DNS). Although Stuart Cheshire designed mDNS to be stand-alone capable, it can work in concert with unicast DNS servers.

Rui F Ribeiro
  • 2
    Thanks for your help. The erroneous entry was coming from the router, which has its own DNS server built in. Once I disabled resolvconf on my computer, dig showed the router's IP, not the loopback IP, as the source of the bad records. It's a shame resolvconf hides the true source of the records from dig. – Nick May 29 '16 at 08:04
  • I allow neither resolvconf nor avahi services on my servers at work and my Linux router at home. Usually SOHO router DNS services are slow... better to have a dedicated Linux DNS server/cache. – Rui F Ribeiro May 29 '16 at 08:12
  • As for the router, the old entry was put there by hand, right? – Rui F Ribeiro May 29 '16 at 13:03
  • 1
    Yes, it was manually added a long time ago. – Nick May 29 '16 at 14:34
  • But with Ubuntu/Mint, dpkg --purge resolvconf tells you ubuntu-minimal depends on resolvconf. – einpoklum Mar 09 '17 at 21:13
  • Ubuntu or Mint? Apparently it solved the OP's problem. At least in Debian I have been able to do it for years (in Debian 9 now). Would it be worth filing a bug with Ubuntu? – Rui F Ribeiro Mar 09 '17 at 21:33
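
The checks discussed in this thread, as an added example that is not part of the original posts: it reads the nameserver from resolv.conf, flags a loopback forwarder, and lists only sockets bound to port 53 exactly, since a plain `grep :53` also matches mDNS on port 5353. The function names, the script name `dnswho.sh`, the sample netstat lines and the placeholder domain and resolver are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find which local program answers DNS for the stub resolver.

# Print the nameserver addresses from a resolv.conf-format file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Succeed if the address is loopback, i.e. a local forwarder or cache
# sits between dig and the server that really produced the answer.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `netstat -anlp` output on stdin; print "local_addr pid/program"
# for sockets bound to port 53 exactly (":53$"), skipping :5353 (mDNS).
listeners_on_53() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /:53$/ {
        for (i = 5; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { print $4, $i; break }
    }'
}

# Constructed sample of netstat output (not captured from the asker's machine).
sample_netstat() {
    cat <<'EOF'
tcp   0  0 127.0.1.1:53     0.0.0.0:*   LISTEN   1412/dnsmasq
udp   0  0 127.0.1.1:53     0.0.0.0:*            1412/dnsmasq
udp   0  0 0.0.0.0:5353     0.0.0.0:*            702/avahi-daemon: r
udp   0  0 0.0.0.0:53535    0.0.0.0:*            702/avahi-daemon: r
EOF
}

# Live mode: ./dnswho.sh --live example.com 192.0.2.53
# (domain and reference resolver are placeholders you supply).
if [ "${1:-}" = "--live" ]; then
    for ns in $(nameservers); do
        is_loopback "$ns" && echo "$ns is loopback: a local forwarder answers first"
        echo "via $ns: $(dig +short "@$ns" "$2" | tr '\n' ' ')"
    done
    echo "via $3: $(dig +short "@$3" "$2" | tr '\n' ' ')"
    sudo netstat -anlp | listeners_on_53
else
    sample_netstat | listeners_on_53
fi
```

Without arguments the script only parses the constructed sample; a differing answer between the loopback nameserver and the reference resolver in live mode points at a stale record somewhere upstream of the local forwarder.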