[GH-ISSUE #114] DNS resolution fails on systems where NSS routes hostname lookups through systemd-resolved (e.g. Arch Linux) #320

New Issue

Open

opened 2026-04-23 01:55:08 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-23 01:55:08 -05:00

Owner

Copy Link

Originally created by @andusystems-dev-0 on GitHub (Apr 21, 2026).
Original GitHub issue: https://github.com/fosrl/olm/issues/114

Symptom

After olm brings up the tunnel, hostname resolution for tunnel-only hostnames silently fails. Direct lookups against the in-tunnel DNS work:

• dig @100.96.128.1 foo.example.internal → correct answer
• getent hosts foo.example.internal → empty
• curl foo.example.internal / browsers → NXDOMAIN / NS_ERROR_UNKNOWN_HOST

Olm logs indicate it thinks everything is fine:

Detected DNS manager: NetworkManager
Using NetworkManager DNS configurator
Set DNS servers: [100.96.128.1]

/etc/resolv.conf is updated as expected:

# Generated by NetworkManager
nameserver 100.96.128.1

Environment

• Arch Linux (and any distro with a similar NSS hosts line)
• systemd-resolved running, but not listed in /etc/resolv.conf
• NetworkManager managing /etc/resolv.conf
• /etc/nsswitch.conf hosts line:

  hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
  

Root cause

On this NSS configuration, the classic dns service that reads /etc/resolv.conf is never consulted:

1. NSS asks resolve (systemd-resolved) first.
2. systemd-resolved has no DNS configured for the pangolin tunnel interface and returns NOTFOUND.
3. [!UNAVAIL=return] halts fallthrough — dns is never tried.

So /etc/resolv.conf is functionally irrelevant on these systems. The actual resolver is systemd-resolved, which must be configured per-interface via D-Bus (org.freedesktop.resolve1.Link.SetDNS + SetDomains + SetDefaultRoute).

Olm's existing SystemdResolvedDNSConfigurator already does exactly that — the bug is in DetectDNSManager (dns/platform/detect_unix.go), which currently returns NetworkManagerManager without checking whether NSS even consults the dns service.

Workaround (confirmed)

sudo resolvectl dns pangolin 100.96.128.1
sudo resolvectl domain pangolin '~<your-internal-domain>'

This is equivalent to what SystemdResolvedDNSConfigurator does via D-Bus.

Proposed fix

In DetectDNSManager, when the file hint is NetworkManagerManager or ResolvconfManager, also inspect /etc/nsswitch.conf. If resolve precedes dns (or dns is absent) and systemd-resolved is running, return SystemdResolvedManager so the D-Bus configurator takes over.

PR incoming.

Originally created by @andusystems-dev-0 on GitHub (Apr 21, 2026). Original GitHub issue: https://github.com/fosrl/olm/issues/114 ### Symptom After `olm` brings up the tunnel, hostname resolution for tunnel-only hostnames silently fails. Direct lookups against the in-tunnel DNS work: - `dig @100.96.128.1 foo.example.internal` → correct answer - `getent hosts foo.example.internal` → empty - `curl foo.example.internal` / browsers → NXDOMAIN / `NS_ERROR_UNKNOWN_HOST` Olm logs indicate it thinks everything is fine: ``` Detected DNS manager: NetworkManager Using NetworkManager DNS configurator Set DNS servers: [100.96.128.1] ``` `/etc/resolv.conf` is updated as expected: ``` # Generated by NetworkManager nameserver 100.96.128.1 ``` ### Environment - Arch Linux (and any distro with a similar NSS hosts line) - systemd-resolved running, but **not** listed in `/etc/resolv.conf` - NetworkManager managing `/etc/resolv.conf` - `/etc/nsswitch.conf` hosts line: ``` hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns ``` ### Root cause On this NSS configuration, the classic `dns` service that reads `/etc/resolv.conf` is never consulted: 1. NSS asks `resolve` (systemd-resolved) first. 2. systemd-resolved has no DNS configured for the `pangolin` tunnel interface and returns NOTFOUND. 3. `[!UNAVAIL=return]` halts fallthrough — `dns` is never tried. So `/etc/resolv.conf` is functionally irrelevant on these systems. The actual resolver is systemd-resolved, which must be configured **per-interface** via D-Bus (`org.freedesktop.resolve1.Link.SetDNS` + `SetDomains` + `SetDefaultRoute`). Olm's existing `SystemdResolvedDNSConfigurator` already does exactly that — the bug is in `DetectDNSManager` (`dns/platform/detect_unix.go`), which currently returns `NetworkManagerManager` without checking whether NSS even consults the `dns` service. ### Workaround (confirmed) ``` sudo resolvectl dns pangolin 100.96.128.1 sudo resolvectl domain pangolin '~<your-internal-domain>' ``` This is equivalent to what `SystemdResolvedDNSConfigurator` does via D-Bus. ### Proposed fix In `DetectDNSManager`, when the file hint is `NetworkManagerManager` or `ResolvconfManager`, also inspect `/etc/nsswitch.conf`. If `resolve` precedes `dns` (or `dns` is absent) and systemd-resolved is running, return `SystemdResolvedManager` so the D-Bus configurator takes over. PR incoming.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

dependabot/docker/minor-updates-1134f52710

dependabot/go_modules/patch-updates-2590a23007

dependabot/github_actions/actions/cache-5.0.3

dependabot/github_actions/actions/checkout-6.0.2

dependabot/github_actions/docker/login-action-3.7.0

dependabot/github_actions/actions/attest-build-provenance-3.2.0

dependabot/github_actions/actions/setup-go-6.2.0

1.5.0

v1.5.0

1.4.4

v1.4.4

1.4.3

v1.4.3

1.4.2

v1.4.2

1.4.1

v1.4.1

1.4.0

v1.4.0

v1.3.0

1.3.0

1.3.0-rc.0

1.2.0

1.2.0-rc.0

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

bug

dependencies

documentation

enhancement

good first issue

help wanted

needs investigating

pull-request

Mirrored from GitHub Pull Request

stale

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/olm#320