I recently upgraded my Ubuntu box to 17.04.
Much to my surprise DNS starting behaving strangely, so I checked my DNS server … worked fine if I queried it directly, so I checked if DHCP was giving out the wrong DNS IP … nope, that was fine too. I checked /etc/nsswitch.conf , and that looked fine too so I checked what was ending up in /etc/resolv.conf and was surprised that it contains nameserver 127.0.0.53 instead of the “real” DNS server.
After a bit of research I found out that Ubuntu switched over to using systemd-resolved, which shoves itself between user land and the DNS servers and (at least in Ubuntu 17.04) has problems with servers that support DNSSEC. Very frustrating when you know everything is OK and worked in the past, just systemd messing with stuff and breaking it.
My workaround was to turn of DNSSEC validation. Not pretty but better than no DNS at all, until Ubuntu get’s their problems sorted out.
| mkdir /etc/systemd/resolved.conf.d printf "[Resolve]\nDNSSEC=no\n" >> /etc/systemd/resolved.conf.d/no-dnssec.conf dpkg-reconfigure resolvconf # Say 'yes' to 'prepare /etc/resolve.conf for dynamic updates' |