Flushing DNS cache on Fedora

Hey,

just curious how flushing of DNS is done on Fedora these days. Would be useful.
Would anyone please be able to provide me with a method on how to do that?

Thanks!

3 Likes

It depends on your resolver:

cat /etc/resolv.conf

In the general case, you need to restart the resolver service or invoke the resolver-specific command, e.g. in the case of systemd-resolved:

sudo resolvectl flush-caches

In other cases you need to do nothing, as it is not cached on your PC; however, it may be cached on your router.

5 Likes
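The point made in the reply above, that the flush step depends on what /etc/resolv.conf points at, as an added example that is not from any poster in the thread. The function names, the constructed sample input and the use of 127.0.0.53 as the systemd-resolved stub address are assumptions of this example.

```shell
# Added example (POSIX sh). Reads resolv.conf-style text on stdin.
# Assumption: 127.0.0.53 is the systemd-resolved stub listener; any other
# loopback address is treated as some other local caching resolver.

# Print the configured nameserver addresses, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print "systemd-resolved", "local-resolver", "remote" or "none".
classify_resolver() {
    kind="none"
    for ns in $(list_nameservers); do
        case $ns in
            127.0.0.53) kind="systemd-resolved"; break ;;
            127.*|::1)  kind="local-resolver" ;;
            *)          if [ "$kind" = "none" ]; then kind="remote"; fi ;;
        esac
    done
    echo "$kind"
}

# Print what to do about the cache; fails if no nameserver is configured.
flush_hint() {
    case $(classify_resolver) in
        systemd-resolved) echo "sudo resolvectl flush-caches" ;;
        local-resolver)   echo "restart the local resolver service" ;;
        remote)           echo "no local cache; check router or upstream resolver" ;;
        *)                echo "no nameserver configured"; return 1 ;;
    esac
}

# Constructed sample: resolv.conf as rewritten by a VPN client.
printf 'search lan\nnameserver 10.8.0.1\n' | flush_hint
```

On a real system, run it as `flush_hint < /etc/resolv.conf`.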

Hey, thanks for the reply!

It appears that systemd-resolved isn’t enabled by default.
Do you know what Fedora uses by default?

Thanks!

1 Like

I don’t think it uses anything, so there should be no DNS cache.

2 Likes

Fedora has no DNS cache system by default at all, so there’s nothing to flush. If you’re running into issues, it may be that your browser has its own DNS cache; e.g., Chrome lets you clear its own cache via chrome://net-internals/#dns.

4 Likes

If you use a custom DNS nameserver, that could also interfere. For example, a VPN program I use modifies my /etc/resolv.conf automatically to change the nameserver to protect DNS traffic. In my case, a site I wanted to visit had bad DNS records cached in the nameserver.

1 Like

We’ve got rogue DNS servers in Belarus hijacking requests coming to the alternative voting platform - https://vote.belarus2020.org - made for cross-checking governmental officials. The rogue DNS response for this URL is 185.117.119.68, but the right IP is at least 54.192.230.93.

I changed DNS servers to secure alternatives, and ping now shows the correct IP address, but nslookup returns the old IP even while reporting the new DNS server. Is there really no DNS cache system in Fedora 32?

1 Like

Not exactly; that domain uses load balancing, so it is resolved into multiple IPs owned by Amazon.

There is no DNS cache by default on Fedora 32.
But it may be enabled on your router or the ISP equipment.
Also, you cannot trust unencrypted DNS traffic when the government or ISP use DNS hijacking.

The only way to prevent DNS hijacking is to utilize DNS encryption in the mandatory mode.

You have the following options:

See also:

1 Like

Right, that’s why I said “at least”. But 185.117.119.68 doesn’t belong to the Amazon pool. It leads to the FirstByte hosting provider in Russia.

How to check that all Fedora 32 DNS requests are encrypted?

And if there is no caching, why does nslookup return the old IP after fixing DNS while ping connects to the new one?

2 Likes

Something like this:

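# Monitor DNS traffic: plain DNS (port "domain") is highlighted in red,
# DNS over TLS (port "domain-s") and queries to a local 127.0.0.x resolver in green
clear; sudo tcpdump -l -n -i any port domain or domain-s \
    | GREP_COLOR="1;31" grep --color=always --line-buffered \
        -e "$" -e "\s\S*\.domain:*\s" \
    | GREP_COLOR="1;32" grep --color=always --line-buffered \
        -e "$" -e "\.domain-s:*\s" -e "\s127\.0\.0\.[0-9]*\.domain:*\s"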

# Test plain DNS
nslookup example.org 8.8.8.8 &> /dev/null

# Test encrypted DNS
nslookup fedoraproject.org &> /dev/null

Using systemd-resolved enables DNS caching.

Should /etc/resolv.conf be a symlink?

2 Likes

It may have no official cache, but it still caches. And IT does seem to be enabled by default… Installed a Live Fedora 35 USB

This cleared the DNS entry! Thanks

1 Like