Some time ago Deutsche Bahn (the German railway) introduced free WI-FI in all of its ICE trains. This is great for people like me who often travel by train. Normally it is straight-forward to use: Connect to the WI-FI and click the accept button on the hotspot login page.
With my new Dell XPS 13 running Arch Linux, however, this did not work. Connecting to the WI-FI and obtaining an IP address was successful, but I was unable to open the login page because the DNS was not working. Since I had no problems with my previous notebook, I went to investigate the error:
At first, I suspected
NetworkManager, but finally, I realized that
systemd-resolved is the problem. Using the following command it is easy to
check the logs of a specific
journalctl -b -u systemd-resolved.service
systemd: Started Network Name Resolution. systemd-resolved: Using degraded feature set (UDP+EDNS0+DO) for DNS server 172.18.0.1. systemd-resolved: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected systemd-resolved: DNSSEC validation failed for question firefox.settings.services.mozilla.com IN A: failed-auxiliary systemd-resolved: Failed to send hostname reply: Transport endpoint is not connected systemd-resolved: DNSSEC validation failed for question detectportal.firefox.com IN A: failed-auxiliary
The error is obvious: ”DNSSEC validation failed”. I had no idea what DNSSEC even was. According to Wikipedia:
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks.
Apparently, DNSSEC is not supported by the network on the trains. A simple
solution to fix DNS is to disable DNSSEC by editing the
# /etc/systemd/resolved.conf [Resolve] # DNS= # MulticastDNS=yes # ... DNSSEC=off
After restarting both
NetworkManager connecting to the
WI-FI and DNS resolution works correctly:
sudo systemctl restart systemd-resolved NetworkManager
Please note that disabling DNSSEC makes your system vulnerable to various attack vectors such as Man-in-the-middle attacks.