Linux – Fix broken DNS when using Wi-Fi in German ICE trains

January 2020, Jonathan Gruber

Some time ago Deutsche Bahn (the German railway) introduced free Wi-Fi in all of its ICE trains. This is great for people like me who often travel by train. Normally it is straightforward to use: connect to the Wi-Fi and click the accept button on the hotspot login page.

With my new Dell XPS 13 running Arch Linux, however, this did not work. Connecting to the Wi-Fi and obtaining an IP address succeeded, but the login page would not open because DNS resolution was failing. Since my previous notebook had no such problem, I went to investigate:

At first I suspected NetworkManager, but eventually I realized that systemd-resolved was the problem. The logs of a specific systemd unit for the current boot (-b) are easy to check with journalctl:

journalctl -b -u systemd-resolved.service
systemd[1]: Started Network Name Resolution.
systemd-resolved[434]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 172.18.0.1.
systemd-resolved[434]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
systemd-resolved[434]: DNSSEC validation failed for question firefox.settings.services.mozilla.com IN A: failed-auxiliary
systemd-resolved[434]: Failed to send hostname reply: Transport endpoint is not connected
systemd-resolved[434]: DNSSEC validation failed for question detectportal.firefox.com IN A: failed-auxiliary

The error is obvious: "DNSSEC validation failed". I had no idea what DNSSEC even was. According to Wikipedia:

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks.

Apparently the hotspot's DNS does not work with DNSSEC. That is not surprising for a captive portal: until you have accepted the terms, its resolver (here 172.18.0.1, a private address) typically answers queries with the portal's own address, and such forged answers cannot be validated, which is exactly what DNSSEC is designed to catch. The "degraded feature set" line shows that systemd-resolved had already fallen back to a reduced protocol with that server. A simple, if blunt, way to get DNS working is to disable DNSSEC globally by editing the systemd-resolved configuration file:

# /etc/systemd/resolved.conf

[Resolve]
# DNS=
# MulticastDNS=yes
# ...
DNSSEC=off

After restarting both systemd-resolved and NetworkManager, the Wi-Fi connects, the login page loads, and DNS resolution works correctly:

sudo systemctl restart systemd-resolved NetworkManager
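The procedure above boils down to three things: spot the DNSSEC failures in the journal, note which upstream resolver they happened with, and switch validation off. The script below, an added example that is not part of the original post, does the first two from journal lines and then prints two ways to do the third: the runtime, per-interface variant via `resolvectl dnssec <link> no`, which only stops validation on the hotspot link and does not survive a reboot, and the global, persistent variant from the post written as a drop-in under /etc/systemd/resolved.conf.d/ so it is easy to delete again (`DNSSEC=no` is the same boolean as the post's `DNSSEC=off`). The interface name `wlp2s0`, the drop-in file name and the sample journal lines are assumptions; the sample is constructed after the lines shown above, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: triage systemd-resolved's journal
# for DNSSEC validation failures and print the narrowest fix instead of switching
# DNSSEC off everywhere. The link name "wlp2s0" and the drop-in path are assumptions.
#
# Real usage (no root needed to read the log):
#   journalctl -b -u systemd-resolved.service -o cat | sh dnssec-triage.sh --stdin wlp2s0

# Constructed sample shaped after the lines in the post; not a real capture.
SAMPLE_JOURNAL='systemd-resolved[434]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 172.18.0.1.
systemd-resolved[434]: DNSSEC validation failed for question firefox.settings.services.mozilla.com IN A: failed-auxiliary
systemd-resolved[434]: Failed to send hostname reply: Transport endpoint is not connected
systemd-resolved[434]: DNSSEC validation failed for question detectportal.firefox.com IN A: failed-auxiliary'

# Names whose DNSSEC validation failed, as "name reason", one per line, de-duplicated.
failed_names() {
    sed -n 's/.*DNSSEC validation failed for question \([^ ]*\) IN [A-Z0-9]*: \(.*\)$/\1 \2/p' | sort -u
}

# Upstream DNS server(s) for which resolved reported a degraded feature set.
degraded_servers() {
    sed -n 's/.*Using degraded feature set (.*) for DNS server \([0-9A-Fa-f.:]*\)\.$/\1/p' | sort -u
}

# Drop-in that turns validation off globally: the blunt fix from the post, kept
# out of /etc/systemd/resolved.conf so it can simply be deleted later.
drop_in_config() {
    printf '%s\n' '[Resolve]' '# Captive-portal workaround; remove when no longer needed.' 'DNSSEC=no'
}

# Per-link, runtime-only alternative: only this interface stops validating, and
# the setting is gone after a reboot or when the link is reconfigured.
per_link_command() {
    printf 'resolvectl dnssec %s no\n' "$1"
}

# $1 = journal text, $2 = link name. Returns 1 when there is nothing to fix.
triage() {
    input=$1
    link=$2
    names=$(printf '%s\n' "$input" | failed_names)
    if [ -z "$names" ]; then
        echo "no DNSSEC validation failures in log"
        return 1
    fi
    echo "DNSSEC validation failed for:"
    printf '%s\n' "$names" | sed 's/^/  /'
    servers=$(printf '%s\n' "$input" | degraded_servers)
    [ -z "$servers" ] || echo "resolver with degraded DNSSEC support: $servers"
    echo "narrow fix (runtime, this link only):"
    echo "  $(per_link_command "$link")"
    echo "global fix (persistent; write to /etc/systemd/resolved.conf.d/captive-portal.conf,"
    echo "then: systemctl restart systemd-resolved):"
    drop_in_config | sed 's/^/  /'
    return 0
}

# With --stdin read a real journal; otherwise run on the constructed sample.
if [ "${1:-}" = "--stdin" ]; then
    INPUT=$(cat)
    LINK=${2:-wlp2s0}
else
    INPUT=$SAMPLE_JOURNAL
    LINK=${1:-wlp2s0}
fi
triage "$INPUT" "$LINK"
```

Once off the train, undo the narrow fix with `resolvectl dnssec wlp2s0 default` (or just reconnect) and the global one by deleting the drop-in and restarting systemd-resolved, so validation is only lost for as long as the captive portal needs it.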

Please note that disabling DNSSEC removes the resolver's only check that a DNS answer is genuine: a rogue resolver or an on-path attacker can then feed you forged records and redirect your traffic without anything flagging it. For HTTPS, certificate validation will still catch a redirect to an impostor, but plain HTTP, DNS-based service discovery and anything else that simply trusts the resolver is exposed. Turn DNSSEC back on once you are off the train, or disable it only for the hotspot interface rather than globally.