Ubuntu Version:
25.04
Desktop Environment (if applicable):
GNOME 48
Problem Description:
When enabling Mozilla VPN, connectivity works, but DNS breaks:
$ dig google.com
;; communications error to 127.0.0.53#53: timed out
^C⏎
$ ping -c4 127.0.0.53
PING 127.0.0.53 (127.0.0.53) 56(84) bytes of data.
--- 127.0.0.53 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3101ms
Yet, resolvectl still works:
$ resolvectl query google.com
google.com: 142.251.30.113 -- link: moz0
2a00:1450:4009:c17::64 -- link: moz0
...
-- Information acquired via protocol DNS in 74.7ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
Relevant System Information:
Extra context from the systemd-resolved logs if useful:
sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set DNS server list to: 100.64.0.7
sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set default route setting: yes
sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set search domain list to: ~.
Screenshots or Error Messages:
What I’ve Tried:
I tried setting DNSStubListener=no, and I made some progress: DNS works, but it’s extremely slow:
$ nslookup google.com
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.2#53: timed out
Server: 10.64.0.1
Address: 10.64.0.1#53
Non-authoritative answer:
Name: google.com
Address: 142.250.185.14
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.2#53: timed out
Name: google.com
Address: 2a00:1450:4003:803::200e
My current theory is that Mozilla VPN blocks my ISP DNSs, but they’re still in /etc/resolv.conf so they’re tried first.
On this blog post I read:
A Word about Ubuntu
Although Ubuntu has used systemd-resolved for four years now, it has not switched from nss-dns to nss-resolve, contrary to upstream recommendations.
[…]
If you’re using custom VPN software that doesn’t work with systemd-resolved, chances are it probably tries to write to /etc/resolv.conf.
And it seems to still be the case:
$ cat /etc/nsswitch.conf | grep hosts
hosts: files mdns4_minimal [NOTFOUND=return] dns
However, I don’t know what to make of this.
At this point, AI assistants suggest tweaking the iptables rules, but that seems messy. I tried finding some official information on the Mozilla VPN help center but the troubleshooting information is very limited.
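To make the nss-dns versus nss-resolve point in the report above concrete, here is an added Python example; it is not code from the original post, from Mozilla VPN or from systemd. It reads the hosts line of nsswitch.conf, the nameserver order in /etc/resolv.conf and the systemd-resolved journal lines quoted above, then reports which path glibc lookups actually take (the stub at 127.0.0.53, the resolvers listed in resolv.conf, or resolved over D-Bus) and roughly how much latency unreachable resolvers add. The resolv.conf content and the DNSStubListener flag are constructed assumptions standing in for the real files; the journal lines are the ones from the report; the delay estimate uses glibc's documented default timeout (5 s) and attempts (2) and only approximates glibc's server rotation.

```python
"""Explain where glibc DNS lookups go on a systemd-resolved host.

Added example for the Mozilla VPN / Ubuntu DNS report; not part of the
original post, Mozilla VPN or systemd. Sample inputs are constructed.
"""
import re

# glibc resolver defaults documented in resolv.conf(5)
DEFAULT_TIMEOUT = 5
DEFAULT_ATTEMPTS = 2
STUB_ADDRESS = "127.0.0.53"   # systemd-resolved's stub listener

LINK_DNS_RE = re.compile(r"(\S+): Bus client set DNS server list to: (.+)$")


def parse_nsswitch_hosts(text):
    """Return the service modules on the 'hosts:' line, dropping action
    specifiers such as [NOTFOUND=return]."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            fields = line[len("hosts:"):].split()
            return [f for f in fields if not f.startswith("[")]
    return []


def parse_resolv_conf(text):
    """Return nameservers in the order glibc tries them, plus the
    timeout/attempts options (defaults if unset)."""
    conf = {"nameservers": [], "timeout": DEFAULT_TIMEOUT,
            "attempts": DEFAULT_ATTEMPTS}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            conf["nameservers"].append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                if key in ("timeout", "attempts") and val.isdigit():
                    conf[key] = int(val)
    return conf


def parse_resolved_journal(lines):
    """Map link name -> DNS servers from systemd-resolved journal lines."""
    links = {}
    for line in lines:
        match = LINK_DNS_RE.search(line)
        if match:
            links[match.group(1)] = match.group(2).split()
    return links


def diagnose(nsswitch_text, resolv_text, journal_lines, stub_listener=True):
    """Report which resolver path glibc uses and the expected extra latency.

    stub_listener mirrors DNSStubListener= in resolved.conf (assumed value,
    passed in rather than read from the file)."""
    services = parse_nsswitch_hosts(nsswitch_text)
    resolv = parse_resolv_conf(resolv_text)
    links = parse_resolved_journal(journal_lines)
    known = {srv for servers in links.values() for srv in servers}
    ns = resolv["nameservers"]

    report = {
        "nss_mode": "nss-resolve" if "resolve" in services else "nss-dns",
        "uses_stub": STUB_ADDRESS in ns,
        "stub_usable": STUB_ADDRESS in ns and stub_listener,
        # resolvers glibc will try that resolved knows nothing about
        "foreign_resolvers": [n for n in ns if n != STUB_ADDRESS and n not in known],
        "estimated_delay_s": 0,
        "messages": [],
    }
    msgs = report["messages"]
    if report["nss_mode"] == "nss-resolve":
        msgs.append("nss-resolve: glibc asks systemd-resolved over D-Bus; "
                    "resolv.conf order does not matter")
        return report
    msgs.append("nss-dns: glibc reads /etc/resolv.conf itself, so resolved's "
                "per-link servers %s are used only via the stub" % links)
    if report["uses_stub"] and not stub_listener:
        msgs.append("resolv.conf points at %s but DNSStubListener=no: nothing "
                    "answers there" % STUB_ADDRESS)
    if not report["stub_usable"]:
        # Approximation of glibc's rotation: each unreachable server ahead of
        # the first resolved-known one costs one timeout; if none is known,
        # every server is tried attempts times.
        reachable = [i for i, n in enumerate(ns) if n in known]
        if reachable:
            report["estimated_delay_s"] = reachable[0] * resolv["timeout"]
        else:
            report["estimated_delay_s"] = (len(ns) * resolv["timeout"]
                                           * resolv["attempts"])
    if report["foreign_resolvers"]:
        msgs.append("tried first but unknown to resolved: %s"
                    % ", ".join(report["foreign_resolvers"]))
    if report["estimated_delay_s"]:
        msgs.append("expected extra latency per lookup: ~%ds"
                    % report["estimated_delay_s"])
    return report


# Constructed sample inputs mirroring the report (resolv.conf is assumed).
NSSWITCH = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"
RESOLV = ("nameserver 212.230.135.1\nnameserver 212.230.135.2\n"
          "nameserver 100.64.0.7\noptions edns0\n")
JOURNAL = [
    "sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set DNS server list to: 100.64.0.7",
    "sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set default route setting: yes",
    "sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set search domain list to: ~.",
]

if __name__ == "__main__":
    for msg in diagnose(NSSWITCH, RESOLV, JOURNAL, stub_listener=False)["messages"]:
        print("-", msg)
```

With the constructed resolv.conf the script reports nss-dns, two resolvers unknown to resolved ahead of the VPN one, and about 10 s of extra latency per lookup, which is the "works but extremely slow" pattern described above; with the hosts line changed to include `resolve`, or with resolv.conf pointing at a working stub, the estimate drops to zero.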