Mozilla VPN breaks local networking (was: breaks DNS resolution)

Ubuntu Version:

25.04

Desktop Environment (if applicable):

GNOME 48

Problem Description:

When enabling Mozilla VPN, connectivity works, but DNS breaks:

$ dig google.com
;; communications error to 127.0.0.53#53: timed out
^C⏎
$ ping -c4 127.0.0.53
PING 127.0.0.53 (127.0.0.53) 56(84) bytes of data.

--- 127.0.0.53 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3101ms

Yet, resolvectl still works:

$ resolvectl query google.com
google.com: 142.251.30.113                     -- link: moz0
            2a00:1450:4009:c17::64             -- link: moz0
            ...
-- Information acquired via protocol DNS in 74.7ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

Relevant System Information:

Extra context from the systemd-resolved logs if useful:

sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set DNS server list to: 100.64.0.7
sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set default route setting: yes
sep 28 20:33:48 bardor systemd-resolved[1495]: moz0: Bus client set search domain list to: ~.

Screenshots or Error Messages:

What I’ve Tried:

I tried setting DNSStubListener=no, and I made some progress: DNS works, but it’s extremely slow:

$ nslookup google.com
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.2#53: timed out
Server:        10.64.0.1
Address:    10.64.0.1#53

Non-authoritative answer:
Name:    google.com
Address: 142.250.185.14
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.1#53: timed out
;; communications error to 212.230.135.2#53: timed out
Name:    google.com
Address: 2a00:1450:4003:803::200e

My current theory is that Mozilla VPN blocks my ISP DNSs, but they’re still in /etc/resolv.conf so they’re tried first.

On this blog post I read:

A Word about Ubuntu
Although Ubuntu has used systemd-resolved for four years now, it has not switched from nss-dns to nss-resolve, contrary to upstream recommendations.
[…]
If you’re using custom VPN software that doesn’t work with systemd-resolved, chances are it probably tries to write to /etc/resolv.conf.

And it seems to still be the case:

$ cat /etc/nsswitch.conf | grep hosts
hosts:          files mdns4_minimal [NOTFOUND=return] dns

However, I don’t know what to make of this.

At this point, AI assistants suggest tweaking the iptables rules, but that seems messy. I tried finding some official information on the Mozilla VPN help center but the troubleshooting information is very limited.


oooooooof

That blog post is from 5 years ago. I wouldn’t trust it as far as I could throw it.

Ubuntu uses Netplan now for everything networking, using NetworkManager for a frontend on desktop systems.

I’d double-check everything against more recent documentation or wait for someone with better knowledge than myself on this.

Okay, after a good night’s sleep, final update:

It was not just DNS, all local networking would break:

$ ping -c2 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1046ms

Installing libnss-resolve turned the NSS config into hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns and still didn’t work, so I reverted.

And here is the thing that did work:

$ sudo snap remove lxd k8s openstackclients snapcraft
$ reboot

Turns out some of these packages and Mozilla VPN wouldn’t get along well.

$ # VPN ON, before removing problematic snaps
$ ip rule show
9:    from all fwmark 0x200/0xf00 lookup 2004
99:    not from all fwmark 0xca6c lookup 51820
100:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default
$ # VPN ON, after removing problematic snaps
$ ip rule show
0:    from all lookup local
32765:    not from all fwmark 0xca6c lookup 51820
32766:    from all lookup main
32767:    from all lookup default

Case closed from my side.
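An added example, not from the thread or from Mozilla VPN: a small Python check that parses ip rule show output and flags rules that run before the local table lookup and can match ordinary (unmarked) packets. That ordering is the visible difference between the two listings above, and the loopback pings only fail in the first one. The two listings are embedded as sample input; the live check assumes iproute2 is installed.

```python
import re
import subprocess
from typing import List, Tuple

# (preference, selector, table), e.g. (99, "not from all fwmark 0xca6c", "51820")
Rule = Tuple[int, str, str]
RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)")


def parse_rules(text: str) -> List[Rule]:
    """Parse `ip rule show` output into rules sorted by preference (lowest first)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2).strip(), m.group(3)))
    return sorted(rules, key=lambda r: r[0])


def matches_unmarked(selector: str) -> bool:
    """True if the selector can match a packet carrying no fwmark.
    'from all fwmark X' matches only marked packets; the inverted form
    'not from all fwmark X' matches every packet without that mark."""
    return "fwmark" not in selector or selector.startswith("not ")


def rules_shadowing_local(text: str) -> List[Rule]:
    """Rules evaluated before the `local` table that point elsewhere and can
    match unmarked traffic. Loopback addresses are routed by the `local` table,
    so such a rule can divert 127.0.0.0/8 traffic (e.g. to a VPN table)."""
    rules = parse_rules(text)
    local_prefs = [pref for pref, _, table in rules if table == "local"]
    cutoff = min(local_prefs) if local_prefs else float("inf")
    return [r for r in rules if r[0] < cutoff and r[2] != "local"
            and matches_unmarked(r[1])]


# Sample input: the two listings from the post (VPN on, before/after removing the snaps).
BEFORE = ("9:\tfrom all fwmark 0x200/0xf00 lookup 2004\n"
          "99:\tnot from all fwmark 0xca6c lookup 51820\n"
          "100:\tfrom all lookup local\n"
          "32766:\tfrom all lookup main\n"
          "32767:\tfrom all lookup default\n")
AFTER = ("0:\tfrom all lookup local\n"
         "32765:\tnot from all fwmark 0xca6c lookup 51820\n"
         "32766:\tfrom all lookup main\n"
         "32767:\tfrom all lookup default\n")

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER)):
        print(name, rules_shadowing_local(listing))  # before: rule 99 -> 51820; after: []
    try:  # live check on this host; skipped if iproute2 is not available
        live = subprocess.run(["ip", "rule", "show"], capture_output=True,
                              text=True, check=True).stdout
        print("this host:", rules_shadowing_local(live) or "ok, local lookup comes first")
    except (OSError, subprocess.CalledProcessError):
        pass
```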
