DNS problem after upgrade from 15.0

After offline upgrade from Leap 15.0 to 15.1 I have a strange problem with resolving addresses. Firefox can’t open any pages, ping not working, but nslookup, dig and host commands works like a charm.

$ host conncheck.opensuse.org
conncheck.opensuse.org is an alias for proxy.opensuse.org.
proxy.opensuse.org is an alias for proxy-nue.opensuse.org.
proxy-nue.opensuse.org has address 195.135.221.140
proxy-nue.opensuse.org has IPv6 address 2620:113:80c0:8::16

but

$ ping conncheck.opensuse.org
ping: conncheck.opensuse.org: Неизвестное имя или служба (bad address in Russian)
$ cat /etc/host.conf
#
# /etc/host.conf - resolver configuration file
#
# Please read the manual page host.conf(5) for more information.
#
#
# The following option is only used by binaries linked against
# libc4 or libc5. This line should be in sync with the "hosts"
# option in /etc/nsswitch.conf.
#
order hosts, bind
#
# The following options are used by the resolver library:
#
multi on
$ cat /etc/resolv.conf
### /etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
search svalx.net
nameserver 192.168.1.1
nameserver fe80::c2c1:c0ff:fedb:ec7%eth0
nameserver 2a02:2698::c2c1:c0ff:fedb:ec7
$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

passwd: compat
group:  compat
shadow: compat

hosts:      files mdns_minimal dns
networks:    files dns

services:    files
protocols:    files
rpc:        files
ethers:        files
netmasks:    files
netgroup:    files nis
publickey:    files

bootparams:    files
automount:    files nis
aliases:    files

I use (and used early on 15.0) NetworkManager on wired network with DHCP. Firewalld is disabled.
All things looks fine and I can’t find cause of corruption. Help me please…

And yes, I can ping any hosts by IP over v4 or v6 protocols:


$ host conncheck.opensuse.org
conncheck.opensuse.org is an alias for proxy.opensuse.org.
proxy.opensuse.org is an alias for proxy-nue.opensuse.org.
proxy-nue.opensuse.org has address 195.135.221.140
proxy-nue.opensuse.org has IPv6 address 2620:113:80c0:8::16

$ ping 195.135.221.140
PING 195.135.221.140 (195.135.221.140) 56(84) bytes of data.
64 bytes from 195.135.221.140: icmp_seq=1 ttl=52 time=67.9 ms
64 bytes from 195.135.221.140: icmp_seq=2 ttl=52 time=67.7 ms
^C
--- 195.135.221.140 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 67.758/67.847/67.937/0.275 ms

$ ping 2620:113:80c0:8::16
PING 2620:113:80c0:8::16(2620:113:80c0:8::16) 56 data bytes
64 bytes from 2620:113:80c0:8::16: icmp_seq=1 ttl=54 time=64.3 ms
64 bytes from 2620:113:80c0:8::16: icmp_seq=2 ttl=54 time=64.2 ms
64 bytes from 2620:113:80c0:8::16: icmp_seq=3 ttl=54 time=64.5 ms
^C
--- 2620:113:80c0:8::16 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 64.223/64.358/64.514/0.316 ms

Did you try this:

Call “netconfig update -f” to force adjusting of /etc/resolv.conf.

Yes, I done this. resolv.conf is not changed, and DNS issue remains. I tried use other DNS server eg Google public DNS 8.8.8.8, I switched to Wicked but no changes.

$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 94:de:80:a8:2a:b9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.100/24 brd 192.168.1.255 scope global noprefixroute dynamic eth0
       valid_lft 76475sec preferred_lft 76475sec
    inet6 2a02:2698::1cc9:872/128 scope global noprefixroute dynamic 
       valid_lft 33280sec preferred_lft 33280sec
    inet6 fe80::fee6:a785:87d0:dc0e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:46:e0:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global virbr0
       valid_lft forever preferred_lft forever
    inet6 2a02:2698::3195:2::1/96 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe46:e05d/64 scope link 
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:46:e0:5d brd ff:ff:ff:ff:ff:ff

Rename /etc/resolv.conf and run :

netconfig update -f

Does this generate a new /etc/resolf.conf?

Otherwise:

search svalx.net
nameserver 192.168.1.1
nameserver fe80::c2c1:c0ff:fedb:ec7**%eth0**
nameserver 2a02:2698::c2c1:c0ff:fedb:ec7

This is not the right format for an IP-Address…
I would also commend the 2 IPV6 Adresses out.

/etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf. I deleted both and netconfig regenerated both with same content.

Commented out IPv6 strings. No success. And after reboot resolv.conf content regenerated again.

What about staic IP?

I found out a solution. AppArmor was a cause of dns issue. It blocked access nscd to /run/netconfig/resolv.conf. I was needed refresh AppArmor cache for fixing that. Thank you for your concern!

Sounds like topic for bug report.

Also it will certainly benefit others (it is not the first report of mysterious DNS problems) if you explained how you refreshed AppArmor cache.

Rather, it’s my local flaw. rpmconfigcheck showed me unresolved /etc/apparmor.d/abstractions/nameservice.rpmnew. I has move it to /etc/apparmor.d/abstractions/nameservice, restarted apparmor.service, but no changes has been applied yet, until I was deleted all files in /var/lib/apparmor/cache and rebooted.