zebulon

DNS not reinstated at exit with network lock using systemd-resolved in stub mode


Hi,

I have an issue after I switched from manual mode to stub mode using systemd-resolved. My /etc/resolv.conf file is a symlink to /run/systemd/resolve/stub-resolv.conf as described in https://wiki.archlinux.org/title/Systemd-resolved#DNS.
Before I run eddie-ui v2.24.6, my resolvectl status shows:

$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1 2a02:8070:d483:bf20:2e00:abff:fe88:c64
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no
192.168.0.1 is the address of my router, which uses my ISP DNS (I know, I should fix this...)

If I activate Network Lock, I get:
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1 2a02:8070:d483:bf20:2e00:abff:fe88:c64
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
Note it changes the DNS for Link 4 (wlan0), although Wifi is deactivated on that machine (I use wired Ethernet, plugged to the router).
I can deactivate Network lock and connect to the Internet again.

However, if I join a VPN server (connect to a recommended server):
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: fd7d:76ee:e68f:a993::1
         DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.128.0.1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no

Link 6 (Eddie)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.128.0.1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
I can access Internet, my DNS is then 10.128.0.1.

The problem occurs when I exit Eddie-ui, or if I disconnect from the network and unlock Network lock.
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: fd7d:76ee:e68f:a993::1
         DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.128.0.1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
Here Link2 still has 10.128.0.1 as DNS server, but I am blocked because I am disconnected from the VPN server.
Only a restart of systemd-resolved allows me to return to correct DNS:
$ sudo systemctl restart systemd-resolved
$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
       DNS Servers: 192.168.0.1 2a02:8070:d483:bf20:2e00:abff:fe88:c64
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
Interestingly, if before I restart systemd-resolved I run Eddie-ui again, if I try to activate the network lock then it is stuck with "Activate Network lock via nftables". I am unsure if this is related.

It seems there is an issue on my system where Eddie cannot reinstate DNS properly. Any idea? Am I doing something wrong?


Note I am happy to provide logs, but while performing tests it seems to be stuck until I restart systemd-resolved. So I am afraid the log itself is tainted. That said, here you can find it attached:
 

eddie-log-20260123.txt

@zebulon

Hello!

Please note that Network Lock has nothing to do with DNS settings.

Now, the problem seems to be here:
Quote

. 2026.01.23 13:42:11 - DNS of the system restored - via /etc/resolv.conf) <-- something goes wrong here
. 2026.01.23 13:38:26 - DNS of the interface 'enp12s0' restored to '192.168.0.1 2a02:8070:d483:bf20:2e00:abff:fe88:c64' - via systemd-resolved <-- correct
. 2026.01.23 13:38:26 - Default Route of the interface 'enp12s0' restored to 'yes' - via systemd-resolved <-- correct as wlan0 is down
. 2026.01.23 13:38:26 - DNS of the interface 'wlan0' restored to '10.128.0.1 fd7d:76ee:e68f:a993::1' - via systemd-resolved <-- another problem


In other words, the previous DNS settings for wlan0 were 10.128.0.1 and fd7d:76ee:e68f:a993::1 according to Eddie. So it's possible that Eddie restores the system DNS settings as expected, but with the same VPN DNS, even for /etc/resolv.conf. Somehow in a previous session the proper DNS settings were not restored and Eddie takes (now correctly, the error must have occurred in a previous session) those settings as the original system settings in subsequent sessions.

Please try this: set all the correct DNS (globally and for each interface) while Eddie is not running, delete Eddie configuration file ~/.config/eddie/default.profile, make sure that only WiFi or only Ethernet is connected, re-start Eddie and try again.

Kind regards
 


Hi, thanks for your support. Unfortunately it does not work: I set up 9.9.9.9 for all interfaces using NetworkManager. I also deleted .config/eddie/default.profile

$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 9.9.9.9#dns.quad9.net
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 192.168.0.1 2606:4700:4700::1111 2a02:8070:d483:bf20:2e00:abff:fe88:c64
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no
Then I used Eddie to connect (as you mention, regardless of Network Lock, so I did not lock this time):
$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 10.128.0.1
         DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.128.0.1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no

Link 5 (Eddie)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.128.0.1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
Then I exit Eddie:
$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.128.0.1
         DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fd7d:76ee:e68f:a993::1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
Here I do not have resolving. Eddie did not reinstate 9.9.9.9 to my interfaces. If I restart systemd-resolved:
$ sudo systemctl restart systemd-resolved
$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 8.8.8.8#dns.google
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 192.168.0.1 2606:4700:4700::1111 2a02:8070:d483:bf20:2e00:abff:fe88:c64
     Default Route: yes

Link 4 (wlan0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
     Default Route: no
This works again.
This suggests a bug when Eddie handles stub based systemd-resolved configuration, no? Could Eddie simply restart systemd-resolved at exit? It has root permission. Would it be a possible solution?

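The state shown in the post above (VPN resolvers still assigned to Global and to enp12s0 after Eddie exits) can be checked mechanically from `resolvectl status` text. This is an added example, not part of the original thread and not Eddie's code; the function name `stale_vpn_dns` and the abridged sample input are constructed for illustration.

```bash
#!/bin/sh
# stale_vpn_dns: read `resolvectl status` text on stdin and print every scope
# (Global or a link name) that still lists one of the given resolver addresses.
# Links whose "Current Scopes" is "none" are skipped, since resolved does not
# route queries to them. Run it after the tunnel is down; while connected, the
# tunnel link itself legitimately lists these servers.
# Usage: resolvectl status | stale_vpn_dns 10.128.0.1 fd7d:76ee:e68f:a993::1
stale_vpn_dns() {
    awk -v vpn="$*" '
        function flush() { if (scope != "" && active && hit) print scope }
        function check(   i, s) {
            for (i = 1; i <= NF; i++) { s = $i; sub(/#.*/, "", s); if (s in want) hit = 1 }
        }
        BEGIN { n = split(vpn, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^Global/         { flush(); scope = "Global"; active = 1; hit = 0; dns = 0; next }
        /^Link [0-9]+ \(/ { flush(); scope = $3; gsub(/[()]/, "", scope)
                            active = 1; hit = 0; dns = 0; next }
        /Current Scopes: none/ { active = 0; dns = 0; next }
        /^[ \t]*(Current DNS Server|DNS Servers):/ { dns = 1; check(); next }
        /: / || NF == 0   { dns = 0; next }   # any other labelled or blank line ends a server list
        dns               { check() }         # wrapped continuation of a server list
        END { flush() }
    '
}

# Constructed sample, abridged from the after-exit output quoted in the post above.
SAMPLE_AFTER_EXIT='Global
  Current DNS Server: 10.128.0.1
         DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1
Fallback DNS Servers: 9.9.9.9#dns.quad9.net 2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google

Link 2 (enp12s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Current DNS Server: fd7d:76ee:e68f:a993::1
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1

Link 4 (wlan0)
    Current Scopes: none
       DNS Servers: 10.128.0.1 fd7d:76ee:e68f:a993::1'

# Reports Global and enp12s0; wlan0 is ignored because its scope is "none".
printf '%s\n' "$SAMPLE_AFTER_EXIT" | stale_vpn_dns 10.128.0.1 fd7d:76ee:e68f:a993::1
```

An empty result after disconnecting means no active scope still points at the tunnel's resolvers.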

Note I also tried to define a file:
 

/etc/systemd/resolved.conf.d/dns_servers.conf

[Resolve]
DNS=9.9.9.9


Although this works without VPN, when I try to connect to a server with Eddie, it fails at the "Checking DNS" step and tries to reconnect indefinitely.
