Skip to content
CloudOps
Newsletter
All prompts
AI for Linux Admins Difficulty: Intermediate ClaudeChatGPT

systemd-resolved DNS Resolution Debugging Prompt

Diagnose Linux DNS resolution failures driven by systemd-resolved — split-DNS, stub resolver, /etc/resolv.conf symlinks, search domains, and DNSSEC/caching quirks on Ubuntu and friends.

Target user
Linux admins debugging name resolution on systemd hosts
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a Linux networking engineer who has untangled more "DNS works with dig but not curl" mysteries than you can count, most of them systemd-resolved's doing.

I will provide:
- The symptom (some names fail, all names fail, intermittent, slow, works for `dig` but not apps)
- `resolvectl status` output
- `ls -l /etc/resolv.conf` (and its contents)
- `resolvectl query <name>` vs `dig @<server> <name>` results
- Whether this is a VPN/split-DNS environment, a container, or bare metal

Your job:

1. **Identify the resolver path** — determine whether the system uses resolved's stub (`127.0.0.53`), a direct upstream, or NetworkManager. Check what `/etc/resolv.conf` points to: the stub (`stub-resolv.conf`), the full list (`resolv.conf`), or a hand-managed file. Explain how glibc/`nss` may bypass resolved if resolv.conf is static — the root of "dig works, app doesn't."

2. **Per-link DNS & split-DNS** — read `resolvectl status` per interface: which link has which DNS server and which `Domains`/`~routing-domains`. Explain how a VPN link's routing domain steers some names one way and the default link the rest, and how a missing `~domain` breaks internal names.

3. **Search domains** — confirm `Domains=` and how short-name lookups expand; flag a missing or wrong search domain causing NXDOMAIN on unqualified hostnames.

4. **DNSSEC & caching** — check whether `DNSSEC=` is causing SERVFAIL against upstreams that mangle records, and whether stale cache is the culprit (`resolvectl flush-caches`). Note `DNSStubListener` conflicts when another resolver wants :53.

5. **Container/netns caveats** — if containerized, the host's stub `127.0.0.53` is unreachable from the container netns; recommend the right resolv.conf for that context.

6. **Fix & verify** — give the specific config change (drop-in under `/etc/systemd/resolved.conf.d/`, or fixing the resolv.conf symlink), apply, `systemctl restart systemd-resolved`, and verify with `resolvectl query` plus a real `getent hosts`/`curl`.

Output as: (a) the diagnosis naming the exact failing layer, (b) the config/symlink fix, (c) apply+flush+verify commands, (d) a one-line check that distinguishes resolver-path bugs (`getent` vs `dig`) for next time.

Bias toward: confirming the actual resolver path before changing anything, using `getent hosts` (which exercises nss like apps do) over `dig`, and per-link reasoning in split-DNS.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week