Sheogorath's Blog

Debug your DNS traffic with systemd-resolved


From time to time you wonder why DNS is not working, where things are breaking and, especially in the case of proprietary software, what DNS requests applications are making.

As described in the previous article, my system runs systemd-resolved with DoT. This means DNS requests are cached locally and sent fully encrypted, which makes it somewhat harder to debug this traffic with classic network analysis tools like Wireshark.

Enable debug logging

The easiest way to debug the DNS requests is to enable debug logging in systemd-resolved. This provides very detailed logs about:

  • lookup requests arriving
  • way the lookup was requested
  • cache status of the response
  • DNSSEC validation status
  • response value
  • requested records
  • and more…

This detailed logging can be enabled using sudo resolvectl log-level debug. Afterwards you can read the logs using journalctl -f -u systemd-resolved.service.

Back to normal

Once you are done debugging, all you need to do is run sudo resolvectl log-level info and your setup is back to normal.
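
The whole procedure above (enable debug logging, read the journal, switch back) as an added example that is not part of the original post: it counts which names an application asked for during a capture window. The function names, the sample lines and the assumed "Looking up RR for" message wording are illustrative; check the pattern against your own journal.

```shell
#!/bin/sh
# Added example. Assumption: with debug logging on, systemd-resolved logs each
# incoming question as "Looking up RR for <name> IN <type>."; the wording can
# differ between systemd versions, so adjust the pattern to your own journal.

# Read journal lines on stdin, print "<count> <name> <type>", busiest first.
summarize_lookups() {
    awk '
        /Looking up RR for / {
            sub(/.*Looking up RR for /, "")   # drop timestamp and prefix
            sub(/\.$/, "")                    # drop the sentence-ending dot
            n = split($0, f, " ")             # f[1]=name f[2]=class f[3]=type
            if (n >= 3) count[f[1] " " f[3]]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Capture for $1 seconds (default 30), then summarise. Not called below
# because it changes the log level of the running resolver.
capture_lookups() {
    secs=${1:-30}
    start=$(date '+%Y-%m-%d %H:%M:%S')
    sudo resolvectl log-level debug || return 1
    # Restore the normal level even if the capture is interrupted.
    trap 'sudo resolvectl log-level info' INT TERM
    sleep "$secs"
    trap - INT TERM
    sudo resolvectl log-level info
    journalctl -u systemd-resolved.service --since "$start" -o cat |
        summarize_lookups
}

# Constructed sample lines (not real captures) to show the summary offline.
SAMPLE_LOG='Jan 01 12:00:00 host systemd-resolved[512]: Looking up RR for example.com IN A.
Jan 01 12:00:00 host systemd-resolved[512]: Cache miss for example.com IN A
Jan 01 12:00:01 host systemd-resolved[512]: Looking up RR for example.com IN AAAA.
Jan 01 12:00:02 host systemd-resolved[512]: Looking up RR for example.com IN A.
Jan 01 12:00:02 host systemd-resolved[512]: Positive cache hit for example.com IN A
Jan 01 12:00:03 host systemd-resolved[512]: Looking up RR for telemetry.example.net IN A.'

printf '%s\n' "$SAMPLE_LOG" | summarize_lookups
```

Run capture_lookups 60 while starting the application you want to inspect; the debug journal records every lookup made on the host during that window, not only that application's.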