Dns problem, can't update


got a RPi behind a firewall that should block all internet traffic except some whitelisted domains:
ubuntu.com, launchpad.net, canonical.com ('include subdomains' option enabled).
There's a test tool on the firewall that let me check the connection (RPi - those domains). Tells me 'all fine' but Raspberry Pi won't update: failure when resolving ports.ubuntu.com and failure when resolving ppa.launchpad.net.

Our network has two dns server which I included in /etc/hosts.

What am I missing?
What can I do to fix this?


Lets do a quick little test.

Open a terminal and run this command: nslookup
You will see a ">"

From there type:

launchpad.net it should return the IP address ala ""
ppa.launchpad.net it should return the IP address ala ""

Are those resolving correctly?

Just a couple of notes:
It is preferable to configure dns-server as an ip address.
Dns-server ip has to be whitelisted as well.


Doesn't resolve the launchpad.net

Where should they be whitelisted?

They should be whitelisted at your firewall, I suppose.

Ah! Now I see what you mean.
Yes, they are whitelisted.

I also whitelisted the ip adresses but nothing changed.

As @franksmcb mentioned, the dns diagnostic tool is nslookup:

  1. What is your configured dns server?
$ nslookup
> server
Default server:
Default server:
  1. Does it resolve ip addresses to domain names and vice versa?
$nslookup	name = dns.google.

$ nslookup dns.google

3. Verify another dns server:

$ nslookup
> server
Default server:
> dns.google.com

Non-authoritative answer:
Name:	dns.google.com
Name:	dns.google.com
Address: 2a00:1450:4001:817::200e

Please note, that dns servers are referred to by their ip addresses and not by their domain names.

Next, your firewall has to be configured to allow dns traffic to your preferred dns server, namely: UDP protocol, port 53, ip address of the dns server.
This configuration definitely does not belong to 'Web filtering' section. I am unfamiliar with your firewall and its GUI, but 'Filtering options' and/or 'Network services' look much more appropriate candidates.

Hopefully this will help.

1 Like

RPi is inside a company network so the dns adresses are the adresses of our domain controller, not google.

Btw. didn't have problems with raspbian. Was able to update.

I can't explain why things just worked for you on Raspbian but not MATE, but if you do wish to try forcing use of your two specific local DNS servers, that should go into /etc/resolv.conf

resolv.conf says not to edit in it ('Do not edit').
So I changed the network setting but it's not kept. After reboot the 2 additional dns addresses are gone.

You can barely see it in the screenshot, blurred it out cause..

What does systemd-resolve --status show?

Does it show your correct DNS servers?

Actually it does show the proper dns servers and the right dns domain.

When you run this, what does it return

nslookup launchpad.net

If that is not returning correctly I would re-examine your blocking on the firewall.

Good luck.

You're right! NAT was missing. Wasn't aware because I didn't change it and it used to work with raspbian. I still wonder..
Thank you all and sorry for bothering!

I updated (>100 packages) and now I have the same problem again. This time I can ping an ip address but I can't resolve hostnames.
systemd-resolve --status show gives the same output.
/etc/hosts hasn't changed.

This time it's not the firewall because another pc (opensuse) can ping ports.ubuntu.com (e.g.).


nslookup ports.ubuntu.com's not working