DNS resolution fails | UDP setup with <SERVER> for <DOMAIN> failed: permission denied

Hey all,

For the last few days I have had a weird issue with my PC. It affects domain resolution, which impacts internet connectivity. The issue is limited to this PC; every other device on my network works fine.

When I run nslookup or dig, I get the following error messages:

 󰛓 ❯ nslookup dpmb.cz
;; UDP setup with 10.0.99.16#53(10.0.99.16) for dpmb.cz failed: permission denied.
;; no servers could be reached
;; UDP setup with 10.0.99.16#53(10.0.99.16) for dpmb.cz failed: permission denied.
;; no servers could be reached
;; UDP setup with 10.0.99.16#53(10.0.99.16) for dpmb.cz failed: permission denied.
;; no servers could be reached

When I repeat the command it resolves properly

 󰛓 ❯ nslookup dpmb.cz
Server:         10.0.99.16
Address:        10.0.99.16#53

Non-authoritative answer:
Name:   dpmb.cz
Address: 77.240.184.217
Name:   dpmb.cz
Address: 2a02:e98:10:1410::82

I could not find any explanation of the meaning of this error message. Does somebody know wtf is this?

For some reason DNS resolution fails specifically on this PC. When I run nslookup or dig, the error message is printed immediately. To me it looks like the PC is not even trying to resolve the domain; it just errors out. I also do not see any DNS query arriving at the DNS server during that interval.

 󰛓 ❯ garuda-inxi
System:
  Kernel: 6.16.3-arch1-1-znver5 arch: x86_64 bits: 64 compiler: gcc v: 15.2.1
    clocksource: tsc avail: hpet,acpi_pm
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-znver5
    root=UUID=aaf2fe4c-290b-4ef4-bfd4-1736576d2c89 rw rootflags=subvol=@
    vt.default_red=30,243,166,249,137,245,148,186,88,243,166,249,137,245,148,166
    vt.default_grn=30,139,227,226,180,194,226,194,91,139,227,226,180,194,226,173
    vt.default_blu=46,168,161,175,250,231,213,222,112,168,161,175,250,231,213,200
    quiet resume=UUID=8dd78827-8cbe-4c44-a410-a36c948cce40 loglevel=3
    split_lock_detect=off
  Desktop: KDE Plasma v: 6.4.4 tk: Qt v: N/A info: frameworks v: 6.17.0
    wm: kwin_wayland vt: 2 dm: SDDM Distro: Garuda base: Arch Linux
Machine:
  Type: Desktop Mobo: Micro-Star model: MAG X870 TOMAHAWK WIFI (MS-7E51)
    v: 1.0 serial: <superuser required> uuid: <superuser required> UEFI: American
    Megatrends LLC. v: 1.A44 date: 04/24/2025
CPU:
  Info: model: AMD Ryzen 7 9800X3D bits: 64 type: MT MCP arch: N/A level: v4
    note: check family: 0x1A (26) model-id: 0x44 (68) stepping: 0
    microcode: 0xB404032
  Topology: cpus: 1x dies: 1 clusters: 1 cores: 8 threads: 16 tpc: 2
    smt: enabled cache: L1: 640 KiB desc: d-8x48 KiB; i-8x32 KiB L2: 8 MiB
    desc: 8x1024 KiB L3: 96 MiB desc: 1x96 MiB
  Speed (MHz): avg: 5232 min/max: 603/5272 boost: enabled scaling:
    driver: amd-pstate-epp governor: performance cores: 1: 5232 2: 5232 3: 5232
    4: 5232 5: 5232 6: 5232 7: 5232 8: 5232 9: 5232 10: 5232 11: 5232 12: 5232
    13: 5232 14: 5232 15: 5232 16: 5232 bogomips: 150399
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Vulnerabilities: <filter>
Graphics:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 48 [Radeon RX 9070/9070
    XT/9070 GRE] vendor: XFX driver: amdgpu v: kernel pcie: gen: 5
    speed: 32 GT/s lanes: 16 ports: active: DP-3 empty: DP-1, DP-2, HDMI-A-1,
    Writeback-1 bus-ID: 03:00.0 chip-ID: 1002:7550 class-ID: 0300
  Device-2: Advanced Micro Devices [AMD/ATI] Granite Ridge [Radeon Graphics]
    vendor: Micro-Star MSI driver: amdgpu v: kernel arch: RDNA-2 code: Navi-2x
    process: TSMC n7 (7nm) built: 2020-22 pcie: gen: 4 speed: 16 GT/s
    lanes: 16 ports: active: none empty: DP-4, DP-5, DP-6, HDMI-A-2,
    Writeback-2 bus-ID: 74:00.0 chip-ID: 1002:13c0 class-ID: 0300 temp: 38.0 C
  Display: wayland server: X.org v: 1.21.1.18 with: Xwayland v: 24.1.8
    compositor: kwin_wayland driver: X: loaded: amdgpu
    unloaded: modesetting,radeon alternate: fbdev,vesa dri: radeonsi
    gpu: amdgpu display-ID: 0
  Monitor-1: DP-3 model: Dell AW3423DWF serial: <filter> built: 2023 res:
    mode: 3440x1440 hz: 165 scale: 100% (1) dpi: 109 gamma: 1.2
    size: 800x337mm (31.5x13.27") diag: 868mm (34.2") modes: max: 3440x1440
    min: 720x400
  API: EGL v: 1.5 hw: drv: amd radeonsi platforms: device: 0 drv: radeonsi
    device: 1 drv: radeonsi device: 2 drv: swrast gbm: drv: radeonsi
    surfaceless: drv: radeonsi wayland: drv: radeonsi x11: drv: radeonsi
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 25.2.1-arch1.2
    glx-v: 1.4 direct-render: yes renderer: AMD Radeon RX 9070 XT (radeonsi
    gfx1201 LLVM 20.1.8 DRM 3.64 6.16.3-arch1-1-znver5) device-ID: 1002:7550
    memory: 15.62 GiB unified: no display-ID: :0.0
  API: Vulkan v: 1.4.321 layers: 12 device: 0 type: discrete-gpu name: AMD
    Radeon RX 9070 XT (RADV GFX1201) driver: mesa radv v: 25.2.1-arch1.2
    device-ID: 1002:7550 surfaces: N/A device: 1 type: integrated-gpu name: AMD
    Radeon Graphics (RADV RAPHAEL_MENDOCINO) driver: mesa radv
    v: 25.2.1-arch1.2 device-ID: 1002:13c0 surfaces: N/A device: 2 type: cpu
    name: llvmpipe (LLVM 20.1.8 256 bits) driver: mesa llvmpipe
    v: 25.2.1-arch1.2 (LLVM 20.1.8) device-ID: 10005:0000 surfaces: N/A
  Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
    de: kscreen-console,kscreen-doctor gpu: amdgpu_top, corectrl, lact
    wl: wayland-info x11: xdpyinfo, xprop, xrandr
Audio:
  Device-1: Advanced Micro Devices [AMD/ATI] Navi 48 HDMI/DP Audio
    driver: snd_hda_intel v: kernel pcie: gen: 5 speed: 32 GT/s lanes: 16
    bus-ID: 03:00.1 chip-ID: 1002:ab40 class-ID: 0403
  Device-2: Advanced Micro Devices [AMD/ATI] Radeon High Definition Audio
    [Rembrandt/Strix] vendor: Micro-Star MSI driver: snd_hda_intel v: kernel
    pcie: gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 74:00.1 chip-ID: 1002:1640
    class-ID: 0403
  Device-3: Advanced Micro Devices [AMD] Family 17h/19h/1ah HD Audio
    vendor: Micro-Star MSI driver: snd_hda_intel v: kernel pcie: gen: 4
    speed: 16 GT/s lanes: 16 bus-ID: 74:00.6 chip-ID: 1022:15e3 class-ID: 0403
  Device-4: Micro Star USB Audio driver: hid-generic,snd-usb-audio,usbhid
    type: USB rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-5:5
    chip-ID: 0db0:cd0e class-ID: 0300
  Device-5: VIA USB Audio Device driver: hid-generic,snd-usb-audio,usbhid
    type: USB rev: 2.0 speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 5-2.2:4
    chip-ID: 040d:340a class-ID: 0300
  API: ALSA v: k6.16.3-arch1-1-znver5 status: kernel-api with: aoss
    type: oss-emulator tools: N/A
  Server-1: PipeWire v: 1.4.7 status: active with: 1: pipewire-pulse
    status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
    4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Qualcomm WCN785x Wi-Fi 7 320MHz 2x2 [FastConnect 7800]
    vendor: Foxconn Band Simultaneous Wireless driver: ath12k_pci v: N/A
    modules: ath12k pcie: gen: 3 speed: 8 GT/s lanes: 1 link-max: lanes: 2
    bus-ID: 09:00.0 chip-ID: 17cb:1107 class-ID: 0280
  IF: wlp9s0 state: down mac: <filter>
  Device-2: Realtek RTL8126 5GbE vendor: Micro-Star MSI driver: r8169
    v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 1 port: e000 bus-ID: 0a:00.0
    chip-ID: 10ec:8126 class-ID: 0200
  IF: enp10s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Info: services: NetworkManager,systemd-timesyncd
Bluetooth:
  Device-1: Foxconn / Hon Hai driver: btusb v: 0.8 type: USB rev: 1.1
    speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-12:11 chip-ID: 0489:e10a
    class-ID: e001
  Report: btmgmt ID: hci0 rfk-id: 0 state: up address: N/A
Drives:
  Local Storage: total: 3.18 TiB used: 1.37 TiB (42.9%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung model: SSD 990 PRO 2TB
    size: 1.82 TiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: 4B2QJXD7 temp: 42.9 C
    scheme: GPT
  ID-2: /dev/nvme1n1 maj-min: 259:2 vendor: Samsung model: SSD 970 EVO 1TB
    size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: 2B2QEXE7 temp: 37.9 C
    scheme: GPT
  ID-3: /dev/nvme2n1 maj-min: 259:4 vendor: Samsung model: SSD 970 EVO 500GB
    size: 465.76 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: 2B2QEXE7 temp: 38.9 C
    scheme: GPT
Partition:
  ID-1: / raw-size: 432.02 GiB size: 432.02 GiB (100.00%)
    used: 50.11 GiB (11.6%) fs: btrfs dev: /dev/nvme2n1p2 maj-min: 259:6
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 616 KiB (0.2%) fs: vfat dev: /dev/nvme2n1p1 maj-min: 259:5
  ID-3: /home raw-size: 432.02 GiB size: 432.02 GiB (100.00%)
    used: 50.11 GiB (11.6%) fs: btrfs dev: /dev/nvme2n1p2 maj-min: 259:6
  ID-4: /var/log raw-size: 432.02 GiB size: 432.02 GiB (100.00%)
    used: 50.11 GiB (11.6%) fs: btrfs dev: /dev/nvme2n1p2 maj-min: 259:6
  ID-5: /var/tmp raw-size: 432.02 GiB size: 432.02 GiB (100.00%)
    used: 50.11 GiB (11.6%) fs: btrfs dev: /dev/nvme2n1p2 maj-min: 259:6
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
  ID-1: swap-1 type: zram size: 30.4 GiB used: 0 KiB (0.0%) priority: 100
    comp: zstd avail: lzo-rle,lzo,lz4,lz4hc,deflate,842 dev: /dev/zram0
  ID-2: swap-2 type: partition size: 33.45 GiB used: 0 KiB (0.0%)
    priority: -2 dev: /dev/nvme2n1p3 maj-min: 259:7
Sensors:
  System Temperatures: cpu: 44.5 C mobo: N/A
  Fan Speeds (rpm): N/A
  GPU: device: amdgpu temp: 48.0 C mem: 66.0 C fan: 2 watts: 53.00
    device: amdgpu temp: 38.0 C
Info:
  Memory: total: 32 GiB note: est. available: 30.4 GiB used: 4.97 GiB (16.3%)
  Processes: 473 Power: uptime: 2m states: freeze,mem,disk suspend: deep
    avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
    suspend, test_resume image: 12.13 GiB services: org_kde_powerdevil,
    power-profiles-daemon, upowerd Init: systemd v: 257 default: graphical
    tool: systemctl
  Packages: pm: pacman pkgs: 1532 libs: 449 tools: octopi,paru Compilers:
    gcc: 15.2.1 Shell: Bash v: 5.3.3 default: fish v: 4.0.2 running-in: konsole
    inxi: 3.3.38
Garuda (2.8.1-2):
  System install date:     2025-03-16
  Last full system update: 2025-08-24
  Is partially upgraded:   No
  Relevant software:       snapper NetworkManager dracut
  Windows dual boot:       No/Undetected
  Failed units:
--- System Health Check Report ---
22/23 checks run in 0.32 seconds ⌛
Powered by garuda-health 🦅

✅ System health check passed. No issues found.

Please post:

cat /etc/resolv.conf

Perhaps try Dnsmasq.

1 Like

Here is the output

󰛓  cat /etc/resolv.conf
File: /etc/resolv.conf
# Generated by NetworkManager
search vlan10
nameserver 10.0.99.16

Yeah, I can try dnsmasq (that’s my next step), but I am still interested in why it started to fail, as it was working fine until recently.

What is this above?


You could add different servers.

Make a backup of /etc/resolv.conf and remove any file write protection (if enabled):

sudo cp /etc/resolv.conf /etc/resolv.conf.bak && sudo chattr -i /etc/resolv.conf

Then, run the following command to auto-generate an /etc/resolv.conf file with Cloudflare as the DNS server:

echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1" | sudo tee /etc/resolv.conf

If desired, once you have completed the edits you can write protect the new resolv.conf (optional).

To write protect /etc/resolv.conf issue the following command:

sudo chattr +i /etc/resolv.conf

To restore /etc/resolv.conf to its original state issue the following command:

sudo chattr -i /etc/resolv.conf; sudo cp /etc/resolv.conf.bak /etc/resolv.conf 

Reboot.

1 Like

This is the FQDN, my DHCP server provides domains per DHCP pool the device belongs to depending on the VLAN. These domains are only locally significant.

I don’t think adding more DNS servers will solve the problem. As mentioned when the error happens, the PC is not even sending queries to the DNS server.

Are you using a VPN?

Test with your VPN disabled if one is in use.

I am not using any VPN.

The DNS server that the PC and the other devices on the network reach is on the LAN (but in a different VLAN).

The PC, e.g. host devices, reach the DNS inter-VLAN.

E.g. the PC is in VLAN 10 and the DNS is in VLAN 99; the FW doesn’t block the traffic.

1 Like
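
Added example, not part of any post in this thread: a small Python probe that repeats the UDP exchange and sorts each attempt by where it failed. EPERM or EACCES is an error raised by the local kernel (connect(2) lists a local firewall rule as one cause), which fits the observation that no query reaches the server, while a timeout means the packet was handed to the network. The server address and name are the ones from the nslookup output; the function names and category labels are this example's own.

```python
import collections
import errno
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(exc):
    """Say where one UDP attempt failed, based on the exception it raised."""
    if exc is None:
        return "answered"
    if isinstance(exc, socket.timeout):
        return "sent-no-reply"            # packet left; look at the path or the server
    if isinstance(exc, OSError):
        if exc.errno in (errno.EPERM, errno.EACCES):
            # Local refusal: connect(2) names a local firewall rule as one cause.
            return "refused-by-local-kernel"
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "no-route"
        if exc.errno == errno.ECONNREFUSED:
            return "port-unreachable"     # an ICMP error came back from the far side
    return "other"

def probe(server, name, port=53, timeout=2.0):
    """One connect/send/recv cycle over UDP, classified by outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((server, port))
        sock.send(build_query(name))
        sock.recv(4096)
        return classify(None)
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()

def survey(server, name, attempts=20):
    """Repeat the probe; an intermittent fault shows up as mixed counts."""
    return collections.Counter(probe(server, name) for _ in range(attempts))

if __name__ == "__main__":
    # Server and name are the ones shown in the thread's nslookup output.
    print(dict(survey("10.0.99.16", "dpmb.cz")))
```

A count dominated by `refused-by-local-kernel` points at the host itself (packet filter rules, connection tracking, per-process policy) rather than at the switch, firewall or DNS server.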

Since I am currently experiencing similar issues, I would like to know if you were able to resolve the problem and what software you use as your DNS server.
Thank you in advance.

Yes I was.

The problem with this is a bit more serious than it looks, because even updates fail partially if not entirely. Per the log message I posted, it looks to me like there is some fackery with permissions, but where, I could not find.

I fixed it by deploying dnsmasq. I already run DNS servers based on dnsmasq, so on the PC I just set up dnsmasq as a caching stub resolver, as I am well versed in dnsmasq config.

It’s very simple, just do the following:

  1. Configure dnsmasq.
     no-resolv here just stops dnsmasq from reading resolv.conf, as we tell it the upstream servers manually.

     sudo nano /etc/dnsmasq.conf

     no-resolv
     listen-address=127.0.0.1
     cache-size=10000
     server=<IPofYourDNSserver>

  2. Configure /etc/resolv.conf.
     Remove all lines and entries and put in:

     sudo nano /etc/resolv.conf

     nameserver 127.0.0.1

  3. Prevent /etc/resolv.conf from being overwritten:

     sudo chattr +i /etc/resolv.conf

  4. Enable and start dnsmasq:

     sudo systemctl enable dnsmasq
     sudo systemctl start dnsmasq

TO TEST

󰛓 ❯ nslookup garudalinux.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   garudalinux.org
Address: 157.180.57.100

󰛓 ❯ dig garudalinux.org

; <<>> DiG 9.20.12 <<>> garudalinux.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40641
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;garudalinux.org.               IN      A

;; ANSWER SECTION:
garudalinux.org.        280     IN      A       157.180.57.100

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Aug 26 18:07:44 CEST 2025
;; MSG SIZE  rcvd: 60


1 Like

I will flag the above deployment as a solution after a while; I want to see if it fixed the problems. In theory recurring domains should work due to caching, but I am worried about new ones.

Alright so bad news,

Caching helped, however the issue still persists. Basically, domains which are not cached still tend to fail until they are resolved and cached.

When using dig I see an EDE 3 message:

󰛓 ❯ dig github.com

; <<>> DiG 9.20.12 <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24449
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 3 (Stale Answer)
;; QUESTION SECTION:
;github.com.                    IN      A

;; ANSWER SECTION:
github.com.             0       IN      A       140.82.121.4

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Aug 26 19:01:11 CEST 2025
;; MSG SIZE  rcvd: 61

4.4. Extended DNS Error Code 3 - Stale Answer
The resolver was unable to resolve the answer within its time limits and decided to answer with previously cached data instead of answering with an error.

There is something seriously wrong here. Something is preventing the system from properly sending UDP packets.

I have no SELinux or firewall enabled on the PC.

If somebody has any idea what could be the cause or what to check, I am all ears.

1 Like
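
Added example, not from any poster in this thread: the `EDE: 3 (Stale Answer)` line that dig prints comes from an EDNS option (code 15, RFC 8914) inside the OPT pseudo-record, and this Python parser pulls it out of raw response bytes so stale answers can be counted or logged. The sample message is constructed to match the 61-byte reply shown above; the function names are this example's own, and only a few info-codes are named in the lookup table.

```python
import struct

EDE_OPTION = 15   # EDNS option code for Extended DNS Errors (RFC 8914)
EDE_NAMES = {3: "Stale Answer", 19: "Stale NXDOMAIN Answer",
             22: "No Reachable Authority", 23: "Network Error"}

def skip_name(msg, off):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length

def extended_errors(msg):
    """Return [(info_code, name, extra_text)] for every EDE option in a response."""
    _qid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        end = off + rdlen
        while rtype == 41 and off + 4 <= end:    # OPT pseudo-record carries the options
            code, olen = struct.unpack_from("!HH", msg, off)
            if code == EDE_OPTION and olen >= 2:
                info = struct.unpack_from("!H", msg, off + 4)[0]
                text = msg[off + 6:off + 4 + olen].decode("utf-8", "replace")
                found.append((info, EDE_NAMES.get(info, "unlisted"), text))
            off += 4 + olen
        off = end
    return found

# Constructed sample: a 61-byte reply shaped like the dig output above
# (id 24449, flags qr rd ra, one A record with TTL 0, OPT with EDE 3).
SAMPLE = (
    struct.pack("!HHHHHH", 24449, 0x8180, 1, 1, 0, 1)
    + b"\x06github\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + bytes([140, 82, 121, 4])
    + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 6)
    + struct.pack("!HHH", EDE_OPTION, 2, 3)
)

if __name__ == "__main__":
    print(extended_errors(SAMPLE))
```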

Just throwing it out there as it sometimes helps, disable IPv6. In rare instances doing the reverse is a solution.

1 Like

IPv6 has already been disabled on the system for a long, long time; the reason is that Helldivers2 has problems if an OS has both IPv6 and IPv4 enabled :smiley:

It’s disabled via NetworkManager, not via a kernel parameter.

2 Likes

Totally unrelated, but just out of curiosity, does your Atheros WiFi 7 network adapter function properly with Garuda?

Also, have you tested the r8126-dkms driver package?

Have you tested a Garuda live disk to see if the problem is there as well?

Both of my NICs, wireless as well as wired, work. Funny you ask about the WiFi: sometimes KDE NetworkManager could not find it and I had to do a CMOS reset, but after KDE 6.4 and the kernel upgrade that was around that release date, WiFi is working perfectly fine.

I am also connected over cable.

Nope, but I am starting to think about trying it out. Thanks for the suggestion. But prior to that I will change the kernel to LTS.

Alright, so the LTS kernel didn’t help.

Check your pacman logs for updates to any package that could possibly affect connectivity around the date your problems began.

1 Like

Thank you for sharing your approach in such detail.

I use a RasPi with Pihole as a DNS server. That is also based on dnsmasq. Tomorrow I will test your approach and see if anything changes.

1 Like

Alright so,

After some more checking, it looks like this issue is not only impacting DNS, e.g. UDP traffic. Sometimes I have problems even loading HTTP pages using IPs directly.

I did install the driver, the latest one. This didn’t help.

I went through the pacman logs, but didn’t find anything suspicious around the date when I first saw the problem.

5000 packets transmitted, 5000 received, 0% packet loss, time 10190ms
rtt min/avg/max/mdev = 0.057/0.213/43.219/1.022 ms, pipe 5, ipg/ewma 2.038/0.181 ms

I also went through the interface statistics on the PC, switch and FW (GW). There are no signs of errors of any kind at any point of the network or on the PC itself.

I also tried switching to WiFi; exactly the same problem is seen over WiFi too. And the issue is present only on this one PC.

You never mentioned if you tested your connectivity via a live disk?

Please provide this information, as it’s quite an important troubleshooting step.

2 Likes