Public bug reported:

# Launchpad Bug Report

**Package:** systemd (Ubuntu 24.04 Noble)

**Title:** systemd-resolved 100% CPU spin loop when DNS queries are rejected or time out (fix available in v255-stable)

---

## Description

systemd-resolved enters a 100% CPU spin loop when DNS queries fail with ECONNREFUSED (from firewall REJECT rules) or time out over TCP. This is triggered by common VPN tools (ExpressVPN, Tailscale) that either block non-VPN DNS traffic or register DNS servers that are intermittently unreachable.

The bug is in `src/resolve/resolved-dns-transaction.c` where `dns_server_packet_lost()` is called on connection reset errors, causing `dns_transaction_retry()` to compute a timer deadline already in the past. This creates an infinite tight loop:

```
epoll_wait → read(timerfd) → gettid → timerfd_settime(tv_sec=0, tv_nsec=1) → repeat
```

Confirmed via strace — approximately 50,000 iterations per second, consuming 100% of one CPU core indefinitely until the service is restarted.

## Impact

- 100% CPU on one core, causing thermal throttling and fan noise
- Degrades system responsiveness
- Persists until systemd-resolved is manually restarted
- Affects any Ubuntu 24.04 system using VPN software (ExpressVPN, Tailscale, OpenVPN, WireGuard) or any configuration where DNS queries receive ICMP port-unreachable or TCP timeouts

## Steps to Reproduce

1. Install Ubuntu 24.04 with default systemd-resolved configuration
2. Connect a VPN that blocks non-VPN DNS traffic (e.g., ExpressVPN with Network Lock, or Tailscale with MagicDNS)
3. Observe systemd-resolved consuming 100% CPU within seconds

Alternatively:

1. Configure a DNS server in systemd-resolved that is unreachable
2. Trigger DNS queries that fail over TCP with ECONNREFUSED
3. Observe the CPU spin

## Upstream Fix

This was reported upstream as [systemd/systemd#33719](https://github.com/systemd/systemd/issues/33719) and fixed in [PR #33903](https://github.com/systemd/systemd/pull/33903) ("resolved: don't treat conn reset as packet loss") by Ronan Pigott, merged 2024-08-02.

The fix was cherry-picked to **v255-stable** as commit [`030dbbc39e54666bd0f393ef47f0b0d9b2dfe8b4`](https://github.com/systemd/systemd-stable/commit/030dbbc39e54666bd0f393ef47f0b0d9b2dfe8b4), included in **v255.11** released 2024-08-16.

The fix distinguishes between ECONNRESET/ECONNREFUSED (connection errors) and actual packet loss. Connection errors now properly fail the transaction instead of triggering an immediate retry with a bogus timer deadline.

## Current State

- **Ubuntu 24.04 (Noble):** Ships systemd 255.4-1ubuntu8.12. The fix is NOT included. Verified by reviewing the full Ubuntu changelog from 255.4-1ubuntu8 through 255.4-1ubuntu8.12 — no mention of this fix.
- **Pop!_OS 24.04:** Ships 255.4-1ubuntu8.12pop0 (repackaged Ubuntu). Also missing the fix.
- **Upstream v255-stable:** Fix has been stable since v255.11 (August 2024) — 18+ months with no regressions reported.
- **Fedora 41+, Debian Trixie:** Ship systemd 256+ or 257+ which include the fix.

## Requested Action

Cherry-pick commit `030dbbc39e54` from the v255-stable branch into the Ubuntu Noble systemd package. This is a minimal, self-contained fix to `src/resolve/resolved-dns-transaction.c` that has been stable in the v255 branch for over 18 months.

## System Information

```
$ systemd --version
systemd 255 (255.4-1ubuntu8.12pop0~1769790828~24.04~d4491c0)
$ lsb_release -a
Distributor ID: Pop
Description: Pop!_OS 24.04 LTS
Release: 24.04
Codename: noble
$ uname -r
6.18.7-76061807-generic
```

## References

- Upstream bug: https://github.com/systemd/systemd/issues/33719
- Upstream fix PR: https://github.com/systemd/systemd/pull/33903
- v255-stable cherry-pick: https://github.com/systemd/systemd-stable/commit/030dbbc39e54666bd0f393ef47f0b0d9b2dfe8b4
- Related older bug (same class): https://github.com/systemd/systemd/issues/20062
- Tailscale reports of same issue: https://github.com/tailscale/tailscale/issues/10630, https://github.com/tailscale/tailscale/issues/13802

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/2145709
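
A triage helper for the strace signature described in the report, added here as an example; it is not part of the original report or of systemd. It scans strace output for back-to-back repetitions of the quoted syscall cycle in which the timer is re-armed with `tv_sec=0, tv_nsec=1`, and estimates the iteration rate when `strace -ttt` timestamps are present. The names `find_spin` and `sample_trace`, the file descriptor numbers and the sample lines are constructed for illustration.

```python
import re

# Syscall cycle quoted in the report.
CYCLE = ("epoll_wait", "read", "gettid", "timerfd_settime")
# Optional "[pid N]" (strace -f) and epoch timestamp (strace -ttt) before the call.
CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?:(\d+\.\d+)\s+)?(\w+)\(")
# Timer re-armed with a deadline that has already passed.
EXPIRED_RE = re.compile(r"it_value=\{tv_sec=0, tv_nsec=1\}")

def find_spin(lines, min_cycles=3):
    """Longest run of consecutive spin cycles; rate is cycles/second or None."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line.strip())
        if m:  # signal lines, exit lines and other non-syscall text are skipped
            ts = float(m.group(1)) if m.group(1) else None
            calls.append((ts, m.group(2), line))
    best = {"cycles": 0, "rate": None}
    run, start, i = 0, None, 0
    while i + len(CYCLE) <= len(calls):
        window = calls[i:i + len(CYCLE)]
        names = tuple(c[1] for c in window)
        if names == CYCLE and EXPIRED_RE.search(window[-1][2]):
            if run == 0:
                start = window[0][0]
            run += 1
            end = window[-1][0]
            if run > best["cycles"]:
                span = end - start if None not in (start, end) else 0
                best = {"cycles": run, "rate": run / span if span > 0 else None}
            i += len(CYCLE)
        else:
            run, i = 0, i + 1  # cycle broken: restart the count
    best["spinning"] = best["cycles"] >= min_cycles
    return best

def sample_trace(cycles, it_value):
    """Constructed strace -ttt style lines (not captured from a real system)."""
    body = [
        "epoll_wait(4, [{events=EPOLLIN, data={u32=1, u64=1}}], 12, -1) = 1",
        r'read(11, "\1\0\0\0\0\0\0\0", 8) = 8',
        "gettid() = 812",
        "timerfd_settime(11, TFD_TIMER_ABSTIME, {it_interval={tv_sec=0, "
        "tv_nsec=0}, it_value={%s}}, NULL) = 0" % it_value,
    ]
    return ["1700000000.%06d %s" % (5 * k, body[k % 4]) for k in range(4 * cycles)]

if __name__ == "__main__":
    print(find_spin(sample_trace(5, "tv_sec=0, tv_nsec=1")))
    print(find_spin(sample_trace(5, "tv_sec=5123, tv_nsec=250000000")))
```

A long run of cycles at a rate in the tens of thousands per second matches the behaviour the report describes; a timer armed with a future deadline does not count as a spin cycle.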
