New alert keeps showing up: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001

This warning is logged by systemd-resolved whenever a name cannot be resolved by the DNS system (e.g. nslookup www.kjfoiqaefah34876asdf.com). This can be tolerated and is no reason to be alarmed. It is not an error, and nothing needs to be fixed.

Redirecting /etc/resolv.conf to /run/systemd/resolve/resolv.conf is wrong, because this way systemd-resolved is skipped and the application with the faulty DNS request talks directly to the name server instead of to the systemd-resolved stub. systemd-resolved then no longer sees the NXDOMAIN events and therefore can no longer log them.

The NXDOMAIN events are caused by packages that try to reach non-existent servers during system startup.
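Added here as a worked check, not code from any of the answers on this page: a POSIX shell script that classifies a resolv.conf by where its symlink points and reports whether the systemd-resolved stub (127.0.0.53) is actually in the resolution path or has been bypassed. The stub and upstream file paths are the standard systemd-resolved ones; the function names and the "--check" flag are my own.

```shell
#!/bin/sh
# Added example (not from the answers above): check whether
# /etc/resolv.conf still routes lookups through the systemd-resolved
# stub, or whether it has been pointed at the upstream servers (which
# is what makes the NXDOMAIN messages "disappear").

# Classify the resolv.conf at $1 (default /etc/resolv.conf) by symlink
# target. Prints one word:
#   stub            -> .../systemd/resolve/stub-resolv.conf (default; resolved in use)
#   upstream-bypass -> .../systemd/resolve/resolv.conf (resolved is skipped)
#   resolvconf      -> .../resolvconf/resolv.conf (old resolvconf package)
#   static          -> a regular file, not a symlink
#   missing         -> no such path
#   other           -> a symlink to something else
classify_resolv_conf() {
    path=${1:-/etc/resolv.conf}
    if [ -L "$path" ]; then
        case "$(readlink "$path")" in
            */systemd/resolve/stub-resolv.conf) echo stub ;;
            */systemd/resolve/resolv.conf)      echo upstream-bypass ;;
            */resolvconf/resolv.conf)           echo resolvconf ;;
            *)                                  echo other ;;
        esac
    elif [ -e "$path" ]; then
        echo static
    else
        echo missing
    fi
}

# Independent of the symlink: does the file that is actually read list
# the stub address as a nameserver? Exit status 0 if yes.
uses_stub_nameserver() {
    path=${1:-/etc/resolv.conf}
    [ -r "$path" ] || return 1
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$path"
}

# Combined verdict: "ok" when the stub is in the path, otherwise a reason.
resolv_conf_verdict() {
    path=${1:-/etc/resolv.conf}
    case "$(classify_resolv_conf "$path")" in
        stub) echo ok ;;
        upstream-bypass)
            echo "bypassed: $path -> upstream servers, systemd-resolved is skipped" ;;
        resolvconf)
            echo "conflict: $path is managed by resolvconf, not systemd-resolved" ;;
        static|other)
            if uses_stub_nameserver "$path"; then
                echo ok
            else
                echo "bypassed: $path does not list 127.0.0.53"
            fi ;;
        missing) echo "missing: $path" ;;
    esac
}

# Run against the live system:  sh resolv_check.sh --check
if [ "${1:-}" = "--check" ]; then
    printf '%s: %s (%s)\n' /etc/resolv.conf \
        "$(classify_resolv_conf /etc/resolv.conf)" \
        "$(resolv_conf_verdict /etc/resolv.conf)"
fi
```

If the verdict is anything other than "ok", the NXDOMAIN message has not gone away because the startup queries stopped; it has gone away because systemd-resolved no longer sees them. `resolvectl status` shows which servers resolved itself is using and is the authoritative cross-check.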


IMPORTANT: The solution posted here hides the problematic message by bypassing an important part of your system (the DNS resolver daemon). It may cause DNS malfunction in the future (example). For a proper way to handle the error message please refer to this answer.


Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

The same error happened on my desktop machine; I don't know if it applies to servers too.

It seems that my system had the old config in place, resulting in a conflict between two services: resolvconf and systemd-resolved.

The symlink /etc/resolv.conf pointed to ../run/resolvconf/resolv.conf

Changing it to point to /run/systemd/resolve/resolv.conf, which is managed by systemd, fixed it for me.

Read more here on Ubuntu Forums

Hope that helped.


I asked on the OSSEC GitHub about this error and they recommended writing a rule to ignore NXDOMAIN errors. Add it to /var/ossec/rules/local_rules.xml:

<group name="local,syslog,">
  <!-- Drop the systemd-resolved NXDOMAIN mitigation message: level 0 means
       the event is matched and discarded without an alert. OSSEC reserves
       ids 100000-119999 for user rules; pick one in that range if 234567
       collides with anything on your install. -->
  <rule id="234567" level="0">
    <program_name>systemd-resolved</program_name>
    <match>Server returned error NXDOMAIN</match>
    <description>Useless systemd-resolved log message</description>
  </rule>
</group>