Ubuntu 17.04 systemd-resolved DNS lookups randomly fail

Ubuntu 17.04 cannot resolve DNS servers with DNSSEC support as of 2017-04-18. Disable DNSSEC with this daemon:

sudo mkdir -p /etc/systemd/resolved.conf.d
printf "[Resolve]\nDNSSEC=no\n" | sudo tee /etc/systemd/resolved.conf.d/no-dnssec.conf

Optionally reconfigure resolvconf if you messed with it (say yes to "prepare /etc/resolv.conf for dynamic updates?"):

sudo dpkg-reconfigure resolvconf

Restart systemd-resolved:

sudo systemctl restart systemd-resolved

Your DNS should start working. You can check by trying systemd-resolve www.google.com and seeing a response.
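To audit which hosts carry the workaround above, and which file is responsible, here is an added example (not part of the original answer) that reports the DNSSEC= value that wins once drop-ins are applied. The function name `effective_dnssec` and its ROOT argument are hypothetical, and it assumes only /etc/systemd/resolved.conf and /etc/systemd/resolved.conf.d/*.conf are in play.

```shell
#!/bin/sh
# Added example (not from the answers on this page). Scope is an assumption: only
# /etc/systemd/resolved.conf and /etc/systemd/resolved.conf.d/*.conf are read.

# effective_dnssec ROOT
# Prints "VALUE<TAB>FILE" for the assignment that wins, or "unset" if none.
# ROOT is a path prefix: "" for the live system, or a directory holding a copy.
effective_dnssec() {
    root=$1
    set --
    if [ -f "$root/etc/systemd/resolved.conf" ]; then
        set -- "$root/etc/systemd/resolved.conf"
    fi
    # Drop-ins are applied after the main file, in sorted filename order.
    for f in "$root"/etc/systemd/resolved.conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then echo unset; return 0; fi
    awk '
        FNR == 1 { in_resolve = 0 }   # section state does not carry across files
        /^[ \t]*[#;]/ { next }        # comment lines
        /^[ \t]*\[/ { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*DNSSEC[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            file = FILENAME; found = 1   # a later assignment replaces an earlier one
        }
        END { if (found) printf "%s\t%s\n", val, file; else print "unset" }
    ' "$@"
}

# Constructed sample tree: the main file enables DNSSEC and the drop-in from
# the answer above turns it off again.
demo=$(mktemp -d)
mkdir -p "$demo/etc/systemd/resolved.conf.d"
printf '[Resolve]\n#DNSSEC=no\nDNSSEC=yes\n' > "$demo/etc/systemd/resolved.conf"
printf '[Resolve]\nDNSSEC=no\n' > "$demo/etc/systemd/resolved.conf.d/no-dnssec.conf"
effective_dnssec "$demo"
rm -rf "$demo"
```

Calling `effective_dnssec ""` checks the live configuration of the host it runs on.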


I've been switching back and forth between systemd-resolved and manual /etc/resolv.conf management and have not found the systemd DNS resolver mechanism to be stable yet.

There is apparently at least one libnss bug in Ubuntu 16.10 and apparently still in 17.04. There are many people with DNS issues since Ubuntu 16.10 turned on systemd-resolved; here is one analysis and here is another person's workaround. None of them worked for me until I manually overwrote /etc/resolv.conf with Google's DNS servers.

# or another resolver if you don't trust Google
nameserver 8.8.8.8
nameserver 8.8.4.4

This is a perfectly valid solution, if you don't need dynamic DNS configuration. Just make sure you stop and disable systemd-resolved:

sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop

Ubuntu 17.04 and other distros are embracing systemd, which includes systemd-resolved, which subjects users to a rather heavy-handed DNS resolution.

  • As mentioned in SjB's answer, DNSSEC support can cause issues.
  • systemd-resolved pings all DNS resolvers so it can use the fastest. This can cause problems with VPNs, etc., in more complex environments.
  • DNS server certificates are verified; I've had errors if my clock is skewed.

I don't think it's necessarily a BAD change, it's just a LOT of change. I'll try to update and expand this answer as I learn more.