DNS servers "ignored" with NetworkManager, systemd-resolved and VPN tunnel


With Ubuntu 20.04, I connect to the internet via WLan using NetworkManager. Then I establish a VPN with OpenConnect. I am using the "stub resolv.conf": /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf and I have hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns in /etc/nsswitch.conf.

All works fine except that the DNS 10.233.63.202 of the VPN is not being used:

Link 37 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 10.233.63.202
         DNS Servers: 10.233.63.202
                      10.233.63.203

Looking at journalctl -u systemd-resolved -f, only the "Current DNS Server" 192.168.3.1 of the WLan link is used:

Link 3 (wlo1)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.3.1
         DNS Servers: 192.168.3.1
                      10.233.63.202
                      10.231.76.11
          DNS Domain: ~.

From what I understand so far, systemd-resolved may not use a DNS of tun0 because NetworkManager adds the ~. "DNS Domain" to wlo1. Even if I add it to tun0 with sudo resolvectl domain tun0 ~. and remove it from wlo1 with sudo resolvectl domain wlo1 some.search.tld, no DNS of tun0 is used.

I've even added one of the DNS of tun0 to wlo1 and would expect that it would be used since 192.168.3.1 doesn't have the answer, but it is not the case.

Only when I change the order of the DNS of wlo1 so that e.g. 10.233.63.202 is the "Current DNS Server" are hostnames in the VPN resolved. It appears as if only the "Current DNS Server" of wlo1 is ever consulted.

If the DNS of the VPN link are not used because OpenConnect, NetworkManager and systemd-resolved don't play well together for some reason I can live with that.

But why aren't the other DNS of wlo1 being used? In fact, this worked fine for years up until now.

Also, I am not sure how much I have to be concerned about DNS leakage, which probably happens if I add the VPN DNS as "Current DNS Server" of the WLan link.
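To make the leakage question above checkable, here is an added example (not code from the question, NetworkManager or systemd) that parses `resolvectl status`-style text and works out which links will answer a query for a name matching no per-link search domain: a link carrying the routing domain `~.` matches every name and wins, otherwise every link with "DefaultRoute setting: yes" is asked. It assumes the link names tun0 and wlo1 and the output layout quoted above; the sample status text is constructed.

```shell
#!/bin/sh
# Added example: decide which links receive unscoped DNS queries. If that set
# holds a link other than the VPN tunnel, VPN hostnames also go to the LAN
# resolver, which is the leak the question asks about.

# Constructed sample modelled on the status output quoted in the question.
SAMPLE_STATUS='Link 37 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 10.233.63.202
         DNS Servers: 10.233.63.202
                      10.233.63.203

Link 3 (wlo1)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.3.1
         DNS Servers: 192.168.3.1
                      10.233.63.202
          DNS Domain: ~.'

# Prints one "<link> <defaultroute> <has_~.>" line per link in the status text.
link_table() {
    printf '%s\n' "$1" | awk '
        function flush() { if (link != "") printf "%s %s %s\n", link, dr, tilde }
        /^Link [0-9]+ \(/ { flush(); link = $3; gsub(/[()]/, "", link)
                            dr = "no"; tilde = "no"; next }
        /DefaultRoute setting:/ { dr = $NF; next }
        /DNS Domain:/          { indom = 1; if ($NF == "~.") tilde = "yes"; next }
        indom && NF == 1       { if ($1 == "~.") tilde = "yes"; next }  # continuation line
        { indom = 0 }
        END { flush() }'
}

# Prints the links that answer an unscoped query: "~." holders if any exist,
# otherwise all links with DefaultRoute=yes.
effective_links() {
    table=$(link_table "$1")
    holders=$(printf '%s\n' "$table" | awk '$3 == "yes" { print $1 }')
    [ -n "$holders" ] || holders=$(printf '%s\n' "$table" | awk '$2 == "yes" { print $1 }')
    printf '%s\n' "$holders"
}

# "ok" when only the VPN link ($2) answers unscoped queries, "leak" otherwise.
leak_verdict() {
    [ "$(effective_links "$1")" = "$2" ] && echo ok || echo leak
}

leak_verdict "$SAMPLE_STATUS" tun0   # prints "leak": wlo1 holds ~., so it wins
```

On a live system, feed it `resolvectl status` output instead of the sample; after moving `~.` to tun0 and taking the default route away from wlo1 the verdict should turn to "ok".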

chili555 (comment):
Possibly helpful: https://help.ubuntu.com/community/Dnsmasq