Correctly write resolv.conf when using OpenVPN plugin



I decided to use the OpenVPN plugin of NetworkManager instead of the openvpn CLI binary, and I began to experience name resolution problems.

The original bug was posted at https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/651007

People there suggested to write to this mailing list, so...

The problem is very slow name resolution when connecting to an OpenVPN peer and obtaining DNS servers from there via the directive

push "dhcp-option DNS x.x.x.x"

While investigating this issue I found that NM appends the obtained DNS servers to the existing resolv.conf. So libc uses not only the DNS servers from the OpenVPN peer, but the original DNS servers too.

It should be noted that the original DNS servers WILL LIKELY be unreachable after establishing the VPN connection.

In my case resolv.conf BEFORE openvpn connection is:

---------
nameserver 212.48.193.37
nameserver 192.168.100.1
---------

And after is:
---------
# Generated by NetworkManager
nameserver 88.85.66.222
nameserver 78.140.128.205
nameserver 213.158.7.2
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 212.48.193.37
nameserver 192.168.100.1
--------

In this case the last three servers are invalid, as they are not reachable after the VPN connection, so name resolution becomes totally slow after the openvpn connection because libc tries to get a DNS answer from all servers:

--------------

root pentarh-netbook:/var/log# tcpdump -i tun0 -n port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
22:33:46.803557 IP 10.20.10.6.55426 > 213.158.7.2.53: 32890+ A? mail.google.com. (33)
22:33:51.807076 IP 10.20.10.6.58861 > 212.48.193.37.53: 32890+ A? mail.google.com. (33)
22:33:55.521957 IP 10.20.10.6.60601 > 213.158.7.2.53: 49670+ A? www.google.com. (32)
22:34:00.527135 IP 10.20.10.6.57982 > 212.48.193.37.53: 49670+ A? www.google.com. (32)
22:34:09.760264 IP 10.20.10.6.39286 > 88.85.66.222.53: 27804+ A? pagead2.googleadservices.com. (46)
22:34:09.946468 IP 88.85.66.222.53 > 10.20.10.6.39286: 27804 5/4/4 CNAME pagead.l.google.com., A 209.85.149.167, A 209.85.149.164, A 209.85.149.165, A 209.85.149.166 (276)
22:34:11.505444 IP 10.20.10.6.45653 > 213.158.7.2.53: 41142+ A? chatenabled.mail.google.com. (45)
--------------

As you can see, libc tries to resolve mail.google.com from the old unreachable servers and gets the answer from the correct DNS 20 seconds (!!!) after the first query.

This should be fixed; it makes the OpenVPN plugin for NM unusable.

A workaround for this issue may be to provide static routes to the original DNS IP, but I can't do that in the NM openvpn plugin configuration; this option is inactive.

--
Regards, Pentarh Udi
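
Added example, not part of the original message: a Python script that pairs the queries and replies in the tcpdump capture above by DNS query ID, showing which servers never answered and how long the resolver waited before moving to the next one. The function names are illustrative, and the capture lines are copied from the post.

```python
import re
from datetime import datetime

# tcpdump lines copied from the capture in the post (tun0, port 53)
CAPTURE = """\
22:33:46.803557 IP 10.20.10.6.55426 > 213.158.7.2.53: 32890+ A? mail.google.com. (33)
22:33:51.807076 IP 10.20.10.6.58861 > 212.48.193.37.53: 32890+ A? mail.google.com. (33)
22:33:55.521957 IP 10.20.10.6.60601 > 213.158.7.2.53: 49670+ A? www.google.com. (32)
22:34:00.527135 IP 10.20.10.6.57982 > 212.48.193.37.53: 49670+ A? www.google.com. (32)
22:34:09.760264 IP 10.20.10.6.39286 > 88.85.66.222.53: 27804+ A? pagead2.googleadservices.com. (46)
22:34:09.946468 IP 88.85.66.222.53 > 10.20.10.6.39286: 27804 5/4/4 CNAME pagead.l.google.com., A 209.85.149.167, A 209.85.149.164, A 209.85.149.165, A 209.85.149.166 (276)
22:34:11.505444 IP 10.20.10.6.45653 > 213.158.7.2.53: 41142+ A? chatenabled.mail.google.com. (45)
"""
IP4 = r"(\d+\.\d+\.\d+\.\d+)"
QUERY = re.compile(rf"^(\S+) IP \S+ > {IP4}\.53: (\d+)\+? \w+\? (\S+)\. ")
REPLY = re.compile(rf"^(\S+) IP {IP4}\.53 > \S+ (\d+)[ *|$-]")
_ts = lambda text: datetime.strptime(text, "%H:%M:%S.%f")

def parse(capture):
    """Group packets by DNS query ID; the capture shows the ID reused on retries."""
    lookups = {}
    for line in capture.splitlines():
        if m := QUERY.match(line):
            when, server, qid, name = m.groups()
            entry = lookups.setdefault(
                qid, {"name": name, "attempts": [], "answer": None})
            entry["attempts"].append((_ts(when), server))
        elif m := REPLY.match(line):
            when, server, qid = m.groups()
            if qid in lookups and lookups[qid]["answer"] is None:
                lookups[qid]["answer"] = (_ts(when), server)
    return lookups

def silent_servers(lookups):
    """Servers that were sent at least one query but never replied in the capture."""
    asked = {srv for q in lookups.values() for _, srv in q["attempts"]}
    replied = {q["answer"][1] for q in lookups.values() if q["answer"]}
    return asked - replied

def retry_gaps(lookups):
    """Seconds between consecutive attempts of the same query ID."""
    return {qid: [round((b[0] - a[0]).total_seconds(), 1)
                  for a, b in zip(q["attempts"], q["attempts"][1:])]
            for qid, q in lookups.items()}

if __name__ == "__main__":
    found = parse(CAPTURE)
    print("no reply from:", sorted(silent_servers(found)))
    print("retry gaps (s):", retry_gaps(found))
```

The 5-second gaps it reports match the glibc resolver's default per-server timeout, which can be lowered with `options timeout:N` in resolv.conf.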

