Re: VPN + dnsmasq = split dns?

From: Olav Morken <olavmrk gmail com>
To: Pavel Simerda <psimerda redhat com>
Cc: networkmanager-list gnome org
Subject: Re: VPN + dnsmasq = split dns?
Date: Tue, 2 Dec 2014 19:24:38 +0100

On Thu, Nov 27, 2014 at 07:24:13 -0500, Pavel Simerda wrote:

Odd...  I'm not quite sure why it would be happening that way.  In any
case, NM should only be doing split DNS when 'dns=dnsmasq' is set *and*
the VPN sends a domain name to NetworkManager.  So I'd expect to see
your #1 case above also do "local" VPN DNS servers, with the DHCP
servers as fallback.


After investigating this, I think I have found the cause of the behavior:

Ubuntu carries a patch[1] which disables split DNS when it notices
that it is on a VPN connection with a default route. This makes sense,
since otherwise users of Ubuntu wouldn't be able to connect to VPNs as
long as they are running dnsmasq (which they are by default).


I don't think it makes sense. Running a local DNS cache is good for
other reasons as well and I don't see a reason to drop dnsmasq just
because you are connected to a VPN. Or did I misunderstand? What
exactly is the problem with upstream NM and could we have a bug
report for it?


Ubuntu doesn't drop dnsmasq when running on a VPN. By default, Network
Manager assumes that if you are running dnsmasq you want split DNS
with your VPN. That includes if you have a default route over your
VPN. Since that breaks DNS when you connect to your VPN, Ubuntu has a
fix for it, which involves disabling split DNS in that case. My
problem was that the fix wasn't complete.

I certainly think that the "split DNS with default route"-problem
would be something that should probably be fixed in Network Manager as
well, unless dnsmasq is only supposed to be used with split DNS. If I
understand correctly dnsmasq is the only DNS backend that implements
split DNS with Network Manager at the moment, but if any others
implemented it, they would probably need the same fix.

However, since I don't run a "pure" Network Manager, I do not have the
ability to test its behavior, so I don't think I can open a bug for
this.

Best regards,
Olav Morken

Follow-Ups:
- Re: VPN + dnsmasq = split dns?
  - From: Mathieu Trudel-Lapierre

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]