Re: VPN + dnsmasq = split dns?

From: Pavel Simerda <psimerda redhat com>
To: Mathieu Trudel-Lapierre <mathieu tl gmail com>
Cc: Olav Morken <olavmrk gmail com>, ML NetworkManager <networkmanager-list gnome org>
Subject: Re: VPN + dnsmasq = split dns?
Date: Tue, 2 Dec 2014 17:43:09 -0500 (EST)

----- Original Message -----

From: "Mathieu Trudel-Lapierre" <mathieu tl gmail com>
To: "Olav Morken" <olavmrk gmail com>
Cc: "Pavel Simerda" <psimerda redhat com>, "ML NetworkManager" <networkmanager-list gnome org>, "Tomas 
Hozza"
<thozza redhat com>
Sent: Tuesday, December 2, 2014 9:30:09 PM
Subject: Re: VPN + dnsmasq = split dns?

On Tue, Dec 2, 2014 at 1:24 PM, Olav Morken <olavmrk gmail com> wrote:
[...]

I don't think it makes sense. Running a local DNS cache is good for
other reasons as well and I don't see a reason to drop dnsmasq just
because you are connected to a VPN. Or did I misunderstand? What
exactly is the problem with upstream NM and could we have a bug
report for it?


Ubuntu doesn't drop dnsmasq when running on a VPN. By default, Network
Manager assumes that if you are running dnsmasq you want split DNS
with your VPN. That includes if you have a default route over your
VPN. Since that breaks DNS when you connect to your VPN, Ubuntu has a
fix for it, which involves disabling split DNS in that case. My
problem was that the fix wasn't complete.


Actually, I wrote at least some of the patches. The intent was that it
should work just as well if the default gateway goes through the VPN
(ie. no split-tunnel).

If it doesn't work, that's a bug you can file on Launchpad against the
network-manager package (but I'm going to take a good look now since I
want to upstream these patches).

I certainly think that the "split DNS with default route"-problem
would be something that should probably be fixed in Network Manager as
well, unless dnsmasq is only supposed to be used with split DNS. If I
understand correctly dnsmasq is the only DNS backend that implements
split DNS with Network Manager at the moment, but if any others
implemented it, they would probably need the same fix.


Indeed.


For now. With new versions of NetworkManager, unbound and dnssec-trigger,
there will also be the unbound DNS backend with extended DNSSEC capabilities.

Cheers,

Pavel



Mathieu Trudel-Lapierre <mathieu tl gmail com>
Freenode: cyphermox, Jabber: mathieu tl gmail com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E  FF82 C126 33E1 EE01 8C93

References:
- Re: VPN + dnsmasq = split dns?
  - From: Olav Morken
- Re: VPN + dnsmasq = split dns?
  - From: Mathieu Trudel-Lapierre

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]