Re: VPN + dnsmasq = split dns?

----- Original Message -----
From: "Olav Morken" <olavmrk gmail com>
To: networkmanager-list gnome org
Sent: Friday, November 7, 2014 10:53:05 PM
Subject: Re: VPN + dnsmasq = split dns?


sorry for the late response here. I finally found some time to look at
this again now.

On Wed, Oct 22, 2014 at 13:54:32 -0500, Dan Williams wrote:

Let us know what the results are!

For what it is worth, after futher testing we have determined that it
is the IPv6 configuration that "breaks" the DNS config. We have seen
three different behaviors, depending on the VPN config:

1. VPN with only IPv4 address and default route:

   The DNS servers are added as global DNS servers.

2. VPN with both IPv4 and IPV6 addresses and default routes, but only
   IPv4 DNS servers pushed through VPN configuration:

   The DNS servers are added as local DNS servers, with no "global"
   DNS servers.

3. VPN with both IPv4 and IPV6 addresses and default routes, and both
   IPv4 and IPv6 DNS servers pushed through VPN configuration:

   The IPv4 DNS servers are added as "local" DNS servers, and one of
   the IPv6 DNS servers are added as a "global" DNS server.

It was scenario 2 that was the original problem. For now, it looks
like we have a workaround in scenario 3, since in that case we are
left with a IPv6 DNS server that can be used for global queries.

A wild guess from me is that the Ubuntu devlopers noticed the broken
VPN DNS behavior with dnsmasq (since dnsmasq is the default on
Ubuntu), and fixed it for the IPv4-only VPN case, but forgot to handle
the IPv4-and-IPv6 case.

I think I'll try to raise it as a Ubuntu-bug, and live with pushing an
IPv6 DNS server as a workaround.

Odd...  I'm not quite sure why it would be happening that way.  In any
case, NM should only be doing split DNS when 'dns=dnsmasq' is set *and*
the VPN sends a domain name to NetworkManager.  So I'd expect to see
your #1 case above also do "local" VPN DNS servers, with the DHCP
servers as fallback.

After investigating this, I think I have found the cause of the behavior:

Ubuntu carries a patch[1] which disables split DNS when it notices
that it is on a VPN connection with a default route. This makes sense,
since otherwise users of Ubuntu wouldn't be able to connect to VPNs as
long as they are running dnsmasq (which they are by default).

I don't think it makes sense. Running a local DNS cache is good for other reasons as well and I don't see a 
reason to drop dnsmasq just because you are connected to a VPN. Or did I misunderstand? What exactly is the 
problem with upstream NM and could we have a bug report for it?

I wonder how much related is our Unbound bug report in Fedora:

We also have a bug report for handling VPN DNS servers but that's about the special case of having default 
IPv4 on VPN and default IPv6 on local network.

From what I can tell, the reason for the behavior I am seeing is that
the patch only fixes the split DNS for the first VPN configuration
it finds with a default route.

Now, when you connect to a VPN with both IPv6 and IPv4, the first
configuration it finds may be the one with IPv6. In that case, it will
add the DNS servers from the IPv6 configuration (if any) without split
DNS. Any subsequent IPv4 configuration is still added using split DNS.

I have filed a bug[2] for it on Launchpad.

Good. But finally it would be good to fix this upstream.



(Regarding the missing DHCP DNS servers, that is caused by a
different part of the patch, which makes sure that it doesn't add the
local DNS servers when it is on a VPN with a default route. This makes
sense, since reaching those DNS servers is unlikely to be what you
would want. It would also be likely to fail, since the DNS packets
would still be sent over the VPN with the default route.)


Best regards,
Olav Morken
networkmanager-list mailing list
networkmanager-list gnome org

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]