VPN + dnsmasq = split dns?



Hi,

I am trying to set up Network Manager to connect to an OpenVPN server, 
and have trouble understanding how it applies the DNS settings it 
receives from the server.

Basically, as far as I can tell, it automatically assumes that I want 
to use split dns, and limits the DNS servers it receives from the 
OpenVPN servers to the domains it assumes "belongs to" this 
configuration. However, it also ignores the existing DNS servers it 
has configured.

That leaves us with a dnsmasq configured with two nameservers it will 
query for two specific subdomains, and no nameservers it will use for 
other domains. The result is that dnsmasq is only willing to respond 
to DNS queries for those subdomains, and respond with "REFUSED" for 
every other domain.

I assume that this is not the way it is supposed to work, since that 
would mean that everyone connecting to a VPN would be unable to access 
most of the Internet. I therefore assume that there is something wrong 
with my configuration.

I am however unable to tell what makes it choose this behavior. I 
tried to look at the code, and found the location where it adds the 
domains[1], but I was unable to find a way to override this behavior.

Does anyone have any suggestions for what may trigger this behavior, 
and what I can do to avoid it?

(Configuration details and logs from network manager included below.)

Best regards,
Olav Morken


[1] 
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c?id=60cce4004284242f0891160e21979a3027da6e0e#n234


Configuration:

 Both the client and server have IPv6 enabled.

 The VPN configuration on the client side doesn't contain anything too 
 exciting. It uses a TCP connection to port 443, a TUN device, and 
 username+password authentication. Both the IPv4 and the IPv6 settings 
 are set to "Automatic (VPN)".

 The OpenVPN server is configured with a TUN device and topology 
 subnet. It pushes the following (slightly anonymized) options to the 
 client:

  push "dhcp-option DNS 198.51.100.57"
  push "dhcp-option DNS 198.51.100.168"
  push "dhcp-option DOMAIN example.org"
  push "redirect-gateway def1 bypass-dhcp"
  push "route-ipv6 2000::/3"


Software versions:
 XUbuntu 14.04
 network-manager 0.9.8.8-0ubuntu7
 network-manager-openvpn 0.9.8.2-1ubuntu4
 openvpn 2.3.2-7ubuntu3

Log from connection:
 NetworkManager[924]: <info> IPv4 configuration:
 NetworkManager[924]: <info>   Internal Gateway: 192.0.2.1
 NetworkManager[924]: <info>   Internal Address: 192.0.2.2
 NetworkManager[924]: <info>   Internal Prefix: 25
 NetworkManager[924]: <info>   Internal Point-to-Point Address: 0.0.0.0
 NetworkManager[924]: <info>   Maximum Segment Size (MSS): 0
 NetworkManager[924]: <info>   Forbid Default Route: no
 NetworkManager[924]: <info>   Internal DNS: 198.51.100.57
 NetworkManager[924]: <info>   Internal DNS: 198.51.100.168
 NetworkManager[924]: <info>   DNS Domain: 'example.org'
 NetworkManager[924]: <info> IPv6 configuration:
 NetworkManager[924]: <info>   Internal Address: 2001:db81:4561::1000
 NetworkManager[924]: <info>   Internal Prefix: 64
 NetworkManager[924]: <info>   Internal Point-to-Point Address: 2001:db81:4561::1
 NetworkManager[924]: <info>   Maximum Segment Size (MSS): 0
 NetworkManager[924]: <info>   Static Route: 2000::/3   Next Hop: 2000::
 NetworkManager[924]: <info>   Forbid Default Route: no
 NetworkManager[924]: <info>   DNS Domain: 'example.org'
 NetworkManager[924]: <info> VPN connection 'example-openvpn-config' (IP Config Get) complete.
 NetworkManager[924]: <info> Policy set 'example-openvpn-config' (tun0) as default for IPv4 routing and DNS.
 NetworkManager[924]: <info> Policy set 'example-openvpn-config' (tun0) as default for IPv6 routing and DNS.
 NetworkManager[924]: <info> Writing DNS information to /sbin/resolvconf
 dnsmasq[1464]: setting upstream servers from DBus
 dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
 dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
 dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
 dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org


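Added example, not part of the post above and not code from NetworkManager or dnsmasq: a small Python script that parses the dnsmasq "using nameserver" lines from the log and models how dnsmasq routes a query under that configuration. A line with "for domain X" binds a server to that domain (longest label-boundary suffix match wins); a line without "for domain" is an unrestricted default server; a name that matches no domain and has no default server has nowhere to go, which is the REFUSED case the post describes. The second sample (WITH_DEFAULT_LOG) adds one constructed line for an unrestricted server, assumed for illustration only, to show what a working configuration would log.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the dnsmasq lines from the log in the post above.
SPLIT_ONLY_LOG = """\
dnsmasq[1464]: setting upstream servers from DBus
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org
"""

# Constructed (assumption, not from the post): the same configuration plus the
# line dnsmasq prints for a server that carries no domain restriction, i.e.
# what a split-DNS setup that still has a default upstream would log.
WITH_DEFAULT_LOG = SPLIT_ONLY_LOG + "dnsmasq[1464]: using nameserver 198.51.100.57#53\n"

# Matches both "using nameserver A#53" and "using nameserver A#53 for domain D".
SERVER_RE = re.compile(r"using nameserver (?P<server>\S+)(?: for domain (?P<domain>\S+))?\s*$")


def parse_upstreams(log: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Return (default_servers, servers_by_domain) from dnsmasq log lines."""
    default: Set[str] = set()
    by_domain: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = SERVER_RE.search(line)
        if not m:
            continue  # e.g. "setting upstream servers from DBus"
        server, domain = m.group("server"), m.group("domain")
        if domain is None:
            default.add(server)
        else:
            by_domain.setdefault(domain.lower().rstrip("."), set()).add(server)
    return default, by_domain


def servers_for(name: str, default: Set[str], by_domain: Dict[str, Set[str]]) -> Set[str]:
    """Pick the servers dnsmasq would forward `name` to.

    Domain-bound servers win on the longest suffix that lines up with a label
    boundary (so "notexample.org" does NOT match "example.org"); with no match,
    the unrestricted default servers are used, which may be an empty set.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in by_domain:
            return by_domain[candidate]
    return default


def would_be_refused(name: str, default: Set[str], by_domain: Dict[str, Set[str]]) -> bool:
    """No upstream at all for this name means dnsmasq answers REFUSED."""
    return not servers_for(name, default, by_domain)


def refused_names(log: str, names: List[str]) -> List[str]:
    """Convenience wrapper: which of `names` would get REFUSED under `log`'s config."""
    default, by_domain = parse_upstreams(log)
    return [n for n in names if would_be_refused(n, default, by_domain)]


if __name__ == "__main__":
    probes = ["www.example.org", "2.0.192.in-addr.arpa", "www.ubuntu.com", "notexample.org"]
    for label, log in (("split-only", SPLIT_ONLY_LOG), ("with-default", WITH_DEFAULT_LOG)):
        print(f"{label}: refused = {refused_names(log, probes)}")
```

Running it against the posted log shows that only names under example.org or 0.192.in-addr.arpa get an upstream; everything else, including the label-boundary near miss notexample.org, is refused. Adding a single unrestricted server (the constructed line in WITH_DEFAULT_LOG) is what turns the second case into a working resolver, which is the piece the post's configuration is missing.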