Re: VPN + dnsmasq = split dns?



On Fri, 2014-10-10 at 21:17 +0200, Olav Morken wrote:
Hi,

I am trying to set up Network Manager to connect to an OpenVPN server, 
and have trouble understanding how it applies the DNS settings it 
receives from the server.

Sorry for the late reply...

Which version of NM do you have, and what distro?

Basically, as far as I can tell, it automatically assumes that I want 
to use split dns, and limits the DNS servers it receives from the 
OpenVPN servers to the domains it assumes "belongs to" this 
configuration. However, it also ignores the existing DNS servers it 
has configured.

By default, NM will not do split DNS, which means when the VPN is
connected, the VPN nameservers replace the existing nameservers.  This
is required to ensure that if for some reason the VPN nameservers cannot
be contacted, that your queries don't fall back to the non-VPN
nameservers and return bogus (and potentially malicious) results.

But, if you add "dns=dnsmasq" to
the /etc/NetworkManager/NetworkManager.conf file and install 'dnsmasq',
then NM will run in split DNS mode.  Here, NM will spawn a private copy
of dnsmasq and send it configuration to direct any queries ending in the
domain passed back from the openvpn server (or entered into the NM
configuration for that VPN connection) to the VPN nameservers, and
everything else to the non-VPN nameservers.

That leaves us with a dnsmasq configured with two nameservers it will 
query for two specific subdomains, and no nameservers it will use for 
other domains. The result is that dnsmasq is only willing to respond 
to DNS queries for those subdomains, and respond with "REFUSED" for 
every other domain.

I assume that this is not the way it is supposed to work, since that 
would mean that everyone connecting to a VPN would be unable to access 
most of the Internet. I therefore assume that there is something wrong 
with my configuration.

That sounds like a bug; do you know if you have any custom dnsmasq
configuration on that system?  Also check two things:

1) /etc/resolv.conf should have "127.0.0.1" as the only nameserver
2) Look in /var/run/NetworkManager (or /run/NetworkManager) for the
'dnsmasq.conf' file which is what NM sends to dnsmasq

(the only caveat here is that if you run Ubuntu, this procedure may not
apply as the info is sent to dnsmasq over D-Bus)

Let us know what the results are!

Dan

I am however unable to tell what makes it choose this behavior. I 
tried to look at the code, and found the location where it adds the 
domains[1], but I was unable to find a way to override this behavior.

Does anyone have any suggestions for what may trigger this behavior, 
and what I can do to avoid it?

(Configuration details and logs from network manager included below.)

Best regards,
Olav Morken


[1] 
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c?id=60cce4004284242f0891160e21979a3027da6e0e#n234


Configuration:

 Both the client and server have IPv6 enabled.

 The VPN configuration on the client side doesn't contain anything too 
 exciting. It uses a TCP connection to port 443, a TUN device, and 
 username+password authentication. Both the IPv4 and the IPv6 settings 
 are set to "Automatic(VPN)".

 The OpenVPN server is configured with a TUN device and topology 
 subnet. It pushes the following (slightly anonymized) options to the 
 client:

  push "dhcp-option DNS 198.51.100.57"
  push "dhcp-option DNS 198.51.100.168"
  push "dhcp-option DOMAIN example.org"
  push "redirect-gateway def1 bypass-dhcp"
  push "route-ipv6 2000::/3"


Software versions:
 XUbuntu 14.04
 network-manager 0.9.8.8-0ubuntu7
 network-manager-openvpn 0.9.8.2-1ubuntu4
 openvpn 2.3.2-7ubuntu3

Log from connection:
 NetworkManager[924]: <info> IPv4 configuration:
 NetworkManager[924]: <info>   Internal Gateway: 192.0.2.1
 NetworkManager[924]: <info>   Internal Address: 192.0.2.2
 NetworkManager[924]: <info>   Internal Prefix: 25
 NetworkManager[924]: <info>   Internal Point-to-Point Address: 0.0.0.0
 NetworkManager[924]: <info>   Maximum Segment Size (MSS): 0
 NetworkManager[924]: <info>   Forbid Default Route: no
 NetworkManager[924]: <info>   Internal DNS: 198.51.100.57
 NetworkManager[924]: <info>   Internal DNS: 198.51.100.168
 NetworkManager[924]: <info>   DNS Domain: 'example.org'
 NetworkManager[924]: <info> IPv6 configuration:
 NetworkManager[924]: <info>   Internal Address: 2001:db81:4561::1000
 NetworkManager[924]: <info>   Internal Prefix: 64
 NetworkManager[924]: <info>   Internal Point-to-Point Address: 2001:db81:4561::1
 NetworkManager[924]: <info>   Maximum Segment Size (MSS): 0
 NetworkManager[924]: <info>   Static Route: 2000::/3   Next Hop: 2000::
 NetworkManager[924]: <info>   Forbid Default Route: no
 NetworkManager[924]: <info>   DNS Domain: 'example.org'
 NetworkManager[924]: <info> VPN connection 'example-openvpn-config' (IP Config Get) complete.
 NetworkManager[924]: <info> Policy set 'example-openvpn-config' (tun0) as default for IPv4 routing and DNS.
 NetworkManager[924]: <info> Policy set 'example-openvpn-config' (tun0) as default for IPv6 routing and DNS.
 NetworkManager[924]: <info> Writing DNS information to /sbin/resolvconf
 dnsmasq[1464]: setting upstream servers from DBus
 dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
 dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
 dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
 dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org
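A small checker for the two things Dan asks for, added here as an example and not code from the thread or from NetworkManager: it parses the `dnsmasq.conf` that NM hands to dnsmasq (the `server=` syntax is dnsmasq's own; the sample contents below are constructed to mirror the "using nameserver ... for domain ..." log lines above) and flags the REFUSED symptom, which shows up when every upstream is domain-scoped and no catch-all upstream is present. It also verifies that resolv.conf names only 127.0.0.1.

```python
# Constructed samples (not files from the thread): the first mirrors the
# domain-scoped upstreams in the dnsmasq log, the second is what
# /etc/resolv.conf should look like in dns=dnsmasq mode.
SAMPLE_DNSMASQ_CONF = """\
server=/example.org/198.51.100.57
server=/example.org/198.51.100.168
server=/0.192.in-addr.arpa/198.51.100.57
server=/0.192.in-addr.arpa/198.51.100.168
"""
SAMPLE_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 127.0.0.1\n"


def parse_dnsmasq_servers(text):
    """Return (domain, address) pairs from dnsmasq 'server=' lines.

    'server=/a/b/1.2.3.4' yields one pair per domain; a bare
    'server=1.2.3.4' is a catch-all upstream and yields (None, address).
    A '#port' suffix on the address is dropped.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue                      # comments, blank lines, other options
        value = line[len("server="):]
        if value.startswith("/"):
            parts = value.split("/")      # ['', 'a', 'b', '1.2.3.4']
            addr, domains = parts[-1].split("#")[0], parts[1:-1]
            pairs.extend((d, addr) for d in domains if d)
        elif value:
            pairs.append((None, value.split("#")[0]))
    return pairs


def split_dns_status(conf_text):
    """Summarise which queries the NM-spawned dnsmasq can actually forward."""
    pairs = parse_dnsmasq_servers(conf_text)
    scoped = sorted({d for d, _ in pairs if d is not None})
    catch_all = sorted({a for d, a in pairs if d is None})
    return {
        "scoped_domains": scoped,
        "catch_all_servers": catch_all,
        # Scoped upstreams with no catch-all: anything outside those domains
        # has nowhere to go and gets REFUSED, the symptom reported above.
        "refuses_other_domains": bool(scoped) and not catch_all,
    }


def resolv_conf_points_to_dnsmasq(text):
    """Check 1 from the reply: 127.0.0.1 must be the only nameserver."""
    servers = [ln.split()[1] for ln in text.splitlines()
               if ln.strip().startswith("nameserver") and len(ln.split()) > 1]
    return servers == ["127.0.0.1"]
```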
_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list