NetworkManager OpenVPN DNS returns REFUSED



Hi all.  I'm having a problem with DNS servers over openvpn.  I use
NetworkManager to configure (via openvpn config file import) and
start/stop the VPN.  I'm using Ubuntu GNOME 16.10, with:

  network-manager               1.2.6-0ubuntu1
  network-manager-openvpn       1.2.6-2ubuntu1
  network-manager-openvpn-gnome 1.2.6-2ubuntu1
  openvpn                       2.3.11-1ubuntu2

I'm using the default Ubuntu configuration:

  $ cat /etc/NetworkManager/NetworkManager.conf 
  [main]
  plugins=ifupdown,keyfile,ofono
  dns=dnsmasq

  [ifupdown]
  managed=false

FWIW, this is a wired connection.  Ubuntu builds NetworkManager with rc-
update set to resolvconf and indeed I can see that this is what I have:

  $ cat /etc/resolv.conf 
  # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
  #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
  nameserver 127.0.1.1

I have a VPN configuration I've been using for years at my company,
that's worked just fine.  The config is pretty straightforward:

  client
  remote <vpnhost>
  comp-lzo yes
  dev tap
  proto udp
  nobind

and a few other things.  Now we're moving and our VPN is also changing,
so I have a new openvpn configuration which is also straightforward:

  client
  dev tun
  proto udp
  remote <newvpnhost>

and a few other things related to the key.  This also connects fine, BUT
my DNS doesn't work.  Whenever I try to look up a hostname inside my VPN
network, I get a REFUSED response:

  $ host git
  Host git.my.domain.com not found: 5(REFUSED)

  $ host git.my.domain.com
  Host git.my.domain.com not found: 5(REFUSED)

One thing that will fix it is if I send a SIGHUP to NetworkManager after
I connect the VPN:

  $ sudo killall -HUP NetworkManager

  $ host git
  git.my.domain.com is an alias for server.my.domain.com.
  server.my.domain.com has address 192.168.1.7

So, I don't think it's a problem with the remote DNS server since just
resetting my local NetworkManager fixes it.  However, I have to do this
every time I connect which of course is bogus.

Also this happens for all lookups of all hosts including A records, not
just CNAME records as I show in this example.

I've used "nmcli -f all device show <dev>" in both the working and non-
working setups and compared the two configurations and they look fine to
me: I can see the DNS server IP address (they are different VPN servers,
different DHCP servers, different DNS servers, etc. of course).  In fact
if I find the DNS server IP address and use it directly on the host
command that lookup works:

  $ host git 198.168.1.2
  git.my.domain.com is an alias for server.my.domain.com.
  server.my.domain.com has address 192.168.1.7

I've also enabled "nmcli general logging level TRACE" and looked at the
journalctl logging when starting / stopping both VPN configurations and
it all looks fine to me: for both I can see the IP address for the DNS
server added as "50 vpn v4 tun0 : <newIP>" where my default DNS servers
are 100.  I see dnsmasq messages saying it's adding the new DNS address
as the nameserver for all the domains.

What does it mean that the local DNS service is returning REFUSED?  How
can I debug this further?  Or, does anyone know how to fix it?
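An added diagnostic script (not part of the original post, and not NetworkManager or dnsmasq code) that follows up on the "what does REFUSED mean" question. The "5(REFUSED)" that host prints is RCODE 5 in the DNS response header (RFC 1035 section 4.1.1: the server refuses to perform the operation for policy reasons). The script builds a raw query, reads the RCODE directly from the reply, and asks the same name of the local stub on 127.0.1.1 (the address in the resolv.conf above) and of the VPN's DNS server queried directly, then says which hop is producing the refusal. The server address 192.168.1.2 in the usage comment is a constructed placeholder; the real value is the IP4.DNS entry that `nmcli -f all device show tun0` reports for the VPN device.

```python
"""Probe a name against the local stub resolver and the VPN DNS server(s)
and report which hop produces the REFUSED. Raw DNS messages are used so
the RCODE (RFC 1035 section 4.1.1) is read directly from the reply."""
import random
import socket
import struct
import sys

# RCODE values from RFC 1035 (low 4 bits of the flags word).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Return a minimal recursive query (default type A, class IN) for `name`."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100: QR=0 (query), opcode 0, RD=1; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_rcode(response):
    """Return (txid, rcode_name) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", response[:4])
    if not flags & 0x8000:          # QR bit must be set on a response
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, "RCODE%d" % rcode)


def query_rcode(server, name, timeout=2.0):
    """Send one UDP query to `server`:53 and return the RCODE name, or TIMEOUT."""
    query = build_query(name)
    sent_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    got_id, rcode = parse_rcode(data)
    return rcode if got_id == sent_id else "ID-MISMATCH"


def classify(local_rcode, upstream_rcodes):
    """Decide where a REFUSED comes from, given the stub's answer and the
    answers of the VPN DNS server(s) queried directly."""
    if local_rcode == "NOERROR":
        return "OK"
    if local_rcode == "REFUSED":
        if any(r == "NOERROR" for r in upstream_rcodes.values()):
            # The VPN server answers when asked directly, so the refusal is
            # generated by the local stub: it is not forwarding to that server.
            return "LOCAL_STUB"
        if upstream_rcodes and all(r == "REFUSED" for r in upstream_rcodes.values()):
            return "UPSTREAM"
    return "INCONCLUSIVE"


def diagnose(name, upstreams, local_stub="127.0.1.1"):
    """Query the stub and each upstream, then classify. Network I/O happens here."""
    local = query_rcode(local_stub, name)
    ups = {server: query_rcode(server, name) for server in upstreams}
    return local, ups, classify(local, ups)


if __name__ == "__main__":
    # usage: python3 dnsdiag.py git.my.domain.com 192.168.1.2 [more VPN DNS IPs]
    # (192.168.1.2 is a constructed placeholder; use the IP4.DNS value that
    #  `nmcli -f all device show tun0` reports for the VPN device)
    if len(sys.argv) < 3:
        sys.exit("usage: dnsdiag.py <name> <vpn-dns-ip> [<vpn-dns-ip> ...]")
    local, ups, verdict = diagnose(sys.argv[1], sys.argv[2:])
    print("127.0.1.1 (local stub):", local)
    for server, rcode in ups.items():
        print("%s (direct):" % server, rcode)
    print("verdict:", verdict)
```

A LOCAL_STUB verdict reproduces the situation in the post (direct query works, stub refuses) and points at the stub's forwarding configuration rather than the VPN server; running the script before and after the `killall -HUP NetworkManager` workaround shows whether the verdict flips to OK, which is the behaviour described above.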

