Hi, I've been having problems with DNSMASQ when using VPN. The general problem is I only want DNS entries for work resolved across my VPN server. However, I have run across several challenges for which I'm hoping there are simple solutions. Right now the main problems I am trying to address are:

- If I look up a domain prior to connecting to VPN, DNSMASQ caches that answer for when I'm connected to VPN.
- I cannot figure out a way to tell DNSMASQ to use either of my local name servers for domains not at work. So if I have to shut down one of the servers, I have to edit my DNSMASQ configuration.
- I have figured out a way to override all non-work domains to be looked up locally. For example, I do not want to have a DNS query log from whenever I connect to facebook.

Here is what I have so far:

1. My work uses dynamic addresses for the DNS servers. When I connect via openvpn, netmanager updates my resolv.conf. I have not found a good way to specify to put 127.0.0.1 into the list for DNSMASQ when using the dynamic DNS server address. However, I have found I can specify a manual list of addresses. This means occasionally I have to edit the addresses, but for the most part it works. When I'm connected via VPN I have the following /etc/resolv.conf:

       # Generated by NetworkManager
       search redhat.com engsupport.redhat.com local
       nameserver 127.0.0.1
       nameserver 172.16.52.28
       nameserver 10.11.255.47
       # NOTE: the libc resolver may not support more than 3 nameservers.
       # The nameservers listed below may not be recognized.
       nameserver 172.31.253.11
       nameserver 172.31.253.12

   When not connected to VPN I have the following:

       search local
       nameserver 127.0.0.1
       nameserver 172.31.253.11
       nameserver 172.31.253.12

   I find DNSMASQ picks up the change in resolv.conf correctly. However, it does not flush its cache. So if, for example, I mistakenly try to log in to my work e-mail prior to connecting to VPN, or after a VPN drop, then the address will resolve to opendns. After I connect to VPN, it will still resolve to opendns until I restart dnsmasq or the DNS entry expires.

2. To avoid having non-work addresses resolving through the work DNS, I have a huge list of server lines, e.g.:

       server=/aero/172.31.253.11
       server=/asia/172.31.253.11
       server=/biz/172.31.253.11
       server=/cat/172.31.253.11
       server=/facebook.com/172.31.253.11
       server=/google.com/172.31.253.11
       server=/coop/172.31.253.11
       server=/edu/172.31.253.11
       ...

   Of course, what I really wanted to do is specify a /etc/resolv.conf.novpn file and then take care of VPN lookups with a line like:

       server=/redhat.com/10.11.255.47

   if connected via VPN, but I have no way of telling DNSMASQ to only use that line when I am connected via VPN. By listing the reverse list I have two problems:

   1. My list will probably never be completely comprehensive.
   2. I can only specify one server on the server line. So if I shut down 172.31.253.11, DNSMASQ will not use 172.31.253.12 as a backup.

This whole problem could be resolved if there is some way to specify multiple IP addresses. Then I could do something like:

    server=/redhat.com/10.32.255.47,172.31.253.11,172.31.253.12

meaning, of course, try 10.32.255.47; if it is unreachable (because I'm not connected to VPN) then try the next one. Even better would be something like:

    server=/redhat.com/{/etc/resolv.conf}

meaning to use the specified file for redhat.com. Then the remaining problems would be how to tell DNSMASQ to flush its cache whenever /etc/resolv.conf is updated, and how to use the dynamic IP address for DNS supplied via openvpn instead of hard-coding a static address.

Bill
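Added example, not part of Bill's post: a NetworkManager dispatcher script in POSIX shell that covers the three open points above with facilities dnsmasq already has. dnsmasq accepts the same domain on several `server=/domain/ip` lines and fails over between them, which replaces the wished-for comma list; `server=/domain/` with no address tells dnsmasq never to forward that domain upstream, so while the VPN is down the work names are refused locally instead of being resolved through the home servers and cached as the opendns answer; and SIGHUP makes dnsmasq drop its cache and re-read resolv.conf (setting `clear-on-reload` in dnsmasq.conf does the flush automatically on every resolv.conf change). The dispatcher argument convention (`<interface> <action>`, with `vpn-up`/`vpn-down` actions) is NetworkManager's; the `VPN_IP4_NAMESERVERS` variable name, the `CONF_FILE` path (which needs `conf-dir=/etc/dnsmasq.d` in dnsmasq.conf), the `VPN_DOMAINS` list and the script's install path are assumptions.

```shell
#!/bin/sh
# Hypothetical NetworkManager dispatcher script, e.g. installed as
# /etc/NetworkManager/dispatcher.d/50-dnsmasq-vpn (assumed path). Not from
# the original post.
#
# vpn-up:   write one "server=/domain/ip" line per work domain and per VPN
#           nameserver, then SIGHUP dnsmasq so stale cached answers go away.
# vpn-down: mark the work domains local-only so dnsmasq refuses them rather
#           than forwarding them to the home resolvers and caching the result.

CONF_FILE="${CONF_FILE:-/etc/dnsmasq.d/vpn-work.conf}"           # assumed path
VPN_DOMAINS="${VPN_DOMAINS:-redhat.com engsupport.redhat.com}"   # search domains from the post

# $1 = space-separated domains, $2 = space-separated nameserver IPs.
# Repeating the domain with a different address is how dnsmasq gets a backup.
gen_server_lines() {
    for d in $1; do
        for s in $2; do
            printf 'server=/%s/%s\n' "$d" "$s"
        done
    done
}

# $1 = space-separated domains. "server=/domain/" with an empty address means
# "never forward this domain upstream"; only /etc/hosts and DHCP can answer it.
gen_local_lines() {
    for d in $1; do
        printf 'server=/%s/\n' "$d"
    done
}

# Read resolv.conf-style text on stdin and print the nameserver IPs on one
# line, skipping comments and the 127.0.0.1 entry that points back at dnsmasq.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" { s = s (s ? " " : "") $2 }
         END { print s }'
}

# SIGHUP makes dnsmasq clear its cache and re-read /etc/resolv.conf plus its
# config directory; this is the flush the post asks for on every VPN change.
flush_dnsmasq() {
    pkill -HUP -x dnsmasq 2>/dev/null || true
}

# NetworkManager calls dispatcher scripts as: script <interface> <action>.
# VPN_IP4_NAMESERVERS (assumed name) is the nameserver list NetworkManager
# exports on vpn-up; the fallback parses /etc/resolv.conf, which at that point
# also lists the home resolvers, so the exported list is the one to prefer.
dispatch() {
    case "$2" in
        vpn-up)
            servers="${VPN_IP4_NAMESERVERS:-$(resolv_nameservers < /etc/resolv.conf)}"
            gen_server_lines "$VPN_DOMAINS" "$servers" > "$CONF_FILE"
            flush_dnsmasq ;;
        vpn-down)
            gen_local_lines "$VPN_DOMAINS" > "$CONF_FILE"
            flush_dnsmasq ;;
    esac
}

# Only act when invoked by the dispatcher with interface and action arguments.
if [ $# -ge 2 ]; then
    dispatch "$@"
fi
```

With this in place the big reverse list of `server=/tld/172.31.253.11` lines is no longer needed: non-work domains follow the plain `nameserver` entries in resolv.conf (both home servers, so one can be shut down), and only the work domains are pinned to whatever addresses the VPN handed out for this session.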