and make sure there is a route to your internal DNS servers
over the VPNs,
or
a policy that covers the DNS servers' IP range if it is an IPsec
policy-based VPN.

Hope this helps

On Tue, 20 Jul 2021 at 13:15, Timo Myyrä <[email protected]> wrote:
>
> Stuart Henderson <[email protected]> [2021-07-20, 11:24 +0000]:
>
> > On 2021-07-20, Timo Myyrä <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> Just started testing the new dhcpleased/resolvd stuff and noticed that
> >> DNS resolution won't work correctly once I open my VPN connection. Name
> >> resolution works for external domains but not for the internal domains
> >> resolved by the internal DNS servers.
> >>
> >> I'm using openconnect to setup VPN tunnel and it runs the
> >> /etc/vpnc-script to setup networking after initing the tunnel. This
> >> script adds the nameserver entries into /etc/resolv.conf.
> >> But these entries in /etc/resolv.conf are done below following line:
> >> nameserver 127.0.0.1 # resolvd: unwind
> >>
> >> This means the unwind is handling the DNS query passing and it doesn't
> >> seem to notice the DNS server entries given by openconnect.
> >>
> >> What would be a good method to get DNS resolution working after running
> >> openconnect? I'd like to prepend the DNS servers from VPN connection so
> >> they are queried first, then fallback to other servers.
> >>
> >> Timo
> >>
> >>
> >
> > Untested but I would use unwind and try something like
> >
> > forwarder <address>
> > preference recursor oDoT-dhcp dhcp stub
> > force forwarder {vpndomain.com}
> >
> > For the forwarder address you might be able to statically configure
> > it, if not then you could modify vpnc-script to have it update the
> > address in unwind.conf and reload it.
>
> Thanks, this works somewhat:
>
> forwarder { $ip1 $ip2 }
> force accept bogus forwarder { $internal_domain1 }
> force accept bogus forwarder { $internal_domain2 }
> ...
>
> A bit cumbersome to list all internal domains, but there shouldn't be
> that many of them in day-to-day use.
> The DNS server IPs are pretty much static, so manually adjusting the
> unwind.conf is doable.
>
> Timo
>


-- 
Kindest regards,
Tom Smyth.

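As an added illustration of Stuart's suggestion to have vpnc-script rewrite unwind.conf and reload unwind (this is example code, not from the thread, from OpenBSD or from the vpnc-script project), the script below builds a config in the shape Timo reported working, refuses to write it unless unwind's config-test mode accepts it, and then reloads the daemon. It assumes vpnc-script exports the VPN DNS servers in INTERNAL_IP4_DNS (space-separated), the split-DNS domains in CISCO_SPLIT_DNS (comma-separated) and the hook phase in $reason; it also assumes unwind.conf accepts braces around the preference list and several domains in a single "force" block. None of those names or syntax points are confirmed by the thread, which is why the write is gated on "unwind -n".

```shell
#!/bin/sh
# Added example, not code from the thread, OpenBSD or vpnc-script:
# generate an unwind.conf that sends only the VPN's internal domains to
# the VPN-supplied DNS servers, config-test it, and reload unwind.
#
# Assumptions (not confirmed by the thread): vpnc-script exports the
# VPN DNS servers in INTERNAL_IP4_DNS (space-separated), the split-DNS
# domains in CISCO_SPLIT_DNS (comma-separated) and the hook phase in
# $reason; unwind.conf accepts braces around the preference list and
# several domains in one "force" block. "unwind -n" is the safety net
# if either syntax assumption is wrong on your release.

# gen_unwind_conf SERVERS DOMAINS
#   SERVERS: space-separated forwarder addresses (IPv4 or IPv6)
#   DOMAINS: comma-separated internal domains to force to the forwarders
# Prints the config on stdout; returns 1 on empty or suspicious input.
gen_unwind_conf() {
    fwd=
    dom=

    # The values come from the VPN gateway, so never paste them into a
    # root-owned config unchecked: allow only address-shaped tokens.
    for s in $1; do
        case $s in
            *[!0-9A-Fa-f.:]*) return 1 ;;
        esac
        fwd="$fwd${fwd:+ }$s"
    done
    [ -n "$fwd" ] || return 1

    # Same for domain names (letters, digits, dots, hyphens only).
    for d in $(printf '%s' "$2" | tr ',' ' '); do
        case $d in
            *[!0-9A-Za-z.-]*) return 1 ;;
        esac
        dom="$dom${dom:+ }$d"
    done
    [ -n "$dom" ] || return 1

    printf 'forwarder { %s }\n' "$fwd"
    # Keep the recursor first for everything else, as in Stuart's reply.
    printf 'preference { recursor oDoT-dhcp dhcp stub }\n'
    # "accept bogus": split-horizon zones usually fail DNSSEC validation.
    printf 'force accept bogus forwarder { %s }\n' "$dom"
}

# install_unwind_conf SERVERS DOMAINS [CONF]
#   Writes the generated config to CONF (default /etc/unwind.conf) only
#   after unwind's config-test mode accepts it, then reloads the daemon.
install_unwind_conf() {
    conf=${3:-/etc/unwind.conf}
    tmp=$(mktemp /tmp/unwind.XXXXXX) || return 1
    if ! gen_unwind_conf "$1" "$2" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # unwind -n -f FILE parses FILE and exits without starting the daemon.
    if ! unwind -n -f "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # cp rather than mv so the existing mode/owner of the config is kept.
    cp "$tmp" "$conf" && rm -f "$tmp" && unwindctl reload
}

# Hook: when run from vpnc-script on connect, the VPN settings are in the
# environment (assumed variable names above); otherwise do nothing.
if [ "${reason-}" = "connect" ] && [ -n "${INTERNAL_IP4_DNS-}" ]; then
    install_unwind_conf "$INTERNAL_IP4_DNS" "${CISCO_SPLIT_DNS-}"
fi
```

Sourcing this from the end of the connect branch in /etc/vpnc-script gives Timo's manual step automatically; if the VPN gateway does not push a split-DNS domain list, set CISCO_SPLIT_DNS yourself to the internal domains before calling install_unwind_conf. The input checks are the point worth keeping even if you rewrite the rest: the server list and domain list arrive from the far end of the tunnel, and they are about to be written into a root-owned file that a daemon parses.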