----- Original Message -----
> From: "Olav Morken" <[email protected]>
> To: [email protected]
> Sent: Friday, November 7, 2014 10:53:05 PM
> Subject: Re: VPN + dnsmasq = split dns?
>
> Hi,
>
> sorry for the late response here. I finally found some time to look at
> this again now.
>
> On Wed, Oct 22, 2014 at 13:54:32 -0500, Dan Williams wrote:
> > > > Let us know what the results are!
> > >
> > > For what it is worth, after further testing we have determined that it
> > > is the IPv6 configuration that "breaks" the DNS config. We have seen
> > > three different behaviors, depending on the VPN config:
> > >
> > > 1. VPN with only IPv4 address and default route:
> > >
> > >    The DNS servers are added as global DNS servers.
> > >
> > > 2. VPN with both IPv4 and IPv6 addresses and default routes, but only
> > >    IPv4 DNS servers pushed through VPN configuration:
> > >
> > >    The DNS servers are added as local DNS servers, with no "global"
> > >    DNS servers.
> > >
> > > 3. VPN with both IPv4 and IPv6 addresses and default routes, and both
> > >    IPv4 and IPv6 DNS servers pushed through VPN configuration:
> > >
> > >    The IPv4 DNS servers are added as "local" DNS servers, and one of
> > >    the IPv6 DNS servers is added as a "global" DNS server.
> > >
> > > It was scenario 2 that was the original problem. For now, it looks
> > > like we have a workaround in scenario 3, since in that case we are
> > > left with an IPv6 DNS server that can be used for global queries.
> > >
> > > A wild guess from me is that the Ubuntu developers noticed the broken
> > > VPN DNS behavior with dnsmasq (since dnsmasq is the default on
> > > Ubuntu), and fixed it for the IPv4-only VPN case, but forgot to handle
> > > the IPv4-and-IPv6 case.
> > >
> > > I think I'll try to raise it as an Ubuntu bug, and live with pushing an
> > > IPv6 DNS server as a workaround.
> >
> > Odd... I'm not quite sure why it would be happening that way. In any
> > case, NM should only be doing split DNS when 'dns=dnsmasq' is set *and*
> > the VPN sends a domain name to NetworkManager. So I'd expect to see
> > your #1 case above also do "local" VPN DNS servers, with the DHCP
> > servers as fallback.
>
> After investigating this, I think I have found the cause of the behavior:
>
> Ubuntu carries a patch[1] which disables split DNS when it notices
> that it is on a VPN connection with a default route. This makes sense,
> since otherwise users of Ubuntu wouldn't be able to connect to VPNs as
> long as they are running dnsmasq (which they are by default).

I don't think it makes sense. Running a local DNS cache is good for other
reasons as well, and I don't see a reason to drop dnsmasq just because you
are connected to a VPN. Or did I misunderstand? What exactly is the problem
with upstream NM, and could we have a bug report for it?

I wonder how closely related our Unbound bug report in Fedora is. We also
have a bug report for handling VPN DNS servers, but that's about the special
case of having the default IPv4 route on the VPN and the default IPv6 route
on the local network:

https://bugzilla.redhat.com/show_bug.cgi?id=1091356

> From what I can tell, the reason for the behavior I am seeing is that
> the patch only fixes the split DNS for the first VPN configuration
> it finds with a default route.
>
> Now, when you connect to a VPN with both IPv6 and IPv4, the first
> configuration it finds may be the one with IPv6. In that case, it will
> add the DNS servers from the IPv6 configuration (if any) without split
> DNS. Any subsequent IPv4 configuration is still added using split DNS.
>
> I have filed a bug[2] for it on Launchpad.

Good. But finally it would be good to fix this upstream.

Cheers,
Pavel

> (Regarding the missing DHCP DNS servers, that is caused by a
> different part of the patch, which makes sure that it doesn't add the
> local DNS servers when it is on a VPN with a default route. This makes
> sense, since reaching those DNS servers is unlikely to be what you
> would want. It would also be likely to fail, since the DNS packets
> would still be sent over the VPN with the default route.)
>
> [1] http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/dnsmasq-vpn-dns-filtering.patch
> [2] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1390623
>
> Best regards,
> Olav Morken
> _______________________________________________
> networkmanager-list mailing list
> [email protected]
> https://mail.gnome.org/mailman/listinfo/networkmanager-list
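The three scenarios above and the "first VPN config with a default route wins" behaviour are easier to reason about when the server-selection rule is written down. The following is an added model of that rule, not NetworkManager's or Ubuntu's code and not part of the thread: it takes the IP configs the dnsmasq plugin would see and emits the `server=` lines dnsmasq would get (a bare `server=ADDR` is a global upstream, `server=/domain/ADDR` is split DNS). Upstream behaviour follows Dan's description (split DNS only when the VPN pushes a domain); the patched behaviour follows Olav's reading of the Ubuntu patch. The `fix_all_defaults` flag is a hypothetical repair for illustration, not the Launchpad fix, and the addresses, interface names and the ordering of the IPv6 config before the IPv4 one are constructed.

```python
"""Model of NetworkManager's dnsmasq DNS plugin as described in the thread.

Constructed example: the data structures, the upstream/patched rules and the
"fixed" variant are all assumptions written to reproduce the reported
behaviour, not NetworkManager code.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed addresses from the RFC 5737 / RFC 3849 documentation ranges.
LAN_DNS = "192.0.2.1"
VPN_DNS4 = "198.51.100.53"
VPN_DNS6 = "2001:db8::53"
VPN_DOMAIN = "corp.example"


@dataclass
class IPConfig:
    """One IPv4 or IPv6 config as the DNS plugin sees it (modelled, not NM's struct)."""
    iface: str
    family: int                 # 4 or 6
    vpn: bool
    default_route: bool         # only consulted for VPN configs in this model
    nameservers: List[str]
    domains: List[str] = field(default_factory=list)


def dnsmasq_servers(configs, ubuntu_patch=True, fix_all_defaults=False):
    """Return the dnsmasq 'server=' lines the plugin would write, in config order.

    ubuntu_patch=False: upstream rule (Dan): split DNS iff the VPN pushed a domain.
    ubuntu_patch=True:  Olav's reading of the Ubuntu patch: the first VPN config
                        with a default route becomes global, later ones stay split,
                        and local (DHCP) servers are dropped while a VPN holds the
                        default route.
    fix_all_defaults:   hypothetical repair; every VPN default-route config is global.
    """
    lines = []
    vpn_holds_default = any(c.vpn and c.default_route for c in configs)
    first_done = False
    for c in configs:
        if not c.vpn:
            if ubuntu_patch and vpn_holds_default:
                continue        # queries to LAN resolvers would go over the tunnel anyway
            lines += [f"server={ns}" for ns in c.nameservers]
            continue
        split = bool(c.domains)  # upstream: split DNS only if a domain was pushed
        if ubuntu_patch and c.default_route and (fix_all_defaults or not first_done):
            split = False        # the patch makes this config's servers global
            first_done = True    # ...but only for the first one it finds
        for ns in c.nameservers:
            if split:
                lines += [f"server=/{d}/{ns}" for d in c.domains]
            else:
                lines.append(f"server={ns}")
    return lines


def scenario(v6_route, v6_dns):
    """Build the thread's cases. As in the report, the IPv6 config is found first."""
    cfgs = [IPConfig("eth0", 4, False, True, [LAN_DNS])]
    if v6_route:
        cfgs.append(IPConfig("tun0", 6, True, True, [VPN_DNS6] if v6_dns else [], [VPN_DOMAIN]))
    cfgs.append(IPConfig("tun0", 4, True, True, [VPN_DNS4], [VPN_DOMAIN]))
    return cfgs


def has_global(lines):
    """True if at least one upstream is usable for arbitrary (non-VPN-domain) names."""
    return any(not line.startswith("server=/") for line in lines)


if __name__ == "__main__":
    for name, cfgs in (("1: v4 only", scenario(False, False)),
                       ("2: v4+v6, v4 DNS only", scenario(True, False)),
                       ("3: v4+v6, both DNS", scenario(True, True))):
        out = dnsmasq_servers(cfgs)
        print(f"{name}: {out} global={has_global(out)}")
```

Scenario 2 is the one that leaves no global upstream: the IPv6 config consumes the "first default-route VPN" slot without contributing a server, the IPv4 servers are then added split, and the LAN server has been filtered out, so nothing answers queries for names outside `corp.example`. Running the same inputs with `ubuntu_patch=False` shows the upstream result Dan expected (split VPN servers with the DHCP server as fallback).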
