Public bug reported:

I was setting up a fresh ubuntu xenial a few days ago (Ubuntu 16.04.1 LTS)
with network-manager 1.2.2-0ubuntu0.16.04.3.

I connect to an openvpn server that pushes a DNS Server to me:

push "dhcp-option DNS 172.24.32.1"

This DNS-Server is properly received and (as I have marked "use for this
network only") configured correctly over DBus to dnsmasq (sorry, German logs;
translated here):

Nov 15 22:23:47 chili dnsmasq[1422]: setting upstream servers from DBus
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain example.com
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain 24.172.in-addr.arpa

So now dnsmasq has nameservers for my VPN-internal domain and the reverse
domains of the routes pushed by the VPN. That's exactly what I want - for the
VPN resources.

BUT (and this took me some time to understand) the previously valid nameservers
(originating from the DHCP server of the wireless connection) are REMOVED. This
means that dnsmasq is left with name servers for specific domains only; there
are no generic name servers available any more. If queried for a name
resolution for e.g. "www.google.com", dnsmasq just returns an error message.

So while I had full IP connectivity in the network behind the VPN AND to the 
internet, I had no name resolution any more for domains outside of the VPN.

I would have expected that the domain servers (that are specific to the VPN
domains) are ADDED to the list of dnsmasq's servers, but they are replaced.
As (according to the dnsmasq man page) "More specific domains take precedence
over less specific domains", no leakage of DNS requests would happen in either
direction.

I even monitored the D-Bus communication and it can be seen that it uses
the "SetServersEx" command (which replaces the list).

I built a workaround using a script in /etc/NetworkManager/dispatcher.d combined
with a configuration file in /etc/NetworkManager/dnsmasq.d that points to a 
"servers-file". When the vpn comes up, the script populates the servers-file
from the $IP4_NAMESERVERS variable and HUPs dnsmasq, which finally gives me
in /var/log/syslog:

Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 8.8.8.8#53
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain example.com
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain 24.172.in-addr.arpa

Of course the script undoes the changes when the VPN comes down again. If anyone
is interested, I can share my script - but it is quite specific to my use
case, so I wonder if others are interested in it...

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1642063

Title:
  Split DNS with openvpn erroneously removes nameservers from dnsmasq

Status in network-manager package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1642063/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
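The dispatcher-script workaround the report describes, written out as an added example. This is not the reporter's script and not part of NetworkManager or dnsmasq; the file names `90-vpn-fallback-dns`, `vpn-fallback.conf` and `/run/NetworkManager/dnsmasq-fallback-servers` are hypothetical, and the pid-file location `/var/run/NetworkManager/dnsmasq.pid` is an assumption about how NetworkManager 1.2 launches its private dnsmasq (the `pkill` fallback keys on the `--enable-dbus=org.freedesktop.NetworkManager.dnsmasq` argument instead). It relies on the `servers-file=` directive, which dnsmasq re-reads on SIGHUP and which accepts only `server=`/`rev-server=` lines.

```shell
#!/bin/sh
# Added example, not the reporter's script: a NetworkManager dispatcher hook
# that keeps the underlying connection's nameservers in NM's dnsmasq while a
# VPN is up, using the servers-file mechanism described in the bug report.
#
# Assumed companion config (hypothetical names and paths; choose your own):
#   /etc/NetworkManager/dnsmasq.d/vpn-fallback.conf containing the single line
#       servers-file=/run/NetworkManager/dnsmasq-fallback-servers
# Install this script as /etc/NetworkManager/dispatcher.d/90-vpn-fallback-dns,
# owned by root, mode 0755. NetworkManager runs it as "<script> <iface> <action>"
# and, as the report says, exports the connection's servers in IP4_NAMESERVERS.

SERVERS_FILE="${SERVERS_FILE:-/run/NetworkManager/dnsmasq-fallback-servers}"
# Assumption: NM's private dnsmasq writes this pid file; if it does not, the
# pkill fallback below matches the instance by the D-Bus name NM gives it.
DNSMASQ_PIDFILE="${DNSMASQ_PIDFILE:-/var/run/NetworkManager/dnsmasq.pid}"

# Accept only dotted-quad IPv4 literals. The values come from DHCP or from the
# VPN server, so nothing but a plain address may reach the config file.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print servers-file content: one "server=<ip>" line per nameserver. These
# entries carry no domain, so dnsmasq uses them only for names that no more
# specific "server=/domain/ip" entry (the VPN ones set over D-Bus) claims.
render_servers_file() {
    for ns in $1; do
        if is_ipv4 "$ns"; then
            printf 'server=%s\n' "$ns"
        else
            printf 'vpn-fallback-dns: ignoring non-IPv4 nameserver %s\n' "$ns" >&2
        fi
    done
}

# SIGHUP makes dnsmasq re-read the servers-file without touching its other
# (D-Bus supplied) upstream servers.
hup_dnsmasq() {
    if [ -r "$DNSMASQ_PIDFILE" ]; then
        kill -HUP "$(cat "$DNSMASQ_PIDFILE")"
    else
        pkill -HUP -f 'dnsmasq.*enable-dbus=org.freedesktop.NetworkManager.dnsmasq'
    fi
}

vpn_up() {
    tmp="$SERVERS_FILE.tmp"
    render_servers_file "${IP4_NAMESERVERS:-}" > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$SERVERS_FILE"   # atomic swap: dnsmasq never sees a half-written file
    hup_dnsmasq
}

vpn_down() {
    : > "$SERVERS_FILE"            # empty file: the HUP drops the extra servers again
    hup_dnsmasq
}

case "${2:-}" in
    vpn-up)   vpn_up ;;
    vpn-down) vpn_down ;;
esac
```

Two caveats worth keeping in mind: the script only re-adds IPv4 servers (an IPv6-only uplink would need the same treatment for `IP6_NAMESERVERS`), and it deliberately does not add the VPN's own server as a domain-less entry, so queries for names outside the pushed domains go to the wireless network's resolver exactly as before the VPN came up; that is the split-DNS behaviour the reporter wants, but it is also a decision about which resolver sees which queries, and should be made knowingly.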