On 2024-02-26, at 13:10:43,
Anssi Saari <anssi.sa...@debian-user.mail.kapsi.fi> wrote:

> Mariusz Gronczewski <x...@devrandom.pl> writes:
> 
> > Offtopic but since Debian switched to systemd for DNS management on
> > VPNs and such I need to restart it sometimes multiple times to just
> > get "right" DNS servers, because there appears to be no notion of
> > priority:
> >
> > https://github.com/systemd/systemd/issues/27543
> >
> > so now any time I connect to work (just openvpn tunnel, nothing
> > fancy) I need to spam
> >
> > systemctl restart systemd-resolved ; sleep 1 ; cat /etc/resolv.conf
> >
> > a few times till the dice roll the right order of DNS servers...
> 
> Interesting. I leaped on systemd-networkd and -resolved when I read
> years ago it added interface specific DNS support. So now my local DNS
> (dnsmasq in the router) handles my home network and what goes out via
> the VPN (i.e. tun0 or wg0 these days) uses the VPN's DNS. 

... in what way? You need to resolve DNS first before you know which
interface the traffic is going out of.

> Or if the
> VPN is off, the local DNS forwards queries to DHCP assigned DNS. I
> see no issues although I don't have the kind of VPN where some
> external traffic goes through it only but might work for that too.
> For me the default was that systemd-resolved dutifully spammed all
> DNS queries to all DNS servers through all interfaces.
> 
> This interface specific DNS was a little hard to set up as I
> recall. Easier with WG than OpenVPN.
> 

Our case is basically this:

* some of the records exist only on VPN DNS server (private domains
  pointing to private IPs)
* some of the records exist outside but the VPN DNS returns private
  range IP addresses for them (so-called split-horizon DNS).

So the only right way is to ask the first server on the list. That
worked before systemd-resolved came, as Debian scripts just put the
VPN's DNS servers in the front. Now it is a throw of the dice any time
the daemon is restarted.

The proper way would be either to:

* ask in order, with components registering the DNS server specifying
  that priority so the daemon can produce the sorted list
* have a way to do per-domain exceptions and do "if domain is
  *.internal.example.com, ask VPN server's DNS"

The second is possible in dnsmasq but not (AFAIK) in systemd. And
currently neither "make systemd a DNS resolver" nor "use
systemd-resolved provided DNS config" work reliably.

-- 
Mariusz Gronczewski (XANi) <xani...@gmail.com>
GnuPG: 0xEA8ACE64
https://devrandom.eu
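As an added example, not part of the thread: a small POSIX shell check for the resolver order the author inspects by hand with `cat /etc/resolv.conf` after each restart. The VPN resolver 10.8.0.1, the home resolver 192.168.1.1 and the two sample resolv.conf files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the VPN's DNS server
# ended up first in a resolv.conf, so the outcome of a systemd-resolved
# restart can be verified mechanically instead of by eyeballing output.

VPN_DNS="${VPN_DNS:-10.8.0.1}"               # constructed: VPN resolver
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Print the first 'nameserver' entry of the resolv.conf read from stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Exit 0 if the VPN resolver is listed first in file $1, otherwise 1.
vpn_dns_is_first() {
    [ "$(first_nameserver < "$1")" = "$VPN_DNS" ]
}

# Restart the daemon until the VPN resolver is first, with a bounded
# number of attempts instead of an open-ended manual loop. Not invoked
# here; requires root and systemd-resolved.
retry_until_vpn_first() {
    attempts="${1:-5}"
    while [ "$attempts" -gt 0 ]; do
        vpn_dns_is_first "$RESOLV_CONF" && return 0
        systemctl restart systemd-resolved
        sleep 1
        attempts=$((attempts - 1))
    done
    echo "VPN DNS $VPN_DNS still not first in $RESOLV_CONF" >&2
    return 1
}

# Constructed sample files reproducing the two orders the author sees.
good=$(mktemp); bad=$(mktemp)
printf 'search example.com\nnameserver 10.8.0.1\nnameserver 192.168.1.1\n' > "$good"
printf 'nameserver 192.168.1.1\nnameserver 10.8.0.1\n' > "$bad"

for f in "$good" "$bad"; do
    if vpn_dns_is_first "$f"; then
        echo "$f: VPN DNS first (ok)"
    else
        echo "$f: first resolver is $(first_nameserver < "$f"), not $VPN_DNS"
    fi
done
```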
