On Mon, Feb 26, 2024 at 10:42 AM Mariusz Gronczewski <x...@devrandom.pl> wrote:
>
> On 2024-02-26, at 13:10:43,
> Anssi Saari <anssi.sa...@debian-user.mail.kapsi.fi> wrote:
>
> > Mariusz Gronczewski <x...@devrandom.pl> writes:
> >
> > > Offtopic but since Debian switched to systemd for DNS management on
> > > VPNs and such I need to restart it sometimes multiple times to just
> > > get "right" DNS servers, because there appears to be no notion of
> > > priority:
> > >
> > > https://github.com/systemd/systemd/issues/27543
> > >
> > > so now any time I connect to work (just openvpn tunnel, nothing
> > > fancy) I need to spam
> > >
> > > systemctl restart systemd-resolved ; sleep 1 ; cat /etc/resolv.conf
> > >
> > > a few times till the dice rolls the right order of DNS servers...
> >
> > Interesting. I leaped on systemd-networkd and -resolved when I read
> > years ago it added interface specific DNS support. So now my local DNS
> > (dnsmasq in the router) handles my home network and what goes out via
> > the VPN (i.e. tun0 or wg0 these days) uses the VPN's DNS.
>
> ... in what way? You need to resolve DNS first before you know which
> interface the traffic is going out of.
I _think_ that depends on the configuration. You can use local DNS for name resolution, or remote (VPN) DNS for name resolution. Sometimes both are used at the same time. I think that's called "split DNS" or "split brain DNS."

> > Or if the
> > VPN is off, the local DNS forwards queries to DHCP assigned DNS. I
> > see no issues although I don't have the kind of VPN where some
> > external traffic goes through it only but might work for that too.
> > For me the default was that systemd-resolved dutifully spammed all
> > DNS queries to all DNS servers through all interfaces.
> >
> > This interface specific DNS was a little hard to set up as I
> > recall. Easier with WG than OpenVPN.
> >
>
> Our case is basically that:
>
> * some of the records exist only on VPN DNS server (private domains
> pointing to private IPs)
> * some of the records exist on outside but the VPN DNS returns private
> range IP addresses for it (so-called split-horizon DNS).
>
> So the only right way is to ask the first server on the list. That
> worked before systemd-resolved came as Debian scripts just put the
> VPN's DNS servers in the front. Now it is a throw of the dice any time
> the daemon is restarted.
>
> The proper way would be either to:
>
> * ask in order, with components registering the DNS server specifying
> that priority so the daemon can result the sorted list
> * have a way to do per-domain exception and do "if domain is
> *.internal.example.com, ask VPN server's DNS"
>
> The second is possible in dnsmasq but not (AFAIK) in systemd. And
> currently neither "make systemd a DNS resolver" nor "use
> systemd-resolved provided DNS config" work reliably.

Jeff
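As an added example (not part of the thread, and not code from any of the posters): a small script that does what the manual `cat /etc/resolv.conf` loop above does by eye, namely checks whether the VPN resolver ended up first in the nameserver list, and that emits the per-domain exception in dnsmasq's `server=/domain/ip` syntax that the thread mentions as the alternative. The resolv.conf contents and the VPN resolver address 10.8.0.1 are constructed sample values.

```python
import ipaddress

# Constructed sample: the kind of /etc/resolv.conf the thread's author inspects
# after restarting systemd-resolved. Here the (assumed) VPN resolver 10.8.0.1
# has landed second, i.e. the "wrong" roll of the dice for split-horizon names.
SAMPLE_RESOLV_CONF = """\
# Generated by systemd-resolved (constructed sample)
search internal.example.com
nameserver 192.168.1.1
nameserver 10.8.0.1
options edns0
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) in file order, ignoring comments."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "nameserver":
            nameservers.append(ipaddress.ip_address(value.strip()))
        elif key in ("search", "domain"):
            search.extend(value.split())
    return nameservers, search


def vpn_dns_is_first(text, vpn_dns):
    """True only if the VPN resolver is the first nameserver listed.

    A classic resolv.conf consumer queries servers in order, so this is the
    ordering the thread needs for private and split-horizon records to resolve
    via the VPN's server rather than the LAN one."""
    nameservers, _ = parse_resolv_conf(text)
    return bool(nameservers) and nameservers[0] == ipaddress.ip_address(vpn_dns)


def dnsmasq_split_horizon_lines(vpn_dns, private_domains):
    """Per-domain exception in dnsmasq syntax: 'server=/domain/ip' sends
    queries for that domain and its subdomains only to the given server,
    independent of nameserver ordering."""
    vpn = ipaddress.ip_address(vpn_dns)
    return [f"server=/{d.strip('.')}/{vpn}" for d in private_domains]
```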