Could you include what gets written to your syslog while the VPN
connection is established?

SIGUSR1 to dnsmasq tells you what server it's talking to, but
unfortunately not for what domain...

Based on your described symptoms, I'm suspecting that the openvpn plugin
told NM to configure dnsmasq only for the domains pushed by the VPN
server rather than for all domains (as it should when you route
everything over the VPN).

If that's what happened, you should see log lines like:
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain stgraber.net
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 16.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 17.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 18.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 19.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 22.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 56.149.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain stgraber.net
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain 16.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain 17.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain 18.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain 19.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain 22.172.in-addr.arpa
Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain 56.149.in-addr.arpa


And resolution of any record that's part of one of those domains would succeed.

https://bugs.launchpad.net/bugs/1603898

Title:
  DNS resolution fails when using VPN and routing all traffic over it

Status in network-manager package in Ubuntu:
  New

Bug description:
  When using our company VPN, the Network Manager configured dnsmasq
  ends up in a weird state where it's unable to answer queries because
  it's (incorrectly) sending them to 127.0.0.1:53 where nothing is
  listening.

  | root@ornery:~# nmcli con show 'Canonical UK - All Traffic' | grep -i dns
  | ipv4.dns:
  | ipv4.dns-search:
  | ipv4.dns-options:                       (default)
  | ipv4.ignore-auto-dns:                   no
  | ipv6.dns:
  | ipv6.dns-search:
  | ipv6.dns-options:                       (default)
  | ipv6.ignore-auto-dns:                   no
  | IP4.DNS[1]:                             10.172.192.1
  | root@ornery:~# ps auxfwwwww | grep [4]035
  | nobody    4035  0.0  0.0  52872  1620 ?        S    Jun29   6:39  \_ /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
  | root@ornery:~# 

  Querying the DNS server provided by the VPN connection works; querying
  dnsmasq doesn't:

  | root@ornery:~# dig +short @10.172.192.1 www.openbsd.org
  | 129.128.5.194
  | root@ornery:~# dig @127.0.1.1 www.openbsd.org
  | 
  | ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.1.1 www.openbsd.org
  | ; (1 server found)
  | ;; global options: +cmd
  | ;; Got answer:
  | ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6996
  | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  | 
  | ;; QUESTION SECTION:
  | ;www.openbsd.org.               IN      A
  | 
  | ;; Query time: 0 msec
  | ;; SERVER: 127.0.1.1#53(127.0.1.1)
  | ;; WHEN: Mon Jul 18 10:25:48 CEST 2016
  | ;; MSG SIZE  rcvd: 33
  | 
  | root@ornery:~# 

  While running 'dig @127.0.1.1 www.openbsd.org':

  | root@ornery:~# tcpdump -i lo port 53 -v -n
  | tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
  | 10:26:04.728905 IP (tos 0x0, ttl 64, id 56577, offset 0, flags [none], proto UDP (17), length 72)
  |     127.0.0.1.54917 > 127.0.1.1.53: 32273+ [1au] A? www.openbsd.org. (44)
  | 10:26:04.729001 IP (tos 0x0, ttl 64, id 49204, offset 0, flags [DF], proto UDP (17), length 61)
  |     127.0.1.1.53 > 127.0.0.1.54917: 32273 Refused$ 0/0/0 (33)

  | root@ornery:~# netstat -anp | grep 127.0.[01].1:53
  | tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      4035/dnsmasq
  | udp        0      0 127.0.1.1:53            0.0.0.0:*                           4035/dnsmasq
  | root@ornery:~# 

  You can see below a) that dnsmasq thinks it is configured to use a DNS
  server provided by the VPN, and/but that b) it tries to answer a
  non-local query like www.openbsd.org locally.

  | root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
  | Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
  | Jul 18 09:29:22 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
  | Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
  | Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
  | Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
  | root@ornery:~# dig +short @127.0.1.1 www.openbsd.org
  | root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
  | Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
  | Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
  | Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
  | Jul 18 09:29:37 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
  | Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
  | Jul 18 09:29:37 ornery dnsmasq[4035]: queries for authoritative zones 0
  | Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
  | root@ornery:~# 

  This is on Ubuntu 16.04, with the following packages:

  | james@ornery:~$ COLUMNS=200 dpkg -l dnsmasq-base network-manager network-manager-openvpn | grep ^ii
  | ii  dnsmasq-base                                 2.75-1ubuntu0.16.04.1       amd64                       Small caching DNS proxy and DHCP/TFTP server
  | ii  network-manager                              1.2.0-0ubuntu0.16.04.2      amd64                       network management framework (daemon and userspace tools)
  | ii  network-manager-openvpn                      1.1.93-1ubuntu1             amd64                       network management framework (OpenVPN plugin core)
  | james@ornery:~$
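The diagnostic suggested in the comment above (check whether dnsmasq's SIGUSR1 dump lists only VPN-pushed domains and no catch-all upstream, which is what produces the REFUSED answers shown in the bug description) can be made mechanical. The following is an added example, not code from the bug report, NetworkManager or dnsmasq; the syslog lines it parses are constructed, modelled on the ones quoted above.

```python
import re

# Constructed sample of dnsmasq's SIGUSR1 syslog dump, modelled on the lines
# quoted in the comment: only the VPN-pushed domains have an upstream.
SPLIT_ONLY = [
    "Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain stgraber.net",
    "Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53 for domain 16.172.in-addr.arpa",
    "Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.31#53 for domain stgraber.net",
]
# Same dump plus a catch-all upstream (no "for domain" suffix), which is what
# a route-everything VPN should leave behind.
FULL_TUNNEL = SPLIT_ONLY + [
    "Jul 18 22:14:06 castiana dnsmasq[9394]: using nameserver 172.16.20.30#53",
]

# "using nameserver A#P for domain D" is a domain-scoped upstream;
# "using nameserver A#P" alone is a default (catch-all) upstream.
_SERVER_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (?P<server>\S+)"
                        r"(?: for domain (?P<domain>\S+))?$")

def parse_upstreams(lines):
    """Return (default_servers, {domain: set_of_servers}) from syslog lines."""
    default, scoped = set(), {}
    for line in lines:
        m = _SERVER_RE.search(line.rstrip())
        if not m:
            continue  # unrelated syslog line
        if m.group("domain") is None:
            default.add(m.group("server"))
        else:
            scoped.setdefault(m.group("domain"), set()).add(m.group("server"))
    return default, scoped

def resolver_for(qname, default, scoped):
    """Upstreams for qname: longest matching domain suffix, else the default set."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in scoped:
            return scoped[suffix]
    return default

def diagnose(lines, probe="www.openbsd.org"):
    """Say what dnsmasq does with a query outside the pushed domains."""
    default, scoped = parse_upstreams(lines)
    servers = resolver_for(probe, default, scoped)
    if servers:
        return "ok: %s goes to %s" % (probe, sorted(servers))
    return ("split-DNS only: no upstream for %s, dnsmasq answers REFUSED; "
            "scoped domains: %s" % (probe, sorted(scoped)))
```

Feed it the output of `kill -USR1 <pid>; grep 'using nameserver' /var/log/syslog` on the affected machine; a "split-DNS only" verdict for a name outside the pushed domains is the misconfiguration the comment describes.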
