Please provide any extra information you can to reproduce and debug this
issue. I can't reproduce it. If both IPv4 and IPv6 are set to not take
the default route, things are behaving correctly here; just like the DNS
settings are correctly configured when no split-tunnelling is in use at
all.

Also note that this will not work if dns=dnsmasq isn't set; this is
important as some versions of NetworkManager have disabled that feature.

From my logs; calling on to kill -USR1 dnsmasq before doing any tests (5
sent to local (192.168.0.1), 0 to the VPN (10.x.x.1) DNS):

Aug 19 14:04:30 demeter NetworkManager[2922]: <debug> [1471629870.6888] dnsmasq[0x5580dd157040]: dnsmasq update successful
Aug 19 14:05:16 demeter dnsmasq[5238]: horodatage 1471629916
Aug 19 14:05:16 demeter dnsmasq[5238]: taille de cache 0, 0/0 insertions dans le cache entrées non-expirées réutilisées
Aug 19 14:05:16 demeter dnsmasq[5238]: requêtes transmises 40322, requêtes résolues localement 448
Aug 19 14:05:16 demeter dnsmasq[5238]: queries for authoritative zones 0
Aug 19 14:05:16 demeter dnsmasq[5238]: serveur 192.168.0.1#53: requêtes envoyées 5, requêtes réessayées ou échouées 0
Aug 19 14:05:16 demeter dnsmasq[5238]: serveur 10.x.x.1#53: requêtes envoyées 0, requêtes réessayées ou échouées 0
Aug 19 14:05:49 demeter dnsmasq[5238]: horodatage 1471629949
Aug 19 14:05:49 demeter dnsmasq[5238]: taille de cache 0, 0/0 insertions dans le cache entrées non-expirées réutilisées
Aug 19 14:05:49 demeter dnsmasq[5238]: requêtes transmises 40324, requêtes résolues localement 448
Aug 19 14:05:49 demeter dnsmasq[5238]: queries for authoritative zones 0
Aug 19 14:05:49 demeter dnsmasq[5238]: serveur 192.168.0.1#53: requêtes envoyées 7, requêtes réessayées ou échouées 0
Aug 19 14:05:49 demeter dnsmasq[5238]: serveur 10.x.x.1#53: requêtes envoyées 0, requêtes réessayées ou échouées 0
Aug 19 14:06:06 demeter dnsmasq[5238]: horodatage 1471629966
Aug 19 14:06:06 demeter dnsmasq[5238]: taille de cache 0, 0/0 insertions dans le cache entrées non-expirées réutilisées
Aug 19 14:06:06 demeter dnsmasq[5238]: requêtes transmises 40325, requêtes résolues localement 448
Aug 19 14:06:06 demeter dnsmasq[5238]: queries for authoritative zones 0
Aug 19 14:06:06 demeter dnsmasq[5238]: serveur 192.168.0.1#53: requêtes envoyées 7, requêtes réessayées ou échouées 0
Aug 19 14:06:06 demeter dnsmasq[5238]: serveur 10.x.x.1#53: requêtes envoyées 1, requêtes réessayées ou échouées 0

Followed by tries to resolve www.google.com (local), www.canonical.com
(local), at which point you reached 7/0; then lcy01.buildd (intended for
the VPN), which brings the status up to 7/1. The only one that went to
the VPN was the request for lcy01.buildd; and it was rejected NXDOMAIN
(and didn't go to the local DNS at all). Everything happened as
intended.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1603898

Title:
  DNS resolution fails when using VPN and routing all traffic over it

Status in network-manager package in Ubuntu:
  New
Status in network-manager source package in Xenial:
  New

Bug description:
  When using our company VPN, the Network Manager configured dnsmasq
  ends up in a weird state where it's unable to answer queries because
  it's (incorrectly) sending them to 127.0.0.1:53 where nothing is
  listening.

  | root@ornery:~# nmcli con show 'Canonical UK - All Traffic' | grep -i dns
  | ipv4.dns:
  | ipv4.dns-search:
  | ipv4.dns-options:                       (default)
  | ipv4.ignore-auto-dns:                   no
  | ipv6.dns:
  | ipv6.dns-search:
  | ipv6.dns-options:                       (default)
  | ipv6.ignore-auto-dns:                   no
  | IP4.DNS[1]:                             10.172.192.1
  | root@ornery:~# ps auxfwwwww | grep [4]035
  | nobody    4035  0.0  0.0  52872  1620 ?        S    Jun29   6:39  \_ /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
  | root@ornery:~# 

  Querying the DNS server provided by the VPN connection works; querying
  dnsmasq doesn't:

  | root@ornery:~# dig +short @10.172.192.1 www.openbsd.org
  | 129.128.5.194
  | root@ornery:~# dig @127.0.1.1 www.openbsd.org
  | 
  | ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.1.1 www.openbsd.org
  | ; (1 server found)
  | ;; global options: +cmd
  | ;; Got answer:
  | ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6996
  | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  | 
  | ;; QUESTION SECTION:
  | ;www.openbsd.org.               IN      A
  | 
  | ;; Query time: 0 msec
  | ;; SERVER: 127.0.1.1#53(127.0.1.1)
  | ;; WHEN: Mon Jul 18 10:25:48 CEST 2016
  | ;; MSG SIZE  rcvd: 33
  | 
  | root@ornery:~# 

  While running 'dig @127.0.1.1 www.openbsd.org':

  | root@ornery:~# tcpdump -i lo port 53 -v -n
  | tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
  | 10:26:04.728905 IP (tos 0x0, ttl 64, id 56577, offset 0, flags [none], proto UDP (17), length 72)
  |     127.0.0.1.54917 > 127.0.1.1.53: 32273+ [1au] A? www.openbsd.org. (44)
  | 10:26:04.729001 IP (tos 0x0, ttl 64, id 49204, offset 0, flags [DF], proto UDP (17), length 61)
  |     127.0.1.1.53 > 127.0.0.1.54917: 32273 Refused$ 0/0/0 (33)

  | root@ornery:~# netstat -anp | grep 127.0.[01].1:53
  | tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      4035/dnsmasq
  | udp        0      0 127.0.1.1:53            0.0.0.0:*                           4035/dnsmasq
  | root@ornery:~# 

  You can see below a) that dnsmasq thinks it is configured to use a DNS
  server provided by the VPN, and/but that b) it tries to answer a non
  local query like www.openbsd.org locally.

  | root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
  | Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
  | Jul 18 09:29:22 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
  | Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
  | Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
  | Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
  | root@ornery:~# dig +short @127.0.1.1 www.openbsd.org
  | root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
  | Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
  | Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
  | Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
  | Jul 18 09:29:37 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
  | Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
  | Jul 18 09:29:37 ornery dnsmasq[4035]: queries for authoritative zones 0
  | Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
  | root@ornery:~# 

  This is on Ubuntu 16.04, with the following packages:

  | james@ornery:~$ COLUMNS=200 dpkg -l dnsmasq-base network-manager network-manager-openvpn | grep ^ii
  | ii  dnsmasq-base                                 2.75-1ubuntu0.16.04.1       amd64                       Small caching DNS proxy and DHCP/TFTP server
  | ii  network-manager                              1.2.0-0ubuntu0.16.04.2      amd64                       network management framework (daemon and userspace tools)
  | ii  network-manager-openvpn                      1.1.93-1ubuntu1             amd64                       network management framework (OpenVPN plugin core)
  | james@ornery:~$
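
The counter comparison used in both the reply and the bug description above, as an added example (not part of the original thread, nor NetworkManager or dnsmasq code): it parses the statistics dnsmasq logs on kill -USR1 and reports how many queries each upstream received between two dumps. The function names are hypothetical, and the sample text is constructed from the page's counter lines, unwrapped to one syslog entry per line.

```python
import re

# dnsmasq statistics lines, in the English and French wording logged on this page.
START = re.compile(r"dnsmasq\[\d+\]: (?:time|horodatage) (\d+)$")
LOCAL = re.compile(r"(?:queries answered locally|requêtes résolues localement) (\d+)")
SERVER = re.compile(r"(?:server|serveur) (\S+)#\d+: (?:queries sent|requêtes envoyées) (\d+)")

def parse_snapshots(log_text):
    """Return one dict per SIGUSR1 statistics dump found in unwrapped syslog text."""
    snaps = []
    for line in log_text.splitlines():
        if (t := START.search(line)):
            snaps.append({"time": int(t.group(1)), "local": 0, "sent": {}})
        elif snaps and (l := LOCAL.search(line)):
            snaps[-1]["local"] = int(l.group(1))
        elif snaps and (s := SERVER.search(line)):
            snaps[-1]["sent"][s.group(1)] = int(s.group(2))
    return snaps

def delta(before, after):
    """Counter increases between two dumps: where the test lookups actually went."""
    d = {srv: n - before["sent"].get(srv, 0) for srv, n in after["sent"].items()}
    d["answered_locally"] = after["local"] - before["local"]
    return d

# Constructed sample: the page's counter lines, unwrapped, two dumps per host.
SAMPLE = """\
Aug 19 14:05:49 demeter dnsmasq[5238]: horodatage 1471629949
Aug 19 14:05:49 demeter dnsmasq[5238]: requêtes transmises 40324, requêtes résolues localement 448
Aug 19 14:05:49 demeter dnsmasq[5238]: serveur 192.168.0.1#53: requêtes envoyées 7, requêtes réessayées ou échouées 0
Aug 19 14:05:49 demeter dnsmasq[5238]: serveur 10.x.x.1#53: requêtes envoyées 0, requêtes réessayées ou échouées 0
Aug 19 14:06:06 demeter dnsmasq[5238]: horodatage 1471629966
Aug 19 14:06:06 demeter dnsmasq[5238]: requêtes transmises 40325, requêtes résolues localement 448
Aug 19 14:06:06 demeter dnsmasq[5238]: serveur 192.168.0.1#53: requêtes envoyées 7, requêtes réessayées ou échouées 0
Aug 19 14:06:06 demeter dnsmasq[5238]: serveur 10.x.x.1#53: requêtes envoyées 1, requêtes réessayées ou échouées 0
Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
"""

if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE)
    print("split DNS working:", delta(snaps[0], snaps[1]))
    print("reported bug:     ", delta(snaps[2], snaps[3]))
```

A test lookup that raises only the answered-locally counter, with no upstream counter moving, matches the behaviour reported in the bug; a lookup that raises exactly one upstream counter shows which resolver received it.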
