Stuart Henderson <stu.li...@spacehopper.org> wrote:
> On 2024-02-15, Rudolf Sykora <rsyk...@disroot.org> wrote:
> > Josh Grosse <j...@jggimi.net> wrote:
> >> On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
> >> > my computer is connected to a LAN, from which it obtains its
> >> > IP and also local-DNS-server IP via DHCP. The latter is then
> >> > inserted into /etc/resolv.conf by, I believe, resolvd. The
> >> > computer is furthermore connected via wireguard VPN to
> >> > another network with its own DNS server, serving the local
> >> > IPs there. The DNS server in my LAN, of course, does not
> >> > know the (non-public) IPs in the remote network. However, as
> >> > it comes 1st in /etc/resolv.conf, the nameserver that comes
> >> > next (I manually added it to the file) --- and which would
> >> > know the answer --- is never asked. I can stop resolvd and
> >> > use the DNS server within the VPN for all the traffic. But
> >> > I'd still prefer to have most of the work done by the local
> >> > DNS server, and only if it doesn't know I would ask the
> >> > server in the VPN. Is there anything simple I can do?
> >>
> >> Take a look at unwind(8) and unwind.conf(5).
> >
> >
> > Ok. Creating /etc/unwind.conf with
> >
> > forwarder {X.X.X.X}
> >
> > where X.X.X.X is the IP address of the DNS server within the VPN,
> > and turning on unwind with
> >
> > ;rcctl enable unwind
> > ;rcctl start unwind
> >
> > does do something, in the sense that I get all the symbolic
> > names resolved. But can I tell what DNS server was asked for
> > the translation? --- so that I can check that it is the
> > local nameserver (as obtained from the local DHCP server)
> > that gets queried first and only when it does not know the
> > answer, unwind asks VPN DNS server (X.X.X.X above) for the
> > answer?
>
> you can't do "fallback if domain doesn't exist in the first resolver",
> but you can tell it to always use the forwarder for certain domains.
>
> as well as configuring the forwarder, use something like "preference
> autoconf" and "force forwarder {some.domain other.domain}".

Thanks. I think force forwarder {vpn.domain} works for me.

Ruda
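Putting the three directives from the thread together into one /etc/unwind.conf, as an added example that is not part of the original mail thread. The forwarder address 192.0.2.53 is a placeholder for the VPN's DNS server (the X.X.X.X of the thread), and vpn.domain stands for the domain served only inside the VPN.

```conf
# /etc/unwind.conf (added example, not from the thread)

# The DNS server reachable only over the wireguard VPN.
# 192.0.2.53 is a placeholder; substitute the real VPN resolver.
forwarder { 192.0.2.53 }

# Prefer the resolvers learned via DHCP (the LAN nameserver that
# resolvd puts into /etc/resolv.conf) for ordinary lookups, rather
# than sending everything through the VPN forwarder.
preference autoconf

# Names under vpn.domain are always sent to the forwarder above,
# since the LAN resolver cannot answer for them. This is a static
# split by domain, not a fallback on NXDOMAIN from the LAN resolver.
force forwarder { vpn.domain }
```

After editing, `rcctl enable unwind` and `rcctl start unwind` as in the thread; `unwindctl status` lists the configured resolver types and their current state.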