Re: VPN + dnsmasq = split dns?
----- Original Message -----
> From: "Mathieu Trudel-Lapierre"
> To: "Olav Morken"
> Cc: "Pavel Simerda", "ML NetworkManager", "Tomas Hozza"
> Sent: Tuesday, December 2, 2014 9:30:09 PM
> Subject: Re: VPN + dnsmasq = split dns?
>
> On Tue, Dec 2, 2014 at 1:24 PM, Olav Morken wrote:
> [...]
> > > I don't think it makes sense. Running a local DNS cache is good for other reasons as well and I don't see a reason to drop dnsmasq just because you are connected to a VPN. Or did I misunderstand? What exactly is the problem with upstream NM and could we have a bug report for it?
> >
> > Ubuntu doesn't drop dnsmasq when running on a VPN. By default, Network Manager assumes that if you are running dnsmasq you want split DNS with your VPN. That includes if you have a default route over your VPN. Since that breaks DNS when you connect to your VPN, Ubuntu has a fix for it, which involves disabling split DNS in that case. My problem was that the fix wasn't complete.
>
> Actually, I wrote at least some of the patches. The intent was that it should work just as well if the default gateway goes through the VPN (i.e. no split-tunnel).
>
> If it doesn't work, that's a bug you can file on Launchpad against the network-manager package (but I'm going to take a good look now since I want to upstream these patches).
>
> > I certainly think that the "split DNS with default route" problem would be something that should probably be fixed in Network Manager as well, unless dnsmasq is only supposed to be used with split DNS. If I understand correctly dnsmasq is the only DNS backend that implements split DNS with Network Manager at the moment, but if any others implemented it, they would probably need the same fix.
>
> Indeed.

For now. With new versions of NetworkManager, unbound and dnssec-trigger, there will also be the unbound DNS backend with extended DNSSEC capabilities.

Cheers,
Pavel

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: VPN + dnsmasq = split dns?
On Tue, Dec 02, 2014 at 15:30:09 -0500, Mathieu Trudel-Lapierre wrote:
> On Tue, Dec 2, 2014 at 1:24 PM, Olav Morken wrote:
> [...]
> > > I don't think it makes sense. Running a local DNS cache is good for other reasons as well and I don't see a reason to drop dnsmasq just because you are connected to a VPN. Or did I misunderstand? What exactly is the problem with upstream NM and could we have a bug report for it?
> >
> > Ubuntu doesn't drop dnsmasq when running on a VPN. By default, Network Manager assumes that if you are running dnsmasq you want split DNS with your VPN. That includes if you have a default route over your VPN. Since that breaks DNS when you connect to your VPN, Ubuntu has a fix for it, which involves disabling split DNS in that case. My problem was that the fix wasn't complete.
>
> Actually, I wrote at least some of the patches. The intent was that it should work just as well if the default gateway goes through the VPN (i.e. no split-tunnel).
>
> If it doesn't work, that's a bug you can file on Launchpad against the network-manager package (but I'm going to take a good look now since I want to upstream these patches).

I already did:

https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1390623

Basically, as far as I can tell, the problem is when you have both IPv6 and IPv4, but only provide IPv4 DNS servers. The IPv4 DNS servers were added with split DNS in my case.

Best regards,
Olav Morken
Re: VPN + dnsmasq = split dns?
On Tue, Dec 2, 2014 at 1:24 PM, Olav Morken wrote:
[...]
> > I don't think it makes sense. Running a local DNS cache is good for other reasons as well and I don't see a reason to drop dnsmasq just because you are connected to a VPN. Or did I misunderstand? What exactly is the problem with upstream NM and could we have a bug report for it?
>
> Ubuntu doesn't drop dnsmasq when running on a VPN. By default, Network Manager assumes that if you are running dnsmasq you want split DNS with your VPN. That includes if you have a default route over your VPN. Since that breaks DNS when you connect to your VPN, Ubuntu has a fix for it, which involves disabling split DNS in that case. My problem was that the fix wasn't complete.

Actually, I wrote at least some of the patches. The intent was that it should work just as well if the default gateway goes through the VPN (i.e. no split-tunnel).

If it doesn't work, that's a bug you can file on Launchpad against the network-manager package (but I'm going to take a good look now since I want to upstream these patches).

> I certainly think that the "split DNS with default route" problem would be something that should probably be fixed in Network Manager as well, unless dnsmasq is only supposed to be used with split DNS. If I understand correctly dnsmasq is the only DNS backend that implements split DNS with Network Manager at the moment, but if any others implemented it, they would probably need the same fix.

Indeed.

Mathieu Trudel-Lapierre
Freenode: cyphermox, Jabber: mathieu...@gmail.com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E FF82 C126 33E1 EE01 8C93
Re: VPN + dnsmasq = split dns?
On Thu, Nov 27, 2014 at 07:24:13 -0500, Pavel Simerda wrote:
> > > Odd... I'm not quite sure why it would be happening that way. In any case, NM should only be doing split DNS when 'dns=dnsmasq' is set *and* the VPN sends a domain name to NetworkManager. So I'd expect to see your #1 case above also do "local" VPN DNS servers, with the DHCP servers as fallback.
> >
> > After investigating this, I think I have found the cause of the behavior:
> >
> > Ubuntu carries a patch[1] which disables split DNS when it notices that it is on a VPN connection with a default route. This makes sense, since otherwise users of Ubuntu wouldn't be able to connect to VPNs as long as they are running dnsmasq (which they are by default).
>
> I don't think it makes sense. Running a local DNS cache is good for other reasons as well and I don't see a reason to drop dnsmasq just because you are connected to a VPN. Or did I misunderstand? What exactly is the problem with upstream NM and could we have a bug report for it?

Ubuntu doesn't drop dnsmasq when running on a VPN. By default, Network Manager assumes that if you are running dnsmasq you want split DNS with your VPN. That includes if you have a default route over your VPN. Since that breaks DNS when you connect to your VPN, Ubuntu has a fix for it, which involves disabling split DNS in that case. My problem was that the fix wasn't complete.

I certainly think that the "split DNS with default route" problem would be something that should probably be fixed in Network Manager as well, unless dnsmasq is only supposed to be used with split DNS. If I understand correctly dnsmasq is the only DNS backend that implements split DNS with Network Manager at the moment, but if any others implemented it, they would probably need the same fix.

However, since I don't run a "pure" Network Manager, I do not have the ability to test its behavior, so I don't think I can open a bug for this.

Best regards,
Olav Morken
Re: VPN + dnsmasq = split dns?
> We also have a bug report for handling VPN DNS servers but that's about the special case of having default IPv4 on VPN and default IPv6 on local network.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1091356

Sorry, it seems to be entirely unrelated.
Re: VPN + dnsmasq = split dns?
----- Original Message -----
> From: "Olav Morken"
> To: networkmanager-list@gnome.org
> Sent: Friday, November 7, 2014 10:53:05 PM
> Subject: Re: VPN + dnsmasq = split dns?
>
> Hi,
>
> sorry for the late response here. I finally found some time to look at this again now.
>
> On Wed, Oct 22, 2014 at 13:54:32 -0500, Dan Williams wrote:
> > > > Let us know what the results are!
> > >
> > > For what it is worth, after further testing we have determined that it is the IPv6 configuration that "breaks" the DNS config. We have seen three different behaviors, depending on the VPN config:
> > >
> > > 1. VPN with only IPv4 address and default route:
> > >
> > >    The DNS servers are added as global DNS servers.
> > >
> > > 2. VPN with both IPv4 and IPv6 addresses and default routes, but only IPv4 DNS servers pushed through VPN configuration:
> > >
> > >    The DNS servers are added as local DNS servers, with no "global" DNS servers.
> > >
> > > 3. VPN with both IPv4 and IPv6 addresses and default routes, and both IPv4 and IPv6 DNS servers pushed through VPN configuration:
> > >
> > >    The IPv4 DNS servers are added as "local" DNS servers, and one of the IPv6 DNS servers is added as a "global" DNS server.
> > >
> > > It was scenario 2 that was the original problem. For now, it looks like we have a workaround in scenario 3, since in that case we are left with an IPv6 DNS server that can be used for global queries.
> > >
> > > A wild guess from me is that the Ubuntu developers noticed the broken VPN DNS behavior with dnsmasq (since dnsmasq is the default on Ubuntu), and fixed it for the IPv4-only VPN case, but forgot to handle the IPv4-and-IPv6 case.
> > >
> > > I think I'll try to raise it as an Ubuntu bug, and live with pushing an IPv6 DNS server as a workaround.
> >
> > Odd... I'm not quite sure why it would be happening that way. In any case, NM should only be doing split DNS when 'dns=dnsmasq' is set *and* the VPN sends a domain name to NetworkManager. So I'd expect to see your #1 case above also do "local" VPN DNS servers, with the DHCP servers as fallback.
>
> After investigating this, I think I have found the cause of the behavior:
>
> Ubuntu carries a patch[1] which disables split DNS when it notices that it is on a VPN connection with a default route. This makes sense, since otherwise users of Ubuntu wouldn't be able to connect to VPNs as long as they are running dnsmasq (which they are by default).

I don't think it makes sense. Running a local DNS cache is good for other reasons as well and I don't see a reason to drop dnsmasq just because you are connected to a VPN. Or did I misunderstand? What exactly is the problem with upstream NM and could we have a bug report for it?

I wonder how related our Unbound bug report in Fedora is. We also have a bug report for handling VPN DNS servers but that's about the special case of having default IPv4 on VPN and default IPv6 on local network.

https://bugzilla.redhat.com/show_bug.cgi?id=1091356

> From what I can tell, the reason for the behavior I am seeing is that the patch only fixes the split DNS for the first VPN configuration it finds with a default route.
>
> Now, when you connect to a VPN with both IPv6 and IPv4, the first configuration it finds may be the one with IPv6. In that case, it will add the DNS servers from the IPv6 configuration (if any) without split DNS. Any subsequent IPv4 configuration is still added using split DNS.
>
> I have filed a bug[2] for it on Launchpad.

Good. But finally it would be good to fix this upstream.

Cheers,
Pavel

> (Regarding the missing DHCP DNS servers, that is caused by a different part of the patch, which makes sure that it doesn't add the local DNS servers when it is on a VPN with a default route. This makes sense, since reaching those DNS servers is unlikely to be what you would want. It would also be likely to fail, since the DNS packets would still be sent over the VPN with the default route.)
>
> [1] http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/dnsmasq-vpn-dns-filtering.patch
> [2] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1390623
>
> Best regards,
> Olav Morken
Re: VPN + dnsmasq = split dns?
Hi,

sorry for the late response here. I finally found some time to look at this again now.

On Wed, Oct 22, 2014 at 13:54:32 -0500, Dan Williams wrote:
> > > Let us know what the results are!
> >
> > For what it is worth, after further testing we have determined that it is the IPv6 configuration that "breaks" the DNS config. We have seen three different behaviors, depending on the VPN config:
> >
> > 1. VPN with only IPv4 address and default route:
> >
> >    The DNS servers are added as global DNS servers.
> >
> > 2. VPN with both IPv4 and IPv6 addresses and default routes, but only IPv4 DNS servers pushed through VPN configuration:
> >
> >    The DNS servers are added as local DNS servers, with no "global" DNS servers.
> >
> > 3. VPN with both IPv4 and IPv6 addresses and default routes, and both IPv4 and IPv6 DNS servers pushed through VPN configuration:
> >
> >    The IPv4 DNS servers are added as "local" DNS servers, and one of the IPv6 DNS servers is added as a "global" DNS server.
> >
> > It was scenario 2 that was the original problem. For now, it looks like we have a workaround in scenario 3, since in that case we are left with an IPv6 DNS server that can be used for global queries.
> >
> > A wild guess from me is that the Ubuntu developers noticed the broken VPN DNS behavior with dnsmasq (since dnsmasq is the default on Ubuntu), and fixed it for the IPv4-only VPN case, but forgot to handle the IPv4-and-IPv6 case.
> >
> > I think I'll try to raise it as an Ubuntu bug, and live with pushing an IPv6 DNS server as a workaround.
>
> Odd... I'm not quite sure why it would be happening that way. In any case, NM should only be doing split DNS when 'dns=dnsmasq' is set *and* the VPN sends a domain name to NetworkManager. So I'd expect to see your #1 case above also do "local" VPN DNS servers, with the DHCP servers as fallback.

After investigating this, I think I have found the cause of the behavior:

Ubuntu carries a patch[1] which disables split DNS when it notices that it is on a VPN connection with a default route. This makes sense, since otherwise users of Ubuntu wouldn't be able to connect to VPNs as long as they are running dnsmasq (which they are by default).

From what I can tell, the reason for the behavior I am seeing is that the patch only fixes the split DNS for the first VPN configuration it finds with a default route.

Now, when you connect to a VPN with both IPv6 and IPv4, the first configuration it finds may be the one with IPv6. In that case, it will add the DNS servers from the IPv6 configuration (if any) without split DNS. Any subsequent IPv4 configuration is still added using split DNS.

I have filed a bug[2] for it on Launchpad.

(Regarding the missing DHCP DNS servers, that is caused by a different part of the patch, which makes sure that it doesn't add the local DNS servers when it is on a VPN with a default route. This makes sense, since reaching those DNS servers is unlikely to be what you would want. It would also be likely to fail, since the DNS packets would still be sent over the VPN with the default route.)

[1] http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/dnsmasq-vpn-dns-filtering.patch
[2] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1390623

Best regards,
Olav Morken
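The following is an added model of the decision logic Olav describes above; it is not NetworkManager's, Ubuntu's or the patch's code. It walks the VPN's IP configurations in order and either adds their nameservers globally or scopes them to the VPN domain, once under the "first default-route configuration only" rule Olav found and once under the behaviour everyone in the thread expects (every default-route VPN configuration contributes global servers), then reports whether dnsmasq is left with any global upstream at all. The processing order (IPv6 before IPv4), the treatment of a VPN configuration without a domain, the LAN nameserver 192.0.2.53 and the IPv6 VPN nameserver 2001:db8::53 are all assumptions; the IPv4 nameservers and domain are the ones from the original report.

```python
"""Model of the split-DNS decision discussed in this thread (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IpConfig:
    """One IP configuration as the DNS manager receives it."""
    family: str                     # "ipv4" or "ipv6"
    vpn: bool                       # True if it belongs to the VPN connection
    default_route: bool             # True if this configuration carries the default route
    nameservers: List[str] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)


@dataclass
class Upstreams:
    """What dnsmasq ends up with: global upstreams plus domain-scoped ones."""
    global_servers: List[str] = field(default_factory=list)
    scoped: List[Tuple[str, str]] = field(default_factory=list)   # (domain, server)

    def has_global_resolver(self) -> bool:
        # False is the symptom from the thread: every query outside the
        # scoped domains is answered with REFUSED.
        return bool(self.global_servers)


def build_upstreams(configs: List[IpConfig], first_match_only: bool = True) -> Upstreams:
    """first_match_only=True models the Ubuntu patch as Olav describes it;
    first_match_only=False models the intended behaviour."""
    out = Upstreams()
    vpn_has_default = any(c.vpn and c.default_route for c in configs)
    default_vpn_seen = False
    for cfg in configs:
        if not cfg.vpn:
            # Second part of the patch: local (DHCP) nameservers are dropped while a
            # default-route VPN is up, since queries to them would go over the tunnel.
            if not vpn_has_default:
                out.global_servers.extend(cfg.nameservers)
            continue
        disable_split = cfg.default_route and not (first_match_only and default_vpn_seen)
        if cfg.default_route:
            default_vpn_seen = True
        if disable_split or not cfg.domains:
            # Assumption: with no domain there is nothing to scope to, so the
            # servers become global (Dan: split DNS needs a domain from the VPN).
            out.global_servers.extend(cfg.nameservers)
        else:
            out.scoped.extend((d, s) for d in cfg.domains for s in cfg.nameservers)
    return out


# Constructed inputs: the LAN nameserver and the IPv6 VPN nameserver are made up,
# the IPv4 nameservers and domain are those of the original report.
LAN = IpConfig("ipv4", vpn=False, default_route=True, nameservers=["192.0.2.53"])
VPN4 = IpConfig("ipv4", vpn=True, default_route=True,
                nameservers=["198.51.100.57", "198.51.100.168"], domains=["example.org"])
VPN6_NO_DNS = IpConfig("ipv6", vpn=True, default_route=True, domains=["example.org"])
VPN6_DNS = IpConfig("ipv6", vpn=True, default_route=True,
                    nameservers=["2001:db8::53"], domains=["example.org"])

SCENARIOS: Dict[int, List[IpConfig]] = {
    1: [LAN, VPN4],                 # IPv4-only VPN with default route
    2: [LAN, VPN6_NO_DNS, VPN4],    # IPv4+IPv6 VPN, IPv4 nameservers only (IPv6 processed first)
    3: [LAN, VPN6_DNS, VPN4],       # IPv4+IPv6 VPN, nameservers pushed for both
}


def scenario_result(n: int, first_match_only: bool = True) -> Upstreams:
    return build_upstreams(SCENARIOS[n], first_match_only)


if __name__ == "__main__":
    for n in SCENARIOS:
        for label, mode in (("first-match-only patch", True), ("intended behaviour", False)):
            r = scenario_result(n, mode)
            state = "ok" if r.has_global_resolver() else "REFUSED for other domains"
            print(f"scenario {n} ({label}): global={r.global_servers} scoped={r.scoped} -> {state}")
```

Under the first-match-only rule, scenario 2 ends with only domain-scoped upstreams, which is the REFUSED-for-everything-else state the thread started with; scenario 3 only "works" because the IPv6 nameserver happens to land in the global list. Any fix that makes the decision per configuration rather than per first match gives scenario 2 the same result as scenario 1.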
Re: VPN + dnsmasq = split dns?
On Tue, 2014-10-21 at 07:09 +0200, Olav Morken wrote:
> On Mon, Oct 20, 2014 at 16:20:03 -0500, Dan Williams wrote:
> > On Fri, 2014-10-10 at 21:17 +0200, Olav Morken wrote:
> > > Hi,
> > >
> > > I am trying to set up Network Manager to connect to an OpenVPN server, and have trouble understanding how it applies the DNS settings it receives from the server.
> >
> > Sorry for the late reply...
> >
> > Which version of NM do you have, and what distro?
>
> It's XUbuntu 14.04 with network-manager 0.9.8.8-0ubuntu7
>
> (I guess I should have been clearer about it being included at the end of my original message :) )
>
> > > Basically, as far as I can tell, it automatically assumes that I want to use split dns, and limits the DNS servers it receives from the OpenVPN servers to the domains it assumes "belongs to" this configuration. However, it also ignores the existing DNS servers it has configured.
> >
> > By default, NM will not do split DNS, which means when the VPN is connected, the VPN nameservers replace the existing nameservers. This is required to ensure that if for some reason the VPN nameservers cannot be contacted, that your queries don't fall back to the non-VPN nameservers and return bogus (and potentially malicious) results.
> >
> > But, if you add "dns=dnsmasq" to the /etc/NetworkManager/NetworkManager.conf file and install 'dnsmasq', then NM will run in split DNS mode. Here, NM will spawn a private copy of dnsmasq and send it configuration to direct any queries ending in the domain passed back from the openvpn server (or entered into the NM configuration for that VPN connection) to the VPN nameservers, and everything else to the non-VPN nameservers.
>
> That is quite a large change in behavior for someone running with dnsmasq. I also think it is the wrong behavior when we are pushing a default route over the VPN. With a default route over the VPN it is likely that we would want all traffic, including DNS traffic over the VPN. It is also likely that the user would end up trying to contact the local DNS servers over the VPN, which would break.

If you want everything to go to the VPN nameservers, then 'dns=dnsmasq' isn't what you want, since that is what enables this local caching nameserver configuration. I guess you just want the non-local-caching configuration, where you can just not specify "dns=".

> > > That leaves us with a dnsmasq configured with two nameservers it will query for two specific subdomains, and no nameservers it will use for other domains. The result is that dnsmasq is only willing to respond to DNS queries for those subdomains, and respond with "REFUSED" for every other domain.
> > >
> > > I assume that this is not the way it is supposed to work, since that would mean that everyone connecting to a VPN would be unable to access most of the Internet. I therefore assume that there is something wrong with my configuration.
> >
> > That sounds like a bug; do you know if you have any custom dnsmasq configuration on that system? Also check two things:
> >
> > 1) /etc/resolv.conf should have "127.0.0.1" as the only nameserver
> > 2) Look in /var/run/NetworkManager (or /run/NetworkManager) for the 'dnsmasq.conf' file which is what NM sends to dnsmasq
> >
> > (the only caveat here is that if you run Ubuntu, this procedure may not apply as the info is sent to dnsmasq over D-Bus)
>
> I wasn't aware that Ubuntu had such significant changes to Network Manager. In that case, I think the behavior we are seeing is Ubuntu-specific.
>
> There is no customization of the dnsmasq settings on this system. (In fact the behavior has been observed on several different Ubuntu installations.)
>
> From the logs (included at the end of my original message):
>
> dnsmasq[1464]: setting upstream servers from DBus
> dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
> dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
> dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
> dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org
>
> Nothing in the log about the original (non-VPN) DNS servers, so I am guessing they were removed.

I think with Ubuntu, dns=dnsmasq might be enabled by default. Can you check /etc/NetworkManager/NetworkManager.conf and if so, remove that line?

> > Let us know what the results are!
>
> For what it is worth, after further testing we have determined that it is the IPv6 configuration that "breaks" the DNS config. We have seen three different behaviors, depending on the VPN config:
>
> 1. VPN with only IPv4 address and default route:
>
>    The DNS servers are added as global DNS servers.
>
> 2. VPN with both IPv4 and IPv6 addresses and default routes, but only IPv4 DNS servers pushed th
Re: VPN + dnsmasq = split dns?
On Mon, Oct 20, 2014 at 16:20:03 -0500, Dan Williams wrote:
> On Fri, 2014-10-10 at 21:17 +0200, Olav Morken wrote:
> > Hi,
> >
> > I am trying to set up Network Manager to connect to an OpenVPN server, and have trouble understanding how it applies the DNS settings it receives from the server.
>
> Sorry for the late reply...
>
> Which version of NM do you have, and what distro?

It's XUbuntu 14.04 with network-manager 0.9.8.8-0ubuntu7

(I guess I should have been clearer about it being included at the end of my original message :) )

> > Basically, as far as I can tell, it automatically assumes that I want to use split dns, and limits the DNS servers it receives from the OpenVPN servers to the domains it assumes "belongs to" this configuration. However, it also ignores the existing DNS servers it has configured.
>
> By default, NM will not do split DNS, which means when the VPN is connected, the VPN nameservers replace the existing nameservers. This is required to ensure that if for some reason the VPN nameservers cannot be contacted, that your queries don't fall back to the non-VPN nameservers and return bogus (and potentially malicious) results.
>
> But, if you add "dns=dnsmasq" to the /etc/NetworkManager/NetworkManager.conf file and install 'dnsmasq', then NM will run in split DNS mode. Here, NM will spawn a private copy of dnsmasq and send it configuration to direct any queries ending in the domain passed back from the openvpn server (or entered into the NM configuration for that VPN connection) to the VPN nameservers, and everything else to the non-VPN nameservers.

That is quite a large change in behavior for someone running with dnsmasq. I also think it is the wrong behavior when we are pushing a default route over the VPN. With a default route over the VPN it is likely that we would want all traffic, including DNS traffic over the VPN. It is also likely that the user would end up trying to contact the local DNS servers over the VPN, which would break.

> > That leaves us with a dnsmasq configured with two nameservers it will query for two specific subdomains, and no nameservers it will use for other domains. The result is that dnsmasq is only willing to respond to DNS queries for those subdomains, and respond with "REFUSED" for every other domain.
> >
> > I assume that this is not the way it is supposed to work, since that would mean that everyone connecting to a VPN would be unable to access most of the Internet. I therefore assume that there is something wrong with my configuration.
>
> That sounds like a bug; do you know if you have any custom dnsmasq configuration on that system? Also check two things:
>
> 1) /etc/resolv.conf should have "127.0.0.1" as the only nameserver
> 2) Look in /var/run/NetworkManager (or /run/NetworkManager) for the 'dnsmasq.conf' file which is what NM sends to dnsmasq
>
> (the only caveat here is that if you run Ubuntu, this procedure may not apply as the info is sent to dnsmasq over D-Bus)

I wasn't aware that Ubuntu had such significant changes to Network Manager. In that case, I think the behavior we are seeing is Ubuntu-specific.

There is no customization of the dnsmasq settings on this system. (In fact the behavior has been observed on several different Ubuntu installations.)

From the logs (included at the end of my original message):

dnsmasq[1464]: setting upstream servers from DBus
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org

Nothing in the log about the original (non-VPN) DNS servers, so I am guessing they were removed.

> Let us know what the results are!

For what it is worth, after further testing we have determined that it is the IPv6 configuration that "breaks" the DNS config. We have seen three different behaviors, depending on the VPN config:

1. VPN with only IPv4 address and default route:

   The DNS servers are added as global DNS servers.

2. VPN with both IPv4 and IPv6 addresses and default routes, but only IPv4 DNS servers pushed through VPN configuration:

   The DNS servers are added as local DNS servers, with no "global" DNS servers.

3. VPN with both IPv4 and IPv6 addresses and default routes, and both IPv4 and IPv6 DNS servers pushed through VPN configuration:

   The IPv4 DNS servers are added as "local" DNS servers, and one of the IPv6 DNS servers is added as a "global" DNS server.

It was scenario 2 that was the original problem. For now, it looks like we have a workaround in scenario 3, since in that case we are left with an IPv6 DNS server that can be used for global queries.

A wild guess from me is that the Ubuntu developers noticed the broken VPN DNS behavi
Re: VPN + dnsmasq = split dns?
On Fri, 2014-10-10 at 21:17 +0200, Olav Morken wrote:
> Hi,
>
> I am trying to set up Network Manager to connect to an OpenVPN server, and have trouble understanding how it applies the DNS settings it receives from the server.

Sorry for the late reply...

Which version of NM do you have, and what distro?

> Basically, as far as I can tell, it automatically assumes that I want to use split dns, and limits the DNS servers it receives from the OpenVPN servers to the domains it assumes "belongs to" this configuration. However, it also ignores the existing DNS servers it has configured.

By default, NM will not do split DNS, which means when the VPN is connected, the VPN nameservers replace the existing nameservers. This is required to ensure that if for some reason the VPN nameservers cannot be contacted, that your queries don't fall back to the non-VPN nameservers and return bogus (and potentially malicious) results.

But, if you add "dns=dnsmasq" to the /etc/NetworkManager/NetworkManager.conf file and install 'dnsmasq', then NM will run in split DNS mode. Here, NM will spawn a private copy of dnsmasq and send it configuration to direct any queries ending in the domain passed back from the openvpn server (or entered into the NM configuration for that VPN connection) to the VPN nameservers, and everything else to the non-VPN nameservers.

> That leaves us with a dnsmasq configured with two nameservers it will query for two specific subdomains, and no nameservers it will use for other domains. The result is that dnsmasq is only willing to respond to DNS queries for those subdomains, and respond with "REFUSED" for every other domain.
>
> I assume that this is not the way it is supposed to work, since that would mean that everyone connecting to a VPN would be unable to access most of the Internet. I therefore assume that there is something wrong with my configuration.

That sounds like a bug; do you know if you have any custom dnsmasq configuration on that system? Also check two things:

1) /etc/resolv.conf should have "127.0.0.1" as the only nameserver
2) Look in /var/run/NetworkManager (or /run/NetworkManager) for the 'dnsmasq.conf' file which is what NM sends to dnsmasq

(the only caveat here is that if you run Ubuntu, this procedure may not apply as the info is sent to dnsmasq over D-Bus)

Let us know what the results are!

Dan

> I am however unable to tell what makes it choose this behavior. I tried to look at the code, and found the location where it adds the domains[1], but I was unable to find a way to override this behavior.
>
> Does anyone have any suggestions for what may trigger this behavior, and what I can do to avoid it?
>
> (Configuration details and logs from network manager included below.)
>
> Best regards,
> Olav Morken
>
> [1] http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c?id=60cce4004284242f0891160e21979a3027da6e0e#n234
>
> Configuration:
>
> Both the client and server have IPv6 enabled.
>
> The VPN configuration on the client side doesn't contain anything too exciting. It uses a TCP connection to port 443, a TUN device, and username+password authentication. Both the IPv4 and the IPv6 settings are set to "Automatic(VPN)".
>
> The OpenVPN server is configured with a TUN device and topology subnet. It pushes the following (slightly anonymized) options to the client:
>
> push "dhcp-option DNS 198.51.100.57"
> push "dhcp-option DNS 198.51.100.168"
> push "dhcp-option DOMAIN example.org"
> push "redirect-gateway def1 bypass-dhcp"
> push "route-ipv6 2000::/3"
>
> Software versions:
> XUbuntu 14.04
> network-manager 0.9.8.8-0ubuntu7
> network-manager-openvpn 0.9.8.2-1ubuntu4
> openvpn 2.3.2-7ubuntu3
>
> Log from connection:
> NetworkManager[924]: IPv4 configuration:
> NetworkManager[924]:   Internal Gateway: 192.0.2.1
> NetworkManager[924]:   Internal Address: 192.0.2.2
> NetworkManager[924]:   Internal Prefix: 25
> NetworkManager[924]:   Internal Point-to-Point Address: 0.0.0.0
> NetworkManager[924]:   Maximum Segment Size (MSS): 0
> NetworkManager[924]:   Forbid Default Route: no
> NetworkManager[924]:   Internal DNS: 198.51.100.57
> NetworkManager[924]:   Internal DNS: 198.51.100.168
> NetworkManager[924]:   DNS Domain: 'example.org'
> NetworkManager[924]: IPv6 configuration:
> NetworkManager[924]:   Internal Address: 2001:db81:4561::1000
> NetworkManager[924]:   Internal Prefix: 64
> NetworkManager[924]:   Internal Point-to-Point Address: 2001:db81:4561::1
> NetworkManager[924]:   Maximum Segment Size (MSS): 0
> NetworkManager[924]:   Static Route: 2000::/3 Next Hop: 2000::
> NetworkManager[924]:   Forbid Default Route: no
> NetworkManager[924]:   DNS Domain: 'example.org'
> NetworkManager[924]: VPN connection 'example-openvpn-config' (IP Config Get) complete.
> NetworkManager[924]: Policy
VPN + dnsmasq = split dns?
Hi,

I am trying to set up Network Manager to connect to an OpenVPN server, and have trouble understanding how it applies the DNS settings it receives from the server.

Basically, as far as I can tell, it automatically assumes that I want to use split dns, and limits the DNS servers it receives from the OpenVPN servers to the domains it assumes "belongs to" this configuration. However, it also ignores the existing DNS servers it has configured.

That leaves us with a dnsmasq configured with two nameservers it will query for two specific subdomains, and no nameservers it will use for other domains. The result is that dnsmasq is only willing to respond to DNS queries for those subdomains, and respond with "REFUSED" for every other domain.

I assume that this is not the way it is supposed to work, since that would mean that everyone connecting to a VPN would be unable to access most of the Internet. I therefore assume that there is something wrong with my configuration.

I am however unable to tell what makes it choose this behavior. I tried to look at the code, and found the location where it adds the domains[1], but I was unable to find a way to override this behavior.

Does anyone have any suggestions for what may trigger this behavior, and what I can do to avoid it?

(Configuration details and logs from network manager included below.)

Best regards,
Olav Morken

[1] http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c?id=60cce4004284242f0891160e21979a3027da6e0e#n234

Configuration:

Both the client and server have IPv6 enabled.

The VPN configuration on the client side doesn't contain anything too exciting. It uses a TCP connection to port 443, a TUN device, and username+password authentication. Both the IPv4 and the IPv6 settings are set to "Automatic(VPN)".

The OpenVPN server is configured with a TUN device and topology subnet. It pushes the following (slightly anonymized) options to the client:

push "dhcp-option DNS 198.51.100.57"
push "dhcp-option DNS 198.51.100.168"
push "dhcp-option DOMAIN example.org"
push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2000::/3"

Software versions:
XUbuntu 14.04
network-manager 0.9.8.8-0ubuntu7
network-manager-openvpn 0.9.8.2-1ubuntu4
openvpn 2.3.2-7ubuntu3

Log from connection:
NetworkManager[924]: IPv4 configuration:
NetworkManager[924]:   Internal Gateway: 192.0.2.1
NetworkManager[924]:   Internal Address: 192.0.2.2
NetworkManager[924]:   Internal Prefix: 25
NetworkManager[924]:   Internal Point-to-Point Address: 0.0.0.0
NetworkManager[924]:   Maximum Segment Size (MSS): 0
NetworkManager[924]:   Forbid Default Route: no
NetworkManager[924]:   Internal DNS: 198.51.100.57
NetworkManager[924]:   Internal DNS: 198.51.100.168
NetworkManager[924]:   DNS Domain: 'example.org'
NetworkManager[924]: IPv6 configuration:
NetworkManager[924]:   Internal Address: 2001:db81:4561::1000
NetworkManager[924]:   Internal Prefix: 64
NetworkManager[924]:   Internal Point-to-Point Address: 2001:db81:4561::1
NetworkManager[924]:   Maximum Segment Size (MSS): 0
NetworkManager[924]:   Static Route: 2000::/3 Next Hop: 2000::
NetworkManager[924]:   Forbid Default Route: no
NetworkManager[924]:   DNS Domain: 'example.org'
NetworkManager[924]: VPN connection 'example-openvpn-config' (IP Config Get) complete.
NetworkManager[924]: Policy set 'example-openvpn-config' (tun0) as default for IPv4 routing and DNS.
NetworkManager[924]: Policy set 'example-openvpn-config' (tun0) as default for IPv6 routing and DNS.
NetworkManager[924]: Writing DNS information to /sbin/resolvconf
dnsmasq[1464]: setting upstream servers from DBus
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org
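As an added example that is not part of this thread nor NetworkManager's or dnsmasq's code, the script below turns Dan's two checks (127.0.0.1 is the only nameserver in /etc/resolv.conf; the dnsmasq.conf NM writes has an unscoped upstream) and the dnsmasq "using nameserver ..." log lines from the report above into a small diagnostic. It classifies each upstream as global or domain-scoped and flags the state the whole thread is about: only domain-scoped upstreams, so dnsmasq answers REFUSED for every other name. The dnsmasq log lines embedded in it are the ones from the original report; the "healthy" extra log line, the sample dnsmasq.conf and the 192.0.2.53 nameserver are constructed, and the file paths are the ones Dan names.

```python
"""Diagnose NetworkManager + dnsmasq split-DNS state (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# dnsmasq log lines from the original report in this thread.
SAMPLE_DNSMASQ_LOG = """\
dnsmasq[1464]: setting upstream servers from DBus
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org
"""

# Constructed: the same log plus one unscoped upstream, the form dnsmasq logs
# for a server that serves every domain not covered by a scoped entry.
SAMPLE_HEALTHY_LOG = SAMPLE_DNSMASQ_LOG + "dnsmasq[1464]: using nameserver 192.0.2.53#53\n"

# Constructed dnsmasq.conf in dnsmasq's own syntax: server=/domain/ip scopes a
# server to a domain, a bare server=ip is a global upstream.
SAMPLE_DNSMASQ_CONF = """\
server=/example.org/198.51.100.57
server=/example.org/198.51.100.168
server=192.0.2.53
"""

LOG_RE = re.compile(r"using nameserver (?P<server>\S+)#(?P<port>\d+)(?: for domain (?P<domain>\S+))?")
CONF_RE = re.compile(r"^server=(?:/(?P<domain>[^/]+)/)?(?P<server>\S+)$")


@dataclass
class Upstreams:
    global_servers: List[str] = field(default_factory=list)
    scoped: List[Tuple[str, str]] = field(default_factory=list)   # (domain, server)

    def diagnose(self) -> str:
        if self.global_servers:
            return "ok"
        if self.scoped:
            # Only domain-scoped upstreams: any other name gets REFUSED.
            return "no-global-upstream"
        return "no-upstreams"


def _collect(matches) -> Upstreams:
    up = Upstreams()
    for m in matches:
        if m.group("domain"):
            up.scoped.append((m.group("domain"), m.group("server")))
        else:
            up.global_servers.append(m.group("server"))
    return up


def parse_dnsmasq_log(text: str) -> Upstreams:
    """Upstreams from dnsmasq's 'using nameserver' log lines."""
    return _collect(m for m in (LOG_RE.search(l) for l in text.splitlines()) if m)


def parse_dnsmasq_conf(text: str) -> Upstreams:
    """Upstreams from server= directives in a dnsmasq.conf."""
    return _collect(m for m in (CONF_RE.match(l.strip()) for l in text.splitlines()) if m)


def resolv_conf_ok(text: str) -> bool:
    """Dan's first check: 127.0.0.1 must be the only nameserver entry."""
    servers = [p[1] for p in (l.split() for l in text.splitlines())
               if len(p) >= 2 and p[0] == "nameserver"]
    return servers == ["127.0.0.1"]


if __name__ == "__main__":
    # On a host running NM with dns=dnsmasq this reads the live files;
    # elsewhere it falls back to the constructed samples.
    try:
        resolv = open("/etc/resolv.conf").read()
    except OSError:
        resolv = "nameserver 127.0.0.1\n"   # constructed
    conf = ""
    for path in ("/run/NetworkManager/dnsmasq.conf", "/var/run/NetworkManager/dnsmasq.conf"):
        try:
            conf = open(path).read()
            break
        except OSError:
            pass
    print("resolv.conf ok:", resolv_conf_ok(resolv))
    print("dnsmasq.conf:", parse_dnsmasq_conf(conf or SAMPLE_DNSMASQ_CONF).diagnose())
    print("dnsmasq log:", parse_dnsmasq_log(SAMPLE_DNSMASQ_LOG).diagnose())
```

Run against the log from the report, the verdict is "no-global-upstream": every "using nameserver" line carries a "for domain" suffix and nothing is left for other names. On Ubuntu, where the configuration reaches dnsmasq over D-Bus rather than through dnsmasq.conf, the log parser is the check that still applies.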