From your configuration, your dnsmasq installation is getting the list of DNS servers to use from /etc/resolv.conf. By default, dnsmasq tries to favor using DNS servers that are up, but will only send a given request to a single DNS server. This can cause problems if you have multiple DNS servers that can/will only serve certain queries.
I believe you can solve this issue by making sure you have a DNS server on your LAN (the one you use when you aren't connected to the VPN) set up in /etc/resolv.conf, as well as the DNS server on the corporate network you want to use over the VPN.
Then, you will need to edit /etc/default/dnsmasq and add or edit the DNSMASQ_OPTS= line to include --all-servers.
If you are still unable to get DNS queries with this setup, copy the resolv.conf file you created during the steps above to another location, like ~/resolv.conf, set /etc/resolv.conf up with nameserver 127.0.0.1 and set the following option in /etc/dnsmasq.conf:
resolv-file=/home/your_username/resolv.conf
That should configure your system to query your dnsmasq installation for DNS, and it will in turn use both your local DNS server and the VPN DNS server for every query.
Edit: You can find the DNS servers you are currently using for a particular connection using the nmcli tool. For finding the DNS servers used by my wireless connection, I used the following syntax:
nmcli dev list iface wlan0 | grep IP4.DNS
If you run this command while you are not connected to your VPN, and then again when you are connected and are able to resolve your corporate addresses, you should get your list of DNS servers off and on the VPN. I hope this helps.
Edit 2: Looking at your routing tables, it appears your VPN administrator has set you up to route all your traffic through the VPN while you're connected (your default gateway changes to a VPN address). Since both of your DNS servers are public addresses, and neither have a specific route set up while you are on the VPN, you are trying to do normal DNS lookups through the VPN and that is what is failing.
You may have a couple ways to make this work, depending on your VPN setup:
If the VPN will allow you to access the internet through the corporate network, but not perform DNS queries to servers on the internet, add routes to your DNS servers like so: sudo route add -host 83.255.245.11 gw 192.168.0.1, and sudo route add -host 193.150.193.150 gw 192.168.0.1 after connecting to the VPN.
If the VPN will not allow you to access the internet through the corporate network, you will need to change the default gateway settings on your computer to point at 192.168.0.1 after you connect to the VPN. In this case, you will want to set up your usual default gateway and then add network routes to access VPN-only equipment.
You may need to whittle down your routing table in the connected-to-the-VPN case shown in your second pastebin to the following:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
10.100.0.0 10.100.0.105 255.255.255.0 UGH 0 0 0 tun0
10.100.0.105 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
Then, add routes as you need to in order to access the corporate equipment. In the routing table shown above I have assumed a /24 network on the VPN, which may be incorrect. You'll have to set the mask appropriately.
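The point made in Edit 2 (a public DNS server with no specific route follows whatever default route the VPN installed) can be checked offline with a small longest-prefix-match lookup over a route -n style table. The following is an added example, not code from the answer above or from any of the tools it names: the two routing tables and the resolv.conf excerpt are constructed to mirror the "connected to the VPN" situation using the addresses the answer mentions, and the function names (ip_to_int, route_for, resolvers_via) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the answer above. Picks the routing-table entry
# the kernel would use for a destination (longest prefix wins) and reports
# which resolv.conf nameservers would leave through a given interface.
# Tables, resolv.conf and function names are constructed for this example.

# ip_to_int <dotted-quad>: print the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_for <dest-ip> <table>: print "gateway iface" of the most specific
# matching entry. For contiguous netmasks, a larger numeric mask value is the
# longer prefix, so the entry with the largest matching mask wins.
route_for() {
    dst=$(ip_to_int "$1")
    best_mask=-1
    best=""
    while read -r net gw mask flags metric ref use iface; do
        [ -n "$net" ] || continue
        n=$(ip_to_int "$net")
        m=$(ip_to_int "$mask")
        if [ $(( dst & m )) -eq $(( n & m )) ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$gw $iface"
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$best"
}

# resolvers_via <iface> <resolv.conf text> <table>: list the nameservers
# whose queries the table would send out of <iface>
resolvers_via() {
    printf '%s\n' "$2" | while read -r key val rest; do
        [ "$key" = nameserver ] || continue
        case "$(route_for "$val" "$3")" in
            *" $1") printf '%s\n' "$val" ;;
        esac
    done
}

# Constructed table while connected: the VPN has replaced the default route,
# which is the situation described in Edit 2 (columns as in `route -n`).
VPN_DEFAULT_TABLE='0.0.0.0 10.100.0.105 0.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
10.100.0.0 10.100.0.105 255.255.255.0 UG 0 0 0 tun0
10.100.0.105 0.0.0.0 255.255.255.255 UH 0 0 0 tun0'

# The same table after the two `route add -host ... gw 192.168.0.1` commands
WITH_DNS_HOST_ROUTES="$VPN_DEFAULT_TABLE
83.255.245.11 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
193.150.193.150 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0"

# Constructed resolv.conf with the two public resolvers from the question
RESOLV_CONF='nameserver 83.255.245.11
nameserver 193.150.193.150'

for dns in 83.255.245.11 193.150.193.150; do
    printf '%-16s before host routes: %-20s after: %s\n' "$dns" \
        "$(route_for "$dns" "$VPN_DEFAULT_TABLE")" \
        "$(route_for "$dns" "$WITH_DNS_HOST_ROUTES")"
done
echo "resolvers still leaving via tun0 before: $(resolvers_via tun0 "$RESOLV_CONF" "$VPN_DEFAULT_TABLE" | tr '\n' ' ')"
echo "resolvers still leaving via tun0 after:  $(resolvers_via tun0 "$RESOLV_CONF" "$WITH_DNS_HOST_ROUTES" | tr '\n' ' ')"
```

Before the host routes both resolvers match only the 0.0.0.0/0 entry and go out tun0, which is exactly the lookup that fails when the VPN does not forward DNS to the internet; after them the /32 entries win and the queries go to 192.168.0.1 on eth0, while addresses in 10.100.0.0/24 still use tun0. To try it against a real table, paste the output of route -n (without its two header lines) in place of the constructed table.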
I experienced similar problems, for example with adding an extra USB wifi dongle.
First I disabled dnsmasq in NetworkManager as described above and I stopped dnsmasq (service dnsmasq stop).
I noticed that when resolving broke during my VPN connecting, the routing table looks slightly different (output of route command).
The name of the Gateway is DD-WRT in the case it does not work and simply 'gateway' when it does work.
The output of this did not change:
nmcli device show wlp1s0 | grep IP4.DNS
It kept showing my router IP.
A workaround to get it to work for a while is to restart systemd-resolved:
sudo service systemd-resolved restart
Since dnsmasq is out of the equation, it is either systemd-resolved that is the cause of the issue, or anything changing the routing table.
So this is the only difference I see:
ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 601 0 0
which works.
And this when it does NOT work:
ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default DD-WRT 0.0.0.0 UG 601 0 0 wlp1s0
And the same name difference on the VPN line:
vpn-dns.name gateway 255.255.255.255 UGH 0 0 0 wlp1s0
Who knows what may influence the routing table?
It would be great if we can identify this so a bug report can be filed.
I am getting seriously sick and tired of pursuing all these bugs, but I would like to get them fixed so future users and us will be happy :).
[update]
It seems stopping systemd-resolved may fix this and not negatively impact other stuff. You can try that and let me know if it does break stuff.
I saw this when running systemd-resolved in debug mode when it broke:
Removing scope on link wlp1s0, protocol llmnr, family AF_INET
Removing scope on link wlp1s0, protocol llmnr, family AF_INET6
Removing scope on link *, protocol dns, family *
To disable:
sudo systemctl disable systemd-resolved.service
I updated the Ubuntu report with suggestions.
[/update]
Added note: the bug report https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317 has a patch for 17.04 for some issues.
Please check the bug report and if possible test the patch. Thank you!
[update]
Please check the above-mentioned bug report; the issue seems to be resolved for 17.10, and with a simple command DNS leakage can be disabled too.
[/update]
Best Answer
I googled here and have exactly the same issue too (Ubuntu 19.04).
For me, this answer solved it.
You should specify <vpn-settings-name> that corresponds to a VPN setting name in the GUI, and <domain> is the domain name you want to search via DNS in the remote network. After reconnecting to the VPN,
systemd-resolved status ppp0
shows