Ubuntu – DNS-Settings on Network-Manager when using VPN

dnsnetwork-managervpnvpnc

I recently updated to 19.04 and noticed some change in NetworkManager when using VPNs.

I want to use a VPN with an own local DNS-server, which is pushed from DHCP
I have seperate VPN profiles. One for a "full VPN" which installes a default-route to the remote network, and one "split tunnel" profile, having the setting for local resources only enabled

Since i updated to 19.04, NetworkManager seems to only use the pushed DNS server, what means when the default-route is allowed to install (when checkbox "use this connection only for resources on its network") is not checked.

Let NetworkManager install a default route:

~$ resolvectl status tun0
Link 16 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1
          DNS Domain: local.domain

activate checkbox for local resources only in the same vpn profile:

~$ resolvectl status tun0
Link 8 (tun0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

This setting was working independently from default-route-setting before, seems like it changed with new 19.04 NetworkManager (v1.16.0). Can anyone confirm?

Edit: This is a desktop installation. Here are some details:

~$ ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 20 15:41 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search uman.enbw.net

~$ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

~$ cat /etc/netplan/*.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

Best Answer

I googled here and have exactly the same issue too. (Ubuntu 19.04)

For me, this answer solved.

nmcli c modify <vpn-settings-name> ipv4.dns-search '<domain>'

You should specify <vpn-settings-name> that corresponds to a VPN setting name in GUI. And <domain> is the domain name you want to search via DNS in the remote network.

After reconnecting to VPN, systemd-resolved status ppp0 shows

Link 6 (ppp0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1 (<--- my dns)
                      192.168.1.10
          DNS Domain: corp

Related Solutions

Ubuntu – Network only using one DNS when connected to VPN

From your configuration, your dnsmasq installation is getting the list of DNS servers to use from /etc/resolv.conf. By default, dnsmasq tries to favor using DNS servers that are up, but will only send a given request to a single DNS server. This can cause problems if you have multiple DNS servers that can/will only serve certain queries.

I believe you can solve this issue by making sure you have a DNS server on your LAN (the one you use when you aren't connected to the VPN) set up in /etc/resolv.conf, as well as the DNS server on the corporate network you want to use over the VPN.

Then, you will need to edit /etc/default/dnsmasq and add or edit the DNSMASQ_OPTS= line to include --all-servers.

If you are still unable to get DNS queries with this setup, copy the resolv.conf file you created during the steps above to another location, like ~/resolv.conf, set /etc/resolv.conf up with nameserver 127.0.0.1 and set the following option in /etc/dnsmasq.conf:

resolv-file=/home/your_username/resolv.conf

That should configure your system to query your dnsmasq installation for DNS, and it will in turn use both your local DNS server and the VPN DNS server for every query.

Edit: You can find the DNS servers you are currently using for a particular connection using the nmcli tool. For finding the DNS servers used by my wireless connection, I used the following syntax:

nmcli dev list iface wlan0 | grep IP4.DNS

If you run this command while you are not connected to your VPN, and then again when you are connected and are able to resolve your corporate addresses, you should get your list of DNS servers off and on the VPN. I hope this helps.

Edit 2: Looking at your routing tables, it appears your VPN administrator has set you up to route all your traffic through the VPN while you're connected (your default gateway changes to a VPN address). Since both of your DNS servers are public addresses, and neither have a specific route set up while you are on the VPN, you are trying to do normal DNS lookups through the VPN and that is what is failing.

You may have a couple ways to make this work, depending on your VPN setup:

If the VPN will allow you to access the internet through the corporate network, but not perform DNS queries to servers on the internet, add routes to your DNS servers like so: sudo route add -host 83.255.245.11 gw 192.168.0.1, and sudo route add -host 193.150.193.150 gw 192.168.0.1 after connecting to the VPN.
If the VPN will not allow you to access the internet through the corporate network, you will need to change the default gateway settings on your computer to point at 192.168.0.1 after you connect to the VPN. In this case, you will want to set up your usual default gateway and then add network routes to access VPN-only equipment.

You may need to whittle down your routing table in the connected-to-the-VPN case shown in your second pastebin to the following:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
10.100.0.0      10.100.0.105    255.255.255.0   UGH   0      0        0 tun0
10.100.0.105    0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Then, add routes as you need to in order to access the corporate equipment. In the routing table shown above I have assumed a /24 network on the VPN, which may be incorrect. You'll have to set the mask appropriately.

Ubuntu – 16.10 fail to resolve DNS

I experienced similar problems, for example with adding an extra USB wifi dongle. First I disabled dnsmasq in networkmanager as described above and I stopped dnsmasq (service dnsmasq stop)

I noticed that when resolving broke during my VPN connecting, the routing table looks slightly different (output of route command). The name of the Gateway is DD-WRT in the case it does not work and simply 'gateway' when it does work. The output of this did not change:

nmcli device show wlp1s0 | grep IP4.DNS

It kept showing my router IP. A workaround to get it to work for a while is to restart systemd-resolvd:

sudo service systemd-resolved restart

Since dnsmasq is out of the equation, it is either systemd-resolvd that is the cause of the issue, or anything changing the routing table.

So this is the only difference I see:

ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    601    0        0

which works. And this when it does NOT work:

ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DD-WRT          0.0.0.0         UG    601    0        0 wlp1s0

And the same name difference on the VPN line :

vpn-dns.name gateway         255.255.255.255 UGH   0      0        0 wlp1s0

Who knows what may influence the routing table? It would be great if we can identify this so a bug report can be filed. I am getting seriously sick and tired of pursuing all these bugs, but I would like to get them fixed so future users and us will be happy :).

[update] It seems stopping systemd-resolved may fix this and not negatively impact other stuff. You can try that and let it know if it does break stuff. I saw when running systemd-resolvd in debug when it broke:

Removing scope on link wlp1s0, protocol llmnr, family AF_INET
Removing scope on link wlp1s0, protocol llmnr, family AF_INET6
Removing scope on link *, protocol dns, family *

To disable:

sudo systemctl disable systemd-resolved.service

I updated the Ubuntu report with suggestions. [/update] Add: Note: the bug report : https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317 has a patch for 17.04 for some issues. Please check the bug report and if possible test the patch. Thank you!

[update]

Please check the above mentioned bug report, the issue seems to be resolved for 17.10 and with a simple command DNS leakage can be disabled too.

[/update]

Best Answer

Related Solutions

Ubuntu – Network only using one DNS when connected to VPN

Ubuntu – 16.10 fail to resolve DNS

Related Question