Ubuntu – Prioritize VPN’s DNS Server

18.04network-managersystemdsystemd-resolved

Is there a way to prioritize a particular DNS server only when connecting to a VPN (OpenVPN) through Network Manager or one of its configuration files?

I have a VPN (192.168.1.*) I frequently connect to that has DNS (192.168.1.53) configured to resolve host names of the form *.internal.example.com on its network. My local router (192.168.0.1) has DD-WRT on it with Google's DNS setup (those aren't strictly needed).

I've replaced the systemd /etc/resolv.conf stub with a symlink to /run/systemd/resolve/resolv.conf so that host names will actually resolve using the VPN's DNS server. Yesterday it was working fine because the VPN's DNS server was at the top of the list.

# /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
# ...

nameserver 192.168.1.53
nameserver 192.168.0.1
nameserver 8.8.8.8
# Too many DNS servers configured, the following entries may be ignored.
nameserver 8.8.4.4
search Home internal.example.com

However, when I connected today the DNS entries were reordered.

# /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
# ...

nameserver 192.168.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
# Too many DNS servers configured, the following entries may be ignored.
nameserver 192.168.1.53
search Home internal.example.com

The order frequently changes after a reboot. Sometimes upon reconnection to the VPN I notice the order changes (after experiencing the resolution issue).

systemd-resolve works just fine and can resolve the hosts using the proper DNS server.

$ systemd-resolve --status --no-pager
Global
          DNSSEC NTA: ...

Link 10 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.53
          DNS Domain: internal.example.com

Link 2 (eno1)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1
                      8.8.8.8
                      8.8.4.4
                      192.168.1.53
          DNS Domain: Home

$ systemd-resolve srv1.internal.example.com
srv1.internal.example.com: 192.168.1.113

-- Information acquired via protocol DNS in 2.1ms.
-- Data is authenticated: no

ping, nslookup, and ssh all fail though.

$ ping srv1.internal.example.com
ping: srv1.internal.example.com: Name or service not known

$ nslookup srv1.internal.example.com
Server:         192.168.0.1
Address:        192.168.0.1#53

** server can't find srv1.internal.example.com: NXDOMAIN

$ ssh srv1.internal.example.com
ssh: Could not resolve hostname srv1.internal.example.com: Name or service not known

A few notes.

I connect to the VPN through Network Manager. I have the VPN's DNS manually specified on the VPN under: IPv4 > DNS Servers.

I tried using a separate wired ethernet connection configured with the VPN's DNS under: IPv4 > Other DNS Servers.

Best Answer

As you accept using dnsmasq, how about this:

Point your resolv.conf to 127.0.0.1 (nameserver 127.0.0.1)
Try this config on your dnsmasq:

server=/internal.example.com/192.168.1.53
server=8.8.8.8

This would use 192.168.1.53 for domain "internal.example.com" and 8.8.8.8 for everything else.

Take a look at "-S, --local, --server=" option on dnsmasq man page.

Update: You may also want to disable DHCP, so to avoid conflicts with your local router. Maybe listening only on lo (127.0.0.1) interface.

Related Solutions

Ubuntu – 16.10 fail to resolve DNS

I experienced similar problems, for example with adding an extra USB wifi dongle. First I disabled dnsmasq in networkmanager as described above and I stopped dnsmasq (service dnsmasq stop)

I noticed that when resolving broke during my VPN connecting, the routing table looks slightly different (output of route command). The name of the Gateway is DD-WRT in the case it does not work and simply 'gateway' when it does work. The output of this did not change:

nmcli device show wlp1s0 | grep IP4.DNS

It kept showing my router IP. A workaround to get it to work for a while is to restart systemd-resolvd:

sudo service systemd-resolved restart

Since dnsmasq is out of the equation, it is either systemd-resolvd that is the cause of the issue, or anything changing the routing table.

So this is the only difference I see:

ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    601    0        0

which works. And this when it does NOT work:

ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DD-WRT          0.0.0.0         UG    601    0        0 wlp1s0

And the same name difference on the VPN line :

vpn-dns.name gateway         255.255.255.255 UGH   0      0        0 wlp1s0

Who knows what may influence the routing table? It would be great if we can identify this so a bug report can be filed. I am getting seriously sick and tired of pursuing all these bugs, but I would like to get them fixed so future users and us will be happy :).

[update] It seems stopping systemd-resolved may fix this and not negatively impact other stuff. You can try that and let it know if it does break stuff. I saw when running systemd-resolvd in debug when it broke:

Removing scope on link wlp1s0, protocol llmnr, family AF_INET
Removing scope on link wlp1s0, protocol llmnr, family AF_INET6
Removing scope on link *, protocol dns, family *

To disable:

sudo systemctl disable systemd-resolved.service

I updated the Ubuntu report with suggestions. [/update] Add: Note: the bug report : https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317 has a patch for 17.04 for some issues. Please check the bug report and if possible test the patch. Thank you!

[update]

Please check the above mentioned bug report, the issue seems to be resolved for 17.10 and with a simple command DNS leakage can be disabled too.

[/update]

Ubuntu – DNS set to systemd’s 127.0.0.53 – how to change permanently

You can install a package resolvconf, which will modify the way /etc/resolv.conf is built up at system boot.

sudo apt install resolvconf

You can then create or modify a file /etc/resolvconf/resolv.conf.d/tail. If you put in this file a line nameserver 8.8.8.8, this line will be added at the end of /run/resolvconf/resolv.conf at boot. /etc/resolv.conf will now be a symbolic link to this file.

Post Scriptum:

Almost two years after posting my answer I came across https://bugs.launchpad.net/ubuntu/+source/ppp/+bug/1778946 which explains exactly why merely installing resolvconf solved a dns problem I had at the time. I feel I have to share this here.

Although my answer addresses the question in a proper way, indeed a warning should be added that, if you want/need to do this, probably something else is wrong. This was already stated by @intelfx at the time, 127.0.0.53 should work by itself.

According that bug report, after a pptp VPN goes down, resolv.conf is restored with the wrong access rights. ping ubuntu.com does not work, sudo ping ubuntu.com does. Installing resolvconf solved it, because it takes over resolv.conf, restoring it with correct rights. Changing systemd-resolve settings is no solution in this case, since the bug is in ppp. But an alternative, maybe simpler solution is sudo chmod a+r /etc/resolv.conf after VPN down. And this can be automated by putting an executable script in /etc/NetworkManager/dispatcher.d with contents:

#!/bin/sh
if [[ "$1"="ppp0" && "$2"="vpn-down" ]]; then  
    /bin/chmod a+r /etc/resolv.conf
fi

In all cases the contents of resolv.conf do not change. And, yes, I know pptp must be avoided because of security issues, but at the time I thought of it as a good excercise for an ubuntu newbie. I imagined it would work out of the box. Little did I know that it would give me a headache, as diagnosed so well by @intelfx.

Best Answer

Related Solutions

Ubuntu – 16.10 fail to resolve DNS

Ubuntu – DNS set to systemd’s 127.0.0.53 – how to change permanently

Related Question