Ubuntu – systemd-resolved, resolvconf.service, resolvconf and openresolv. Why, which and how

dnsnetworkingresolv.confsystemd-resolvedvpn

I'm using a VPN client which adds two name servers to /etc/resolv.conf. All my connections are managed by Network-Manager.

I have to use this VPN client for my work VPN but after Ubuntu went to systemd-resolved in 16.10 I am having problems with my connection and DNS. Looks like systemd-resolved changes /etc/resolv.conf back to default name servers for some reason which makes internal pages not resolve. I looked into this some more and ended up replacing resolvconf with openresolv. That helped a lot, but still systemd-resolved resets /etc/resolv.conf after the VPN has been up for a while.

It could be just as the connection is up or after a few minutes or sometimes not at all. I then disabled systemd-resolved and the systemd resolvconf.service and only run openresolv. It all works well it seems.

However, this is all very confusing. Is there a reason for using systemd-resolved with one of the others? It was enabled in Ubuntu 16.10 so I thought there must be a reason for it but it seems to cause a fight over /etc/resolv.conf.

It would be great if I could just run operesolv and get this explained. I have done quite a bit of reading on it but I still do not understand why /etc/resolv.conf is managed like it is, only that when I use systemd for it I can't use my VPN client.

Best Answer

I managed to change the script that handles these configuration items in OpenVPN in Ubuntu (tested on 18.04). Here is a patch for that:

--- /etc/openvpn/update-resolv-conf.orig    2019-03-13 19:14:16.163914424 +0400
+++ /etc/openvpn/update-resolv-conf 2019-03-13 19:29:30.380420708 +0400
@@ -15,7 +15,7 @@
 #     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
 #

-[ -x /sbin/resolvconf ] || exit 0
+[ -x /usr/bin/systemd-resolve ] || exit 0
 [ "$script_type" ] || exit 0
 [ "$dev" ] || exit 0

@@ -43,16 +43,16 @@
        fi
    done
    R=""
-   [ "$SRCHS" ] && R="search $SRCHS
-"
+   for SRCH in $SRCHS ; do
+       R="${R}--set-domain=$SRCH "
+   done
    for NS in $NMSRVRS ; do
-           R="${R}nameserver $NS
-"
+       R="${R}--set-dns=$NS "
    done
-   echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+   /usr/bin/systemd-resolve -i ${dev} ${R}
    ;;
   down)
-   /sbin/resolvconf -d "${dev}.openvpn"
+   echo "Doing nothing, interface disappears."
    ;;
 esac

You will need to add the following items to your OpenVPN configuration file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Related Solutions

DNS – 16.10 Fails to Resolve

I experienced similar problems, for example with adding an extra USB wifi dongle. First I disabled dnsmasq in networkmanager as described above and I stopped dnsmasq (service dnsmasq stop)

I noticed that when resolving broke during my VPN connecting, the routing table looks slightly different (output of route command). The name of the Gateway is DD-WRT in the case it does not work and simply 'gateway' when it does work. The output of this did not change:

nmcli device show wlp1s0 | grep IP4.DNS

It kept showing my router IP. A workaround to get it to work for a while is to restart systemd-resolvd:

sudo service systemd-resolved restart

Since dnsmasq is out of the equation, it is either systemd-resolvd that is the cause of the issue, or anything changing the routing table.

So this is the only difference I see:

ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    601    0        0

which works. And this when it does NOT work:

ubuntu@ubuntu-Lenovo-Yoga-2-11:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DD-WRT          0.0.0.0         UG    601    0        0 wlp1s0

And the same name difference on the VPN line :

vpn-dns.name gateway         255.255.255.255 UGH   0      0        0 wlp1s0

Who knows what may influence the routing table? It would be great if we can identify this so a bug report can be filed. I am getting seriously sick and tired of pursuing all these bugs, but I would like to get them fixed so future users and us will be happy :).

[update] It seems stopping systemd-resolved may fix this and not negatively impact other stuff. You can try that and let it know if it does break stuff. I saw when running systemd-resolvd in debug when it broke:

Removing scope on link wlp1s0, protocol llmnr, family AF_INET
Removing scope on link wlp1s0, protocol llmnr, family AF_INET6
Removing scope on link *, protocol dns, family *

To disable:

sudo systemctl disable systemd-resolved.service

I updated the Ubuntu report with suggestions. [/update] Add: Note: the bug report : https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317 has a patch for 17.04 for some issues. Please check the bug report and if possible test the patch. Thank you!

[update]

Please check the above mentioned bug report, the issue seems to be resolved for 17.10 and with a simple command DNS leakage can be disabled too.

[/update]

Ubuntu – /run/resolvconf/resolv.conf ubuntu 18.04

In Ubuntu 18.04 and later, the usual arrangement is:

ls -al /etc/resolv.conf
/etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

If yours is not the same, I suggest that you do:

sudo rm -f /etc/resolv.conf
ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Reboot.

Best Answer

Related Solutions

DNS – 16.10 Fails to Resolve

Ubuntu – /run/resolvconf/resolv.conf ubuntu 18.04

Related Question