OpenVPN, resolvconf, and DNS domain resolution

Tags: dns, openvpn, resolv.conf, resolvconf

While at site1, I need to connect to site2 via OpenVPN. Once connected, the OpenVPN site2 pushes a DNS nameserver and domain search options. This causes all name resolutions for site1 to fail.

Example:

  1. Physically connected at site1, DHCP pushes DNS options and resolvconf manages them.
    /etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 172.16.1.101
    nameserver 172.16.1.102
    search site1.internal.domain
    
  2. Open OpenVPN tunnel to site2, OpenVPN pushes dhcp-option DNS and DOMAIN for site2 and /etc/openvpn/update-resolv-conf pushes them to resolvconf.
    /etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 192.168.1.5
    nameserver 172.16.1.101
    nameserver 172.16.1.102
    search site2.internal.domain site1.internal.domain
    
  3. DNS resolution works for server.site2.internal.domain but fails for server.site1.internal.domain

Is there a way that any failed DNS request to site2 should fall through to the site1 DNS servers? Or to configure resolvconf so that only queries for site2.internal.domain are passed to the site2 nameserver?

I use an Ubuntu 14.04 machine at site1, and the OpenVPN server at site2 is a pfSense 2.2 box. I manage both sites so making changes to either side isn't a problem. Both domains are non-public and internal use only.

Best Answer

You can set up a local caching server that will watch your /etc/resolv.conf, as it's changed by resolvconf scripts, and try to get its answers from all nameservers listed there.

On many systems it'll be enough to install the dnsmasq package, in addition to resolvconf.

The defaults should "just work" provided that the no-resolv and no-poll directives are absent from /etc/dnsmasq.conf and the lo interface is at the top of /etc/resolvconf/interface-order. If an upstream nameserver returns some arbitrary IPs for unresolvable addresses, strict-order in dnsmasq.conf can help. Your /etc/resolv.conf should only show nameserver 127.0.0.1.

If you prefer a fixed setup, or connect to multiple unrelated networks and want to avoid leaking your private network names to all nameservers, you should configure dnsmasq to query specific servers based on domain:

# /etc/dnsmasq.conf

# site1 servers (dnsmasq's per-domain forwarding directive is server=/domain/ip)
server=/site1.internal.domain/172.16.1.101
server=/site1.internal.domain/172.16.1.102

# site2 servers
server=/site2.internal.domain/192.168.1.5

# default OpenNIC (optional, unless 'no-resolv' is set).
server=51.15.98.97
server=172.104.136.243

For more info on dnsmasq options see here: http://oss.segetech.com/intra/srv/dnsmasq.conf
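As an added example (not part of the answer above, and not dnsmasq's or resolvconf's own tooling), the two helpers below do the two things the answer relies on: generate the per-domain `server=/domain/ip` lines from a plain "domain nameserver" mapping, and check a dnsmasq.conf for an active `no-resolv` or `no-poll` line, which would stop dnsmasq from following the resolvconf-managed /etc/resolv.conf. The mapping, the file paths and the sample config contents are constructed for the example; the domains and addresses are the ones from the question.

```shell
#!/bin/sh
# Added example: helpers for the split-domain dnsmasq setup described in the answer.
# Nothing here touches the real /etc/dnsmasq.conf; paths and inputs are constructed.

# Emit dnsmasq per-domain forwarding lines.
# Reads "domain nameserver" pairs from stdin (blank lines and '#' comments are skipped)
# and prints one "server=/domain/ip" line per pair, which is the directive dnsmasq
# uses to send queries for a domain to a specific upstream.
emit_domain_servers() {
    while read -r domain ns; do
        case "$domain" in ''|\#*) continue ;; esac
        [ -n "$ns" ] || continue
        printf 'server=/%s/%s\n' "$domain" "$ns"
    done
}

# Return 0 if the given dnsmasq.conf still lets dnsmasq follow /etc/resolv.conf,
# i.e. it contains no uncommented "no-resolv" or "no-poll" directive; 1 otherwise.
resolv_following_ok() {
    conf="$1"
    # Drop comments first so a commented-out directive does not count as active.
    if sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*no-(resolv|poll)[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Usage demo on the two sites from the question (constructed mapping).
printf 'site1.internal.domain 172.16.1.101\nsite1.internal.domain 172.16.1.102\nsite2.internal.domain 192.168.1.5\n' \
    | emit_domain_servers
```

Pipe the generated lines into a file under /etc/dnsmasq.d/ (or append them to /etc/dnsmasq.conf) and run `resolv_following_ok /etc/dnsmasq.conf` before restarting dnsmasq; a non-zero exit means the config has opted out of reading /etc/resolv.conf, so the OpenVPN-pushed nameserver would never be picked up automatically.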
