Split DNS with openvpn erroneously removes nameservers from dnsmasq

Bug #1642063 reported by manic
Affects: network-manager (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

I was setting up a fresh ubuntu xenial a few days ago (Ubuntu 16.04.1 LTS)
with network-manager 1.2.2-0ubuntu0.16.04.3.

I connect to an OpenVPN server that pushes a DNS server to me:

push "dhcp-option DNS 172.24.32.1"

This DNS server is properly received and (as I have marked "use for this network only")
configured correctly over D-Bus to dnsmasq (sorry, German logs, translated here):

Nov 15 22:23:47 chili dnsmasq[1422]: setting upstream servers from DBus
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain example.com
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain 24.172.in-addr.arpa

So now dnsmasq has nameservers for my VPN-internal domain and the reverse domains
of the routes pushed by the VPN. That's exactly what I want - for the VPN resources.

BUT (and this took me some time to understand) the previously valid nameservers
(originated from the DHCP server of the Wireless connection) are REMOVED. This means
that dnsmasq is left with name servers for specific domains only, there are no
generic name servers available any more. If queried for a name resolution for e.g.
"www.google.com", dnsmasq just returns an error message.

So while I had full IP connectivity in the network behind the VPN AND to the
internet, I had no name resolution any more for domains outside of the VPN.

I would have expected that the domain servers (that are specific to the VPN
domains) are ADDED to the list of dnsmasq's servers, but they are replaced.
As (according to the dnsmasq man page) "More specific domains take precedence
over less specific domains", no leakage of DNS requests would happen in either direction.

I even monitored the D-Bus communication and it can be seen that it uses
the "SetServersEx" command (which replaces the list).

I built a workaround using a script in /etc/NetworkManager/dispatcher.d combined
with a configuration file in /etc/NetworkManager/dnsmasq.d that points to a
"servers-file". When the vpn comes up, the script populates the servers-file
from the $IP4_NAMESERVERS variable and HUPs dnsmasq, which finally gives me
in /var/log/syslog:

Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 8.8.8.8#53
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain example.com
Nov 15 22:23:47 chili dnsmasq[1422]: using nameserver 172.24.32.1#53 for domain 24.172.in-addr.arpa

Of course the script undoes the changes when the VPN comes down again. If anyone
is interested, I can share my script - but it is quite specific to my use
case so I wonder if others are interested in...
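The reporter did not attach the script, so the following is an added example of the workaround as described (a dispatcher script that fills a dnsmasq "servers-file" with the underlying connection's nameservers on vpn-up, empties it on vpn-down, and HUPs dnsmasq). It is not the reporter's code and not part of NetworkManager. It assumes a hypothetical drop-in /etc/NetworkManager/dnsmasq.d/vpn-fallback.conf containing the single line `servers-file=/var/run/NetworkManager/vpn-fallback-servers`, that NetworkManager's dnsmasq reads /etc/NetworkManager/dnsmasq.d and writes its PID to /var/run/NetworkManager/dnsmasq.pid (the pkill fallback is an assumption too), and that on vpn-up the IP4_NAMESERVERS variable carries the underlying (wireless) connection's resolvers, as the report states. File name and paths are illustrative.

```shell
#!/bin/sh
# Hypothetical /etc/NetworkManager/dispatcher.d/50-vpn-fallback-dns
# Invoked by NetworkManager as: <script> <interface> <action>
#
# Assumptions (not from the bug report):
#  - /etc/NetworkManager/dnsmasq.d/vpn-fallback.conf contains
#      servers-file=/var/run/NetworkManager/vpn-fallback-servers
#    so dnsmasq re-reads that file on SIGHUP.
#  - NM's dnsmasq PID is in /var/run/NetworkManager/dnsmasq.pid.

SERVERS_FILE="${SERVERS_FILE:-/var/run/NetworkManager/vpn-fallback-servers}"
DNSMASQ_PID="${DNSMASQ_PID:-/var/run/NetworkManager/dnsmasq.pid}"

# Turn a space-separated nameserver list ($1) into dnsmasq "server=" lines
# in file $2. Written to a temp file and renamed, so a concurrent HUP never
# makes dnsmasq read a half-written file. Only IPv4 dotted quads are
# accepted; anything else (IPv6, garbage) is silently dropped, so that an
# untrusted value from DHCP cannot inject arbitrary dnsmasq config.
write_servers_file() {
    ns_list=$1
    out=$2
    tmp="$out.tmp.$$"
    : > "$tmp"
    for ns in $ns_list; do
        case $ns in
            *[!0-9.]*) continue ;;   # not a dotted quad, skip
        esac
        printf 'server=%s\n' "$ns" >> "$tmp"
    done
    mv "$tmp" "$out"
}

# Empty the servers file: once the VPN is down NM reinstalls the normal
# upstreams over D-Bus itself, so the extra global servers must not linger.
clear_servers_file() {
    : > "$1"
}

# Number of "server=" entries in file $1 (0 for an empty file).
count_servers() {
    grep -c '^server=' "$1" 2>/dev/null || true
}

# Ask the NM-managed dnsmasq to re-read its servers-file.
reload_dnsmasq() {
    if [ -r "$DNSMASQ_PID" ]; then
        kill -HUP "$(cat "$DNSMASQ_PID")"
    else
        pkill -HUP -x dnsmasq   # fallback assumption: HUPs every dnsmasq
    fi
}

case "${2:-}" in
    vpn-up)
        # On vpn-up, IP4_NAMESERVERS describes the underlying connection,
        # i.e. exactly the resolvers that SetServersEx dropped.
        write_servers_file "${IP4_NAMESERVERS:-}" "$SERVERS_FILE"
        reload_dnsmasq
        ;;
    vpn-down)
        clear_servers_file "$SERVERS_FILE"
        reload_dnsmasq
        ;;
esac
```

Note the trade-off this encodes: every name outside the VPN's pushed domains is resolved by the local network's DHCP-supplied resolvers, which is what the reporter wants for a split-tunnel setup; for a full-tunnel VPN whose policy is that all DNS goes through the tunnel, this same script would reintroduce exactly the query leakage the current (replacing) behaviour prevents, so it should only be deployed alongside "use for this network only".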
