dnsmasq not working with OpenVPN

Bug #1636395 reported by QkiZ on 2016-10-25
This bug affects 19 people
Affects Status Importance Assigned to Milestone
dnsmasq (Ubuntu)
Undecided
Unassigned
openvpn-systemd-resolved (Ubuntu)
Undecided
Unassigned

Bug Description

I'm using OpenVPN configured with Network Manager. My VPN has a DNS server configured by OpenVPN, and the config is pushed by it while connecting. This server is not registered by dnsmasq, so domain names are not resolved, but pinging by IP address works. When I test name resolving by pointing to the DNS server (172.16.1.1) from the VPN provider, it works. For example:

$ host google.com 172.16.1.1
Using domain server:
Name: 172.16.1.1
Address: 172.16.1.1#53
Aliases:

google.com has address 172.217.0.174
google.com has IPv6 address 2607:f8b0:400b:807::200e
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

But if I test without pointing to the DNS server, it is not working:

$ host google.com
;; connection timed out; no servers could be reached

My /etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

To repair this bug I have to kill dnsmasq, and it is automatically reloaded.

QkiZ (qkiz) wrote :
drplix (pjr-1060) wrote :

I can confirm this problem. Since updating to 16.10 DNS fails when openvpn connection is enabled in NetworkManager. Intranet DNS lookups do not work - so the corporate servers cannot be reached. Additionally all my traffic is routed through the VPN and all external internet traffic is blocked.

A partial fix is to disable dnsmasq in /etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq

[ifupdown]
managed=false

And to restart NM with: sudo service network-manager restart

After this external traffic works again - but intranet hosts are still not resolvable - so I have to add manual settings in /etc/hosts for the intranet.

In 16.04 openvpn with pushed DNS worked perfectly - the openvpn server has not been changed and is still working fine for other clients.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dnsmasq (Ubuntu):
status: New → Confirmed
drplix (pjr-1060) wrote :

Still looking for an answer to the DNS problems we're now seeing with OpenVPN. For reference it seems there is a general discussion of DNS issues with 16.10

https://ubuntuforums.org/showthread.php?t=2340142

With respect to VPN pushed DNS the following comment indicates the same problem as this bug but with a Juniper VPN...

https://ubuntuforums.org/showthread.php?t=2340142&p=13559269#post13559269

drplix (pjr-1060) wrote :

Added package dependency to this bug for: openvpn-systemd-resolved

It seems that package might also not be working correctly...

"This is a helper script designed to integrate OpenVPN with the
systemd-resolved service via DBus instead of trying to override
/etc/resolv.conf, or manipulate systemd-networkd configuration files."

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn-systemd-resolved (Ubuntu):
status: New → Confirmed
raffraffraff (raffraffraff) wrote :

This is a fairly old thread but I thought I'd throw my own experience in. I'm using 16.04.2, and the breakage happened when I last did a system update (about a week ago). Previously, it was working perfectly with the following configuration:

1. uninstalled resolvconf
2. Added 'dns=dnsmasq' to /etc/NetworkManager/NetworkManager.conf
3. Using Cisco compatible (vpnc) VPN

My resolv.conf has always used '127.0.1.1', and name resolution via dnsmasq worked fine on or off the VPN. Since the upgrade, dnsmasq name resolution is broken. If I 'sudo pkill dnsmasq', NetworkManager just dumps all of the DNS server entries into /etc/resolv.conf and removes 127.0.1.1 (thus temporarily fixing the issue).

If I strace dnsmasq, I can see it hitting my local DNS servers (never the VPN DNS servers), but it still never gets an answer, even for something like 'www.google.com'.

Here's something weirder. If I start the dnsmasq service (sudo systemctl start dnsmasq.service), it binds to 127.0.0.1 (the NetworkManager-owned dnsmasq uses 127.0.1.1). This works PERFECTLY. I can dig @127.0.0.1 for pretty much any host on the internet or the VPN and I get an answer.

The two processes run different commands:
Systemd Service:
/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

NetworkManager owned service:
/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

If I edit /etc/resolv.conf and add 127.0.0.1 as a nameserver, everything is fine.

QkiZ (qkiz) wrote :

I started using DNS Crypt. I set the connections to use the local DNS Crypt forwarder. Now it works every time.

Nicholas Stommel (nstommel) wrote :

Credit to QkiZ, the dnscrypt-proxy service works EVERY TIME and ignores the (completely broken) DNS resolution of dnsmasq and resolvconf. Even with the newest version of network-manager (1.2.6) on 16.04 LTS and all its dependencies:
network-manager
libnm-glib-vpn1
libnm-glib4
libnm0
libnm-util2

No more DNS resolution issues!
To apply this workaround (which actually also offers some security benefits against DNS leakage), use:
sudo apt install dnscrypt-proxy
In the network manager, select "Edit Connections", select the primary (non-VPN) network you use, click on the "IPv4 Settings" tab, change the "Method" tab to "Automatic (DHCP) addresses only", then add 127.0.0.2 to the "DNS servers:" box. Save your changes, then restart the connection by disabling and enabling networking. Now go to https://www.opendns.com/welcome/ and you should see a nice check mark.
Now, your network connection and VPN should work (meaning DNS resolution won't break on you) every single time you wake up from suspend or use
sudo service network-manager restart
Good stuff!

Nicholas Stommel (nstommel) wrote :

Okay so I have found the issue pertaining to dns resolution on Ubuntu 16.04.2! There is a critical bug in the package dnsmasq-base here: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776 The fix hasn't yet been applied to the current version of dnsmasq-base.

This time I have all the dependencies on 1.2.6 at their newest version and installing the patched .deb version provided by Harald Rudell fixes DNS name resolution on wakeup/suspend and with restart of the network manager, all while cooperating with openvpn. I hope this helps anyone on 16.04.2 LTS!

wget https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+attachment/4780245/+files/dnsmasq-base_2.76-4ubuntu1FIX1639776ubuntu1_amd64.deb

sudo dpkg -i dnsmasq-base_2.76-4ubuntu1FIX1639776ubuntu1_amd64.deb

This appears to have actually worked, and is much better than using dnscrypt-proxy (which I have found to be incredibly slow) or holding back a bunch of packages.

QkiZ (qkiz) wrote :

Thx for the solution. I will test it, but I think that I give up with dnscrypt. It works fine for me.

QkiZ (qkiz) wrote :

I mean not give up with dnscrypt.

Tim Booth (tbooth) wrote :

Hi,

I'm having exactly the same problem as described by @raffraffraff - after connection to the VPN the dnsmasq instance handled by NetworkManager no longer makes DNS queries for addresses outside the VPN (e.g. google.com), but it can resolve ones internal to the VPN (e.g. web-dev.myorg.private).

Using DIG to make a direct DNS query to any remote DNS server works fine, so it looks like dnsmasq has got in a tizz.

To add a little more info...

I'm able to add a file /etc/NetworkManager/dnsmasq.d/debug containing the line "log-queries" and I can see lines in syslog like:

... dnsmasq[25056]: forwarded www.google.com to 129.215.205.191

So obviously dnsmasq is trying to process the requests but failing.

I can also see dnsmasq picking up new configurations from DBUS as I connect/disconnect but there are no errors reported.

I also note that dnsmasq is trying to make queries via the public DNS servers, but when connected to the VPN all the queries should go to the trusted DNS server provided on the VPN (this is discussed in bug 1639776) but I think this is a separate issue.

Ubuntu 16.04.2 LTS
dnsmasq-base 2.75-1ubuntu0.16.04.2
network-manager 1.2.6-0ubuntu0.16.04.1

Cheers,

TIM
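The "log-queries" debugging step above produces syslog lines that show where dnsmasq actually forwards each query. The following is an added example (not from this bug thread or from dnsmasq itself) that parses such lines and reports two things relevant here: names forwarded to an upstream server that is not the VPN-provided resolver (a DNS leak while the tunnel is up) and names that were forwarded but never received a "reply" line (the hung-resolution symptom). The sample syslog text is constructed; the VPN resolver 172.16.1.1 and the upstream 129.215.205.191 are the addresses quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample of syslog lines in the format dnsmasq emits with
# "log-queries" enabled; not a real capture from the reporters' machines.
SAMPLE_SYSLOG = """\
Mar  3 10:12:01 host dnsmasq[25056]: query[A] www.google.com from 127.0.0.1
Mar  3 10:12:01 host dnsmasq[25056]: forwarded www.google.com to 129.215.205.191
Mar  3 10:12:01 host dnsmasq[25056]: query[A] web-dev.myorg.private from 127.0.0.1
Mar  3 10:12:01 host dnsmasq[25056]: forwarded web-dev.myorg.private to 172.16.1.1
Mar  3 10:12:01 host dnsmasq[25056]: reply web-dev.myorg.private is 10.1.2.3
Mar  3 10:12:06 host dnsmasq[25056]: query[A] www.google.com from 127.0.0.1
Mar  3 10:12:06 host dnsmasq[25056]: forwarded www.google.com to 129.215.205.191
"""

# "forwarded NAME to SERVER" and "reply NAME is ADDR" are the two dnsmasq
# log-queries lines this audit needs.
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)")


def audit_forwards(syslog_text, vpn_servers):
    """Audit dnsmasq log-queries output while a VPN is connected.

    Returns (leaks, unanswered):
      leaks      - {name: [servers]} for queries forwarded to an upstream
                   that is not in vpn_servers (DNS leaking around the tunnel)
      unanswered - sorted names that were forwarded but never got a reply
    """
    vpn_servers = set(vpn_servers)
    forwarded_to = defaultdict(set)   # name -> set of upstream servers tried
    answered = set()                  # names that produced a "reply" line
    for line in syslog_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwarded_to[m.group(1)].add(m.group(2))
            continue
        m = REPLY_RE.search(line)
        if m:
            answered.add(m.group(1))
    leaks = {name: sorted(servers - vpn_servers)
             for name, servers in forwarded_to.items()
             if servers - vpn_servers}
    unanswered = sorted(name for name in forwarded_to if name not in answered)
    return leaks, unanswered


if __name__ == "__main__":
    leaks, unanswered = audit_forwards(SAMPLE_SYSLOG, {"172.16.1.1"})
    print("forwarded outside the VPN resolver:", leaks)
    print("forwarded but never answered:", unanswered)
```

On a live system, feed it `journalctl -u NetworkManager` or /var/log/syslog output instead of the constructed sample, with the resolver address pushed by your VPN as `vpn_servers`.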
