Comment 11 for bug 1169437

Thomas Hood (jdthood) wrote : Re: network-manager dnsmasq openvpn DNS issue

P.S. Oscar, and everyone else who has commented, please say what version of network-manager-openvpn you are using.

I have just done some testing. I have the following package versions.

    network-manager 0.9.8.0-0ubuntu17
    network-manager-dev 0.9.8.0-0ubuntu6
    network-manager-gnome 0.9.8.0-1ubuntu2
    network-manager-openvpn 0.9.8.2-1ubuntu2

When I make an OpenVPN connection to corp.com via my home LAN which has local TLD "mydom" I see the following in /var/log/syslog.

    [...] NetworkManager[1247]: <info> Internal DNS: 172.17.1.2

Whether dns=dnsmasq or not I get the following.

    $ nmcli -f IP4 dev list | grep DNS
    IP4.DNS[1]: 192.168.1.254
    IP4.DNS[1]: 192.168.1.254

In fact, nmcli seems to have no knowledge at all of the VPN. But this doesn't seem to matter.

Now (a) if "dns=dnsmasq" then NetworkManager passes the address 127.0.1.1 (which is the listen address of the dnsmasq instance that it controls) to resolvconf

    $ cat /run/resolvconf/interface/NetworkManager
    domain mydom
    search corp.com mydom
    nameserver 127.0.1.1

which turns up in resolv.conf.

    $ cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1
    search mydom corp.com

and passes the correct addresses to the dnsmasq instance that it controls, as evidenced by dnsmasq's messages in syslog.

    [...] dnsmasq[5803]: setting upstream servers from DBus
    [...] dnsmasq[5803]: using nameserver 172.17.1.2#53 for domain 17.172.in-addr.arpa
    [...] dnsmasq[5803]: using nameserver 172.17.1.2#53 for domain corp.com
    [...] dnsmasq[5803]: using nameserver 192.168.1.254#53
    [...] dnsmasq[5803]: using nameserver 192.168.1.254#53

Testing reveals that LAN, Internet and VPN names are all resolved correctly and I can see with wireshark that the DNS queries are forwarded to the correct addresses by dnsmasq. That is, *.corp.com queries go to 172.17.1.2 and other queries to 192.168.1.254.

If (b) "dns=dnsmasq" is commented out then NetworkManager passes the VPN nameserver and LAN nameserver addresses, in that order, to resolvconf.

    $ cat /run/resolvconf/interface/NetworkManager
    domain mydom
    search corp.com mydom
    nameserver 172.17.1.2
    nameserver 192.168.1.254

    $ cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 172.17.1.2
    nameserver 192.168.1.254
    search mydom corp.com

Testing reveals that Internet and VPN names are resolved correctly but LAN names are not and I can see that all queries go to the VPN nameserver.

This is all as I would expect, except (as I mentioned earlier) for the nmcli output, which fails to include any VPN information.

Conclusion: I can't reproduce the bug. Name service works for me with or without "dns=dnsmasq" insofar as I would expect.
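
Added example, not part of the original comment: a small Python check that rebuilds the split-DNS routing from the dnsmasq lines quoted above and compares it with case (b), where the first `nameserver` line receives every query. The hostnames are constructed, and the longest-suffix match models dnsmasq's documented preference for the most specific domain.

```python
import re

# Constructed input: the dnsmasq lines quoted in the comment (syslog prefix dropped).
DNSMASQ_LOG = """\
dnsmasq[5803]: setting upstream servers from DBus
dnsmasq[5803]: using nameserver 172.17.1.2#53 for domain 17.172.in-addr.arpa
dnsmasq[5803]: using nameserver 172.17.1.2#53 for domain corp.com
dnsmasq[5803]: using nameserver 192.168.1.254#53
dnsmasq[5803]: using nameserver 192.168.1.254#53
"""
# Constructed input: resolv.conf from case (b), comment lines dropped.
RESOLV_CONF_B = """\
nameserver 172.17.1.2
nameserver 192.168.1.254
search mydom corp.com
"""
USING = re.compile(r"using nameserver (\S+?)#\d+(?: for domain (\S+))?")

def parse_dnsmasq(log):
    """Return (per-domain rules, default servers) from 'using nameserver' lines."""
    rules, defaults = {}, []
    for server, domain in USING.findall(log):
        if domain:
            rules.setdefault(domain.lower().rstrip("."), []).append(server)
        elif server not in defaults:
            defaults.append(server)
    return rules, defaults

def dnsmasq_upstream(name, rules, defaults):
    """Pick the servers for the longest matching domain suffix, else the defaults."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return defaults

def first_nameserver(resolv_conf):
    """Without dnsmasq, the resolver sends each query to the first nameserver line."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None

if __name__ == "__main__":
    rules, defaults = parse_dnsmasq(DNSMASQ_LOG)
    for n in ("host.corp.com", "printer.mydom", "www.example.org"):  # constructed names
        print(n, dnsmasq_upstream(n, rules, defaults), first_nameserver(RESOLV_CONF_B))
```

For each name the output shows the case (a) upstream next to the case (b) server, so any name where the two differ is one that reaches the VPN nameserver only when "dns=dnsmasq" is commented out.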