On 19.04 I can see the following (correct) behavior.
With VPN (turned on via NetworkManager):
# note: no "global" DNS servers have been configured by hand through systemd-resolved conf using "DNS=" directive
systemd-resolved --status
# ...
Link 15 (tun0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: <vpndns1>
DNS Servers: <vpndns1> <vpndns2>
DNS Domain: ~.
Link 2 (wlp59s0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: <local-dhcp-dns1>
DNS Servers: <local-dhcp-dns1> <local-dhcp-dns2>
DNS Domain: deadbeefcafe
Without VPN:
systemd-resolved --status
# ...
Link 2 (wlp59s0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: <local-dhcp-dns1>
DNS Servers: <local-dhcp-dns1> <local-dhcp-dns2>
DNS Domain: ~. deadbeefcafe
"~." configuration goes to the tun0 interface once VPN is enabled and is removed from the physical interface. In this example it means that DHCP-advertised local DNS servers will be used for deadbeefcafe domain only and everything else will go through the DNS servers of a VPN service.
Clarifications on how "~." affects DNS request routing:
https://github.com/systemd/systemd/blame/v240/src/resolve/resolved-dns-scope.c#L1411-L1418
http://manpages.ubuntu.com/manpages/disco/man5/resolved.conf.5.html#options
https://www.freedesktop.org/software/systemd/man/resolved.conf.html#Domains=
* "~." really trumps everything and clearly indicates that this interface shall receive all
* traffic it can get. */
Packages:
ii network-manager 1.16.0-0ubuntu2 amd64 network management framework (daemon and userspace tools)
ii network-manager-config-connectivity-ubuntu 1.16.0-0ubuntu2 all NetworkManager configuration to enable connectivity checking
ii network-manager-gnome 1.8.20-1ubuntu1 amd64 network management framework (GNOME frontend)
ii network-manager-openvpn 1.8.10-1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.8.10-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii netplan.io 0.97-0ubuntu1~19.04.1 amd64 YAML network configuration abstraction for various backends
ii systemd 240-6ubuntu5.3 amd64 system and service manager
I have also captured DNS packets on all interfaces via Wireshark and confirmed that DNS requests go to the correct DNS servers on 19.04.
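Added example (not part of the bug report above, and not systemd or NetworkManager code): a small parser for the per-link section of `systemd-resolve --status` output that reports which link currently claims the route-only catch-all domain "~.". The point the report makes is that "~." must move to tun0 when the VPN comes up and disappear from the physical link; if a second link still carries "~." at that time, unscoped lookups are eligible for its resolvers as well, which is the usual DNS-leak pattern. The sample outputs below are constructed to mirror the report (`<vpndns1>`, `<local-dhcp-dns1>` and so on are placeholders, as in the report; the "leak" sample is a constructed misconfiguration). The VPN interface name defaults to tun0, as in the report, and is an assumption for other setups.

```python
"""Check which link owns the "~." catch-all DNS routing domain in
systemd-resolve --status output (added example, not project code)."""
import re

# "Link 15 (tun0)" starts a per-link section; "Field: value" lines follow.
LINK_RE = re.compile(r"^Link (\d+) \((\S+)\)")
# Keys are words only, so an IPv6 continuation line such as "2001:db8::1"
# does not get mistaken for a "key: value" pair.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*): (.*)$")

# Constructed sample, shaped like the report's "with VPN" output.
SAMPLE_WITH_VPN = """\
Link 15 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: <vpndns1>
         DNS Servers: <vpndns1>
                      <vpndns2>
          DNS Domain: ~.
Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: deadbeefcafe
"""

# Constructed sample, shaped like the report's "without VPN" output.
SAMPLE_WITHOUT_VPN = """\
Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: ~. deadbeefcafe
"""

# Constructed misconfiguration: "~." stayed on the physical link while the
# VPN link also claims it, so unscoped queries may reach the DHCP resolvers.
SAMPLE_LEAK = SAMPLE_WITH_VPN.replace("DNS Domain: deadbeefcafe",
                                      "DNS Domain: ~. deadbeefcafe")


def parse_status(text):
    """Return {link name: {field: [values]}} for every Link section.

    Multi-valued fields (DNS Servers, DNS Domain) continue on indented lines
    without a 'Field: ' prefix; those tokens are appended to the last field.
    Lines before the first Link section (the Global block) are skipped.
    """
    links, current, last_field = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINK_RE.match(raw)
        if m:
            current = links.setdefault(m.group(2), {})
            last_field = None
            continue
        if current is None:
            continue
        m = KV_RE.match(raw)
        if m:
            last_field = m.group(1)
            current[last_field] = m.group(2).split()
        elif last_field is not None:
            current[last_field].extend(raw.split())
    return links


def catch_all_links(links):
    """Names of links whose DNS Domain list contains the route-only '~.'."""
    return [name for name, f in links.items() if "~." in f.get("DNS Domain", [])]


def assess(links, vpn_iface="tun0"):
    """Classify the routing state; returns (verdict, links claiming '~.').

    vpn-down : the VPN link is absent, so '~.' on the physical link is expected
    ok       : exactly the VPN link claims '~.' (the report's correct state)
    fallback : no link claims '~.'; lookups fall back to DefaultRoute links
    leak     : another link claims '~.' alongside or instead of the VPN link
    """
    owners = catch_all_links(links)
    if vpn_iface not in links:
        return ("vpn-down", owners)
    if owners == [vpn_iface]:
        return ("ok", owners)
    if not owners:
        return ("fallback", owners)
    return ("leak", owners)


if __name__ == "__main__":
    for label, sample in (("with VPN", SAMPLE_WITH_VPN),
                          ("without VPN", SAMPLE_WITHOUT_VPN),
                          ("leak", SAMPLE_LEAK)):
        print(label, "->", assess(parse_status(sample)))
```

In practice the text would come from running the status command (`systemd-resolve --status` on the 19.04 systemd 240 build shown in the package list; newer releases expose the same fields through `resolvectl status`), and the "leak" verdict is the one worth alerting on while a VPN connection is active. A packet capture on the physical interface, as the report describes, remains the ground truth: the parser only reflects what resolved has been told, not what it actually sends.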