Ubuntu
network-manager package

  1. Bug #1688018
  2. Comment #64

Comment 64 for bug 1688018

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

On 19.04 I can see the following (correct) behavior.

With VPN (turned on via NetworkManager):

# note: no "global" DNS servers have been configured by hand through systemd-resolved conf using "DNS=" directive

systemd-resolved --status

# ...

Link 15 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <vpndns1>
         DNS Servers: <vpndns1>
                      <vpndns2>
          DNS Domain: ~.

Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: deadbeefcafe

Without VPN:

systemd-resolved --status
# ...

Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: ~.
                      deadbeefcafe

"~." configuration goes to the tun0 interface once VPN is enabled and is removed from the physical interface. In this example it means that DHCP-advertised local DNS servers will be used for deadbeefcafe domain only and everything else will go through the DNS servers of a VPN service.

Clarifications on how "~." affects DNS request routing:

https://github.com/systemd/systemd/blame/v240/src/resolve/resolved-dns-scope.c#L1411-L1418
                 * "~." really trumps everything and clearly indicates that this interface shall receive all
                 * traffic it can get. */
http://manpages.ubuntu.com/manpages/disco/man5/resolved.conf.5.html#options
https://www.freedesktop.org/software/systemd/man/resolved.conf.html#Domains=

Packages:

ii network-manager 1.16.0-0ubuntu2 amd64 network management framework (daemon and userspace tools)
ii network-manager-config-connectivity-ubuntu 1.16.0-0ubuntu2 all NetworkManager configuration to enable connectivity checking
ii network-manager-gnome 1.8.20-1ubuntu1 amd64 network management framework (GNOME frontend)
ii network-manager-openvpn 1.8.10-1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.8.10-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii netplan.io 0.97-0ubuntu1~19.04.1 amd64 YAML network configuration abstraction for various backends
ii systemd 240-6ubuntu5.3 amd64 system and service manager

I have also captured DNS packets on all interfaces via Wireshark and confirmed that DNS requests go to the correct DNS servers on 19.04.