I pushed branch bg/dns-bgo746422. I think it should solve the leaks in
case of full-tunnel VPNs when using dnsmasq or systemd-resolved. It
basically:
- allows users to specify that connections get the default lookup
domain through the special entry "~."
- automatically adds "~." to connections with the default route
- applies rules from comment 32 to decide which domains are used
based on DNS priority.
Other things that I didn't do, but can be done later (if necessary)
are:
- as noticed by Thomas, you can't override the NM decision of
automatically adding "~." to connections with default route.
Actually, you can add "~." to another connection with a lower
priority value, and it will override the "~." added by NM on the
first connection. Perhaps this is enough. Otherwise we could
introduce another special domain.
- I haven't added a new dns setting with duplicates of the existing
ipvx properties. I think it's really a different issue and should
be solved separately.
- Also I didn't add the dns.lookup-domain property, as the "~."
domain is sufficient and it is just another case of the
routing-only domains we already support.
What do you think?