how to set up split-dns for vpn with network-manager


To get the D-Bus controlled dnsmasq that NetworkManager runs to use different DNS servers, there are the following options (obviously adjust domains and IP addresses in the examples):

  • Add a file to /etc/NetworkManager/dnsmasq.d that sets the DNS server for the subnet you want: myvpn-server.conf could contain server=/myvpn.domain.com/10.8.4.9. This will always be respected by dnsmasq even when not connected to the VPN, in which case queries for these domains should time out. The disadvantage is that you need to specify the IP address statically; the advantage is simplicity.
  • Use D-Bus to talk directly to dnsmasq to tell it to update the servers using something like sudo dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetDomainServers "array:string:192.168.0.1,/myvpn.domain.com/10.8.4.9". This could be scripted when the VPN connects. You'd need to look up the existing DNS servers (the 192.168.0.1 in my example) over D-Bus or using nmcli.
  • Use D-Bus to talk to NetworkManager itself and tell it to update the servers. Here's an example of doing this using Python, which would require some work to include the current servers.

I'm using the first option and have only tried preliminary versions of the other two.
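The second option, scripted so that it runs when the VPN connects, as a NetworkManager dispatcher script. This is an added example, not code from the answer; the install path, the LAN device name eth0 and the nmcli -g output format are assumptions, and the VPN domain and resolver are the answer's example values.

```shell
#!/bin/sh
# NetworkManager dispatcher script (assumed install path:
# /etc/NetworkManager/dispatcher.d/90-split-dns). NM runs it as
# "<interface> <action>"; VPN connections trigger vpn-up and vpn-down.
# It tells the NM-controlled dnsmasq, over D-Bus, to keep the LAN resolvers
# as default upstream and to send only the VPN domains to the VPN resolver.

# Constructed example values: adjust to the real VPN domains and resolver.
VPN_DOMAINS="myvpn.domain.com"
VPN_DNS="10.8.4.9"
LAN_DEV="${LAN_DEV:-eth0}"   # assumed name of the local network device

# Build the SetDomainServers argument: default upstream servers first, then
# one "/domain/server" entry per VPN domain (dnsmasq server= syntax).
# $1 = space-separated default servers, $2 = space-separated VPN domains,
# $3 = VPN DNS server.
build_domain_servers() {
    list=""
    for s in $1; do
        list="${list:+$list,}$s"
    done
    for d in $2; do
        list="${list:+$list,}/$d/$3"
    done
    printf 'array:string:%s' "$list"
}

# Ask NetworkManager for the LAN device's current DNS servers. Assumes an
# nmcli with -g/--get-values, which joins multiple values with " | ".
lan_dns_servers() {
    nmcli -g IP4.DNS device show "$1" 2>/dev/null | tr '|' ' '
}

# Push the server list to the dnsmasq instance NM runs (the D-Bus call from
# the answer above).
push_to_dnsmasq() {
    dbus-send --system --print-reply \
        --dest=org.freedesktop.NetworkManager.dnsmasq \
        /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetDomainServers "$1"
}

case "$2" in
    vpn-up)
        push_to_dnsmasq "$(build_domain_servers "$(lan_dns_servers "$LAN_DEV")" "$VPN_DOMAINS" "$VPN_DNS")"
        ;;
    vpn-down)
        # The VPN resolver is unreachable now: go back to the LAN resolvers only.
        push_to_dnsmasq "$(build_domain_servers "$(lan_dns_servers "$LAN_DEV")" "" "$VPN_DNS")"
        ;;
esac
```

With the VPN down, queries for the VPN domains fall back to the LAN resolvers instead of timing out, unlike the static dnsmasq.d file in the first option.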

Author: geo. Updated on September 18, 2022.

Comments

  • geo (over 1 year ago)

    I want to create a split-DNS config on a 14.04 desktop machine with both a local eth network and a VPN connection. I.e., I should send DNS lookups for address ranges that are accessed via the VPN to the (private) DNS servers that are configured for that particular VPN connection. Other addresses which are served via the local net should use different (public) DNS servers.

    https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/ suggests this is easy to do now that we have a local dnsmasq resolver. Quote:

    The big advantage is that if you connect to a VPN, instead of having all your DNS traffic be routed through the VPN like in the past, you’ll instead only send DNS queries related to the subnet and domains announced by that VPN. This is especially interesting for high latency VPN links where everything would be slowed down in the past.

    But I cannot figure out how to make this work! With the VPN inactive, network-manager tells dnsmasq to use the local public DNS servers as its upstream servers (this is good). If I now activate a VPN connection, network-manager tells dnsmasq to change the upstream DNS servers to the private ones configured for the VPN connection. And now all my local traffic goes to the VPN for its DNS lookups (this is bad!).

    If I had a "real" dnsmasq setup I could tell it in dnsmasq.conf to route specific lookups to specific DNS servers. But how does this work with the cut-down dnsmasq / network-manager setup provided with Ubuntu desktop?

    I guess that one option is just to install the full dnsmasq, but this then means that I need to maintain config details in 2 separate places which is the sort of thing that network-manager mostly overcomes. Any suggestions?

    • jdthood (almost 9 years ago)
      You say "this is bad", but it is not illegal (i.e., against an RFC) for the machine to use the VPN nameservers for all queries. The VPN nameservers should have information both about the VPN and about the Internet. What is disadvantageous is, first, that doing this may be slow. Second, if the local network is a different private network, then doing this leaks local names to the VPN. Admittedly, DNS was never designed to maintain the privacy of namespaces; the design of DNS assumes that there is only one global public namespace.