GNOME Bugzilla – Bug 685962
VPN domains in dnsmasq config on local connections
Last modified: 2020-11-12 14:26:01 UTC
There is a problem with the configuration of dnsmasq when used with NetworkManager. If a connection is marked "Use for resources of this connection only" in its routes configuration, then NM should write into the dnsmasq configuration file information about the scope of the associated DNS server. For example:

    server=/domainname.loc/10.1.5.5
    server=/1.10.in-addr.arpa/10.1.5.5

instead of:

    server=10.1.5.5

Let's say I have access to a corporate local domain without general access to the internet. But on this network there exists an HTTP proxy server. Now, to get general access to the internet: I mark this connection as local only. I connect using OpenVPN to my private server outside of the corporate network. From my private server I have full access to the internet. In that case all routes are configured correctly, except the dnsmasq settings, which in that case are formed as follows:

    server=/vpnnet.loc/192.168.1.1
    server=/1.168.192.in-addr.arpa/192.168.1.1
    server=10.1.5.5

Which of course is wrong, and should be as follows:

    server=/domainname.loc/10.1.5.5
    server=/1.10.in-addr.arpa/10.1.5.5
    server=192.168.1.1
I'm afraid NetworkManager currently doesn't know the list of domains for the VPNs in general. So this is much bigger than just changing the configuration.
Not sure. As VPN I use an OpenVPN connection, which sets the address automatically, and also the domain information (I think OpenVPN uses some kind of DHCP protocol). I don't know about other VPN systems. But anyway, please consider the following:

- If the connection is marked as local (activated "Use this connection only for resources on its network") it would be nice if NetworkManager would do the same for the DNS defined on this connection. I mean restrict usage of its DNS servers to this connection's resources only.
- And the same for VPNs. If a VPN has activated "Use this connection only for resources on its network", then do the same: restrict usage of DNS to the connection's resources only.

If such a thing were done, then the user could strictly define how they want to handle network traffic, and consequently DNS usage. In such a case the user would have the possibility to set, for example, priority of wifi over the cable network, etc., just by restricting traffic with deletion of default routes, and consequently setting DNS restrictions.
> - If the connection is marked as local (activated "Use this connection
> only for resources on its network") it would be nice if NetworkManager would do
> the same for dns defined on this connection. I mean restrict usage of its dns
> servers to this connection resources only.

We will definitely have to consider this also on our path to DNSSEC support.

> - And the same for vpns. If vpn have activated "Use this connection
> only for resources on its network", then do the same, restrict usage of dns to
> the connection resources only.

I don't know if this is generally possible.
NM bugzilla reorganization... sorry for the bug spam.
Another relevant use case: dns=dnsmasq in config.

Network A: Local office network with a bunch of servers, but the office's Internet connection is currently down.
Network B: Mobile Internet access via phone connected over "USB Ethernet".

Both of these provide a default route (since they both normally provide an Internet connection). NM normally gives priority to the default gateway from the local network, so I can access local servers but nothing else due to the wrong default route being picked.

If I go to the properties of the local office connection and select "Use this connection only for resources on its network", then NM will remove the default route to the local network, and also make the DNS from the Mobile connection the primary. This allows me access to the Internet, but now DNS queries for internal servers fail. The generated dnsmasq.conf is:

    server=192.168.42.129
    server=<an ipv6>
    server=192.168.1.19
    server=192.168.1.2

Expected behavior: When "Use this connection only for resources on its network" has been selected for a local network, the DNS suffix for that connection (provided by DHCP) should be applied to the dnsmasq server statement for the servers provided from that network.
So this seems to work for VPN connections. If I tick "Use this connection only for resources on its network" then the dns servers associated with that connection will only be queried for entries inside the search domain. It seems not to work on wired connections though.
From my point of view, there seems to be the opposite problem in NetworkManager 1.0.2; look at nm-dns-dnsmasq.c:

    /* Use split DNS for VPN configs */
    for (iter = (GSList *) vpn_configs; iter; iter = g_slist_next (iter)) {
        if (NM_IS_IP4_CONFIG (iter->data))
            add_ip4_config (conf, NM_IP4_CONFIG (iter->data), TRUE);
        else if (NM_IS_IP6_CONFIG (iter->data))
            add_ip6_config (conf, NM_IP6_CONFIG (iter->data), TRUE);
    }

At least for those connections providing a default route, I would not like to have such a split DNS setup, where dnsmasq queries the VPN-provided DNS server only for specific domains. Instead, the VPN DNS should be the new default DNS server and local DNS servers should be disabled. However, with this code, the VPN-provided DNS server will be almost disabled for general usage. Since the local network might be untrusted (this is why you use a VPN tunnel with a default route), this is a security problem.
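The following is an added example, not NetworkManager's code and not anything from nm-dns-dnsmasq.c. It models the dnsmasq server= generation that the reporter and comment 9 ask for (a connection marked "Use this connection only for resources on its network" gets its DNS servers scoped to its search domains and reverse zones, a default-route connection gets unscoped server= lines) and, as an option labelled in the code, the policy comment 11 argues for (a default-route VPN suppresses unscoped DNS servers from local connections). The Connection model, the field names and the sample addresses are constructed for the example; the reverse zone is derived from the connection's prefixes, rounded down to an octet (IPv4) or nibble (IPv6) boundary, which is an assumption about how the scope would be computed.

```python
"""Build dnsmasq 'server=' lines from a set of active connections (added example).

Assumed model: a Connection carries the DNS servers, search domains and
prefixes it learned (e.g. via DHCP or the VPN), plus whether it was marked
"Use this connection only for resources on its network" (never_default).
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Connection:
    name: str
    dns: List[str]             # DNS servers supplied by this connection
    search_domains: List[str]  # DNS suffixes supplied by this connection
    networks: List[str]        # prefixes reachable only via this connection
    never_default: bool = False  # "only for resources on its network"
    is_vpn: bool = False


def reverse_zone(cidr: str) -> str:
    """Reverse-lookup zone for a prefix, rounded down to an octet/nibble boundary.

    10.1.0.0/16 -> 1.10.in-addr.arpa, 192.168.1.0/24 -> 1.168.192.in-addr.arpa,
    fd00:1234::/32 -> 4.3.2.1.0.0.d.f.ip6.arpa.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = "ip6.arpa"
    if not labels:
        raise ValueError(f"{cidr}: prefix too short for a single reverse zone")
    return ".".join(reversed(labels)) + "." + suffix


def dnsmasq_servers(connections: List[Connection],
                    vpn_replaces_local_dns: bool = False) -> List[str]:
    """Return dnsmasq server= lines.

    never_default connections: each server is scoped to the connection's search
    domains and reverse zones (server=/zone/ip), so dnsmasq only consults it for
    those names.  Other connections: unscoped server=ip lines.
    vpn_replaces_local_dns models comment 11's request: when a VPN supplies the
    default route, unscoped servers from non-VPN connections are dropped so
    queries never leak to the (possibly untrusted) local network's resolver.
    """
    vpn_has_default = any(c.is_vpn and not c.never_default for c in connections)
    scoped, unscoped = [], []
    for conn in connections:
        if conn.never_default:
            zones = list(conn.search_domains) + [reverse_zone(n) for n in conn.networks]
            for server in conn.dns:
                scoped.extend(f"server=/{zone}/{server}" for zone in zones)
        else:
            if vpn_replaces_local_dns and vpn_has_default and not conn.is_vpn:
                continue  # local resolver suppressed in favour of the VPN's
            unscoped.extend(f"server={server}" for server in conn.dns)
    # Scoped entries first: dnsmasq picks the most specific domain match anyway,
    # but this mirrors the layout quoted in the report.
    return scoped + unscoped


# Constructed sample matching the original report: corporate LAN marked
# "only for resources on its network", OpenVPN tunnel carrying the default route.
CORP = Connection("corp", ["10.1.5.5"], ["domainname.loc"], ["10.1.0.0/16"],
                  never_default=True)
VPN = Connection("vpn", ["192.168.1.1"], ["vpnnet.loc"], ["192.168.1.0/24"],
                 is_vpn=True)

if __name__ == "__main__":
    print("\n".join(dnsmasq_servers([CORP, VPN])))
```

Running the block prints the three lines the reporter lists as the correct configuration. Swapping the never_default flags reproduces the wrong output from the report (the VPN scoped to vpnnet.loc, the corporate resolver unscoped), which is what the page describes NetworkManager doing.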
bugzilla.gnome.org is being shut down in favor of a GitLab instance. We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time. If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/ Thank you for creating this report, and we are sorry it could not be implemented (workforce and time are unfortunately limited).