On Tue, 2020-09-29 at 09:18 -0700, John M. Harris Jr wrote:
On Tuesday, September 29, 2020 5:13:48 AM MST Zbigniew Jędrzejewski-Szmek wrote:
On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wrote:
On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro wrote:
You can do this, but again, you need to use the command line. E.g. 'resolvectl dns tun0 8.8.8.8'
We're actually no longer debating how systemd-resolved works; rather, we're now debating how NetworkManager chooses to configure systemd-resolved. systemd-resolved just does what it's told to do. It's
actually NetworkManager that decides to split DNS according to routing by default as a matter of policy. It could do otherwise if it wanted to, but I think this is a good default. Nothing stops you from changing
it though. :)
Michael, by what mechanism does NetworkManager "split DNS according to routing"? If it hasn't already made a request from both your cleartext and your VPN connection's DNS servers, it has no way of knowing what network should be used to get the right results. Routing and DNS are unrelated.
NetworkManager pushes DNS server configuration (and associated bits like domain search and routing domains) over dbus to resolved. That way it "[tells resolved how to] split DNS according to routing". Of course, after the name has been resolved to an IP address, the packets to that IP address are routed too. So there is "routing" in the sense of deciding which interface is appropriate for a given DNS name and "routing" in the sense of deciding which interface is appropriate for a given IP address.
It seems that the terminology is fairly confusing, considering it's right alongside actual routing configuration. Okay, so "routing" means something wildly different than you'd think with systemd-resolved, got it.
In most cases, in order to get to a DNS server inside a VPN, your packets have to have a route which can reach the IP of that server for that interface, which is configured using NetworkManager (or a VPN config file, imported into NM). Anyone that understands basic networking will likely be confused by this terminology.
That aside, where in NetworkManager do these "routing domains" get specified?
In the connection itself (GUI or CLI), or they come from DHCP or SLAAC or the VPN.
nmcli con mod rh-openvpn ipv4.dns-search "foobar.com"
nmcli con mod rh-openvpn ipv4.never-default true
combined with having a local caching DNS server (or resolved) enabled will route queries for those search domains only to the VPN-provided DNS servers.
There are corresponding GUI boxes for these in nm-connection-editor, GNOME network settings, and KDE.
Dan
-- John M. Harris, Jr.
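As an added example (not part of this thread, and not NetworkManager's or systemd's own code), the following Python model shows what "routing" means in systemd-resolved's sense: a query is sent to the link whose routing domain is the longest suffix match for the name, and only if nothing matches does it fall back to the links that are DNS default routes. The VPN link is built from the two nmcli settings in Dan's reply (ipv4.dns-search supplies the routing domain, ipv4.never-default drops the link from the DNS default route, following the NetworkManager policy described earlier in the thread). Link names, addresses and the "home.lan" domain are constructed; the model is simplified and does not cover DNSSEC, DNS-over-TLS or per-scope fallback behaviour.

```python
"""Simplified model of systemd-resolved's per-link query routing.

Added example, not from the Fedora devel thread or from systemd/NetworkManager.
Each link carries DNS servers, a list of domains (routing domains written with a
leading "~" as in resolvectl output; search domains also act as routing domains)
and a default-route flag. All names and addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    dns: list[str]
    domains: list[str] = field(default_factory=list)  # "~foo.com" or "foo.com"
    default_route: bool = True

    def routing_domains(self) -> list[str]:
        # Search domains double as routing domains; "~." becomes "" (catch-all).
        return [d.lstrip("~").strip(".").lower() for d in self.domains]


def _suffix_len(name: str, domain: str) -> int:
    """Number of labels matched if `domain` is a suffix of `name`, else -1."""
    name_labels = name.strip(".").lower().split(".")
    if domain == "":  # "~." matches every name with zero labels
        return 0
    dom_labels = domain.split(".")
    if len(dom_labels) > len(name_labels):
        return -1
    if name_labels[-len(dom_labels):] == dom_labels:
        return len(dom_labels)
    return -1


def route_query(name: str, links: list[Link]) -> list[str]:
    """Return the names of the links that receive a query for `name`."""
    best, best_len = [], -1
    for link in links:
        for dom in link.routing_domains():
            n = _suffix_len(name, dom)
            if n > best_len:
                best, best_len = [link.name], n
            elif n == best_len and n >= 0 and link.name not in best:
                best.append(link.name)
    if best_len >= 0:
        # A routing-domain match (including the "~." catch-all) wins outright.
        return best
    # No routing domain matched: send to every link that is a DNS default route.
    return [l.name for l in links if l.default_route]


def nm_connection_to_link(name: str, dns: list[str], dns_search: list[str],
                          never_default: bool) -> Link:
    """Map the nmcli settings quoted in the thread onto resolved's per-link view.

    ipv4.dns-search   -> search (and therefore routing) domains for the link
    ipv4.never-default -> the link is not a DNS default route (NM's policy of
                         splitting DNS according to the IP default route, as
                         described in the thread; assumption, not NM source)
    """
    return Link(name, dns, list(dns_search), default_route=not never_default)


def demo() -> dict[str, list[str]]:
    """Split DNS as configured by the two nmcli commands in the thread."""
    wlan0 = Link("wlan0", ["192.0.2.53"], ["home.lan"], default_route=True)
    tun0 = nm_connection_to_link("tun0", ["198.51.100.53"], ["foobar.com"],
                                 never_default=True)
    links = [wlan0, tun0]
    queries = ["intranet.foobar.com", "www.example.org",
               "printer.home.lan", "foobar.com"]
    return {q: route_query(q, links) for q in links and queries}


def vpn_takes_default_route() -> list[str]:
    """Without never-default, the VPN is also a DNS default route, so an
    unmatched query reaches both the cleartext and the VPN resolvers."""
    wlan0 = Link("wlan0", ["192.0.2.53"], ["home.lan"], default_route=True)
    tun0 = nm_connection_to_link("tun0", ["198.51.100.53"], ["foobar.com"],
                                 never_default=False)
    return route_query("www.example.org", [wlan0, tun0])


def vpn_catch_all() -> list[str]:
    """A "~." routing domain on the VPN pulls every unmatched query onto it."""
    wlan0 = Link("wlan0", ["192.0.2.53"], ["home.lan"], default_route=True)
    tun0 = Link("tun0", ["198.51.100.53"], ["~.", "~foobar.com"],
                default_route=False)
    return route_query("www.example.org", [wlan0, tun0])


if __name__ == "__main__":
    for q, targets in demo().items():
        print(f"{q:24s} -> {', '.join(targets)}")
    print("VPN as default route:", vpn_takes_default_route())
    print("VPN with ~. :", vpn_catch_all())
```

The `demo()` table reproduces the behaviour Dan describes: only names under foobar.com go to the VPN's resolver, everything else stays on wlan0. The two extra scenarios show the settings that change that outcome, which is what to look for when checking whether a VPN connection quietly receives (or fails to receive) queries it should not.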
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org