I'm trying to get name resolution to work with two VPNs simultaneously:
-- vpn1 is configured by OpenVPN and should be connected all the time
-- vpn2 is configured with Openconnect and only needed when remotely connecting to subdomains on my work's network (abc.xyz.com).
-- NetworkManager configures my physical ethernet/wireless connections
I'm using resolvconf to manage resolv.conf. All DNS requests go to the vpn1 DNS because OpenVPN calls resolvconf with the -x flag (via update-resolv-conf.sh) which makes the vpn1 DNS exclusive. But only one DNS can be exclusive so I can't add the vpn2 DNS and resolve the abc.xyz.com addresses.
Unbound has been suggested as a solution to DNS problems (I asked about it here) but I found the documentation confusing. Using 'root-hints' without any forward-zones understandably sends all DNS queries to the vpn1 DNS so I still can't resolve subdomains abc.xyz.com on vpn2. My understanding of networks is insufficient to set up forward-zones and stub-zones that resolve both vpn1 and vpn2 simultaneously.
Does anyone have any suggestions? The vpn1 DNS is at 10.4.0.1 while the vpn2 DNS at work always seems to be at an external IP 131.xx.xx.xx (even when I'm connected).
Thanks
Edit: perhaps I can hard-code the IP addresses at work into some sort of login script and avoid the second DNS entirely.
Last edited by rbaj (2016-04-29 12:32:32)
Offline
Are you using the openresolv implementation of resolvconf?
If so, some documentation on setting it up with unbound:
http://roy.marples.name/projects/openresolv
http://roy.marples.name/projects/openre … ame=config
http://roy.marples.name/projects/openre … ig_unbound
Offline
resolvconf.conf(5) should also have all the details you need.
Offline
Thanks, both. I'm using openresolv.
Currently the configs are:
/etc/resolvconf.conf
---
name_servers=127.0.0.1
resolv_conf=/etc/resolv.conf
unbound_conf=/etc/unbound-resolvconf.conf
private_interfaces=svpn #vpn2
/etc/unbound/unbound.conf
---
include: /etc/unbound-resolvconf.conf
server:
    verbosity: 1
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    pidfile: "/var/run/unbound.pid"
    interface: 127.0.0.1
    trust-anchor-file: trusted-key.key
    root-hints: "/etc/unbound/root.hints"
    local-zone: "10.in-addr.arpa." nodefault #vpn1
    local-zone: "168.192.in-addr.arpa." nodefault
forward-zone:
    name: "abc.com" #company domain
    forward-addr: 131.227.xx.xx #company internal dns
    forward-addr: 131.227.xx.xx
forward-zone:
    name: "xyz.abc.com" #company subdomain 1
    forward-addr: 131.227.xx.xx #company internal dns
    forward-addr: 131.227.xx.xx
forward-zone:
    name: "pqr.abc.com" #company subdomain 2
    forward-addr: 131.227.xx.xx #company internal dns
    forward-addr: 131.227.xx.xx
forward-zone:
    name: "227.131.in-addr.arpa." #reverse dns
    forward-addr: 131.227.xx.xx #company internal dns
    forward-addr: 131.227.xx.xx
$ resolvconf -l shows the correct DNS servers for the two VPNs.
I get the correct IP address when I ping one of the internal subdomains, but I don't get any packets back.
$ tcpdump port 53 shows the correct DNS being used for 10.xx.xx.xx, but doesn't show anything for the 131.227.xx.xx subdomain (but perhaps openconnect does DNS on another port).
What am I missing?
Edit: it's working with private_interfaces="*", thanks for your help.
Does this setup introduce any security holes that weren't already there, and if so can these be fixed with directives in unbound.conf?
Last edited by rbaj (2016-04-26 13:49:51)
Offline
Uh, you didn't include unbound-resolv.conf in your unbound.conf file
Once you do that, you can remove the forward-zone declarations from it.
Offline
There isn't any unbound-resolv.conf
# cat /etc/resolvconf.conf
unbound_conf=/etc/unbound-resolvconf.conf
...
# cat /etc/unbound/unbound.conf
include: /etc/unbound-resolvconf.conf
...
Is this not what you mean? I guess not, because removing the forward-zones breaks it.
Last edited by rbaj (2016-04-26 17:55:40)
Offline
Although it seems to work fine with the above configs I get occasional errors, after which unbound restarts successfully:
unbound[3461]: /unbound.conf:1: error: cannot open include file '-resolvconf.conf': No such file or directory
unbound[3461]: read /unbound.conf failed: 1 errors in configuration file
...
unbound[3461]: [3461:0] notice: Restart of unbound 1.5.8.
unbound[3461]: [3461:0] fatal error: Could not read config file: /unbound.conf
Please could you elaborate on including unbound-resolv.conf?
Thanks
Offline
include: "/etc/unbound-resolvconf.conf"
Try placing it in quotes.
Offline
That fixed the config error, and /etc/unbound-resolvconf.conf is being populated.
Thanks for all your help!
(For reference, in resolvconf.conf only the internal VPN needs to be listed in private_interfaces)
Edit: I got errors in the log caused by unbound's config file. These were solved by moving /etc/unbound-resolvconf.conf to /etc/unbound/unbound-resolvconf.conf
Last edited by rbaj (2016-05-18 12:43:24)
Offline
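As an added illustration, not code from this thread and not part of unbound or openresolv, the following Python script models the two things the thread turns on: how unbound picks a forward-zone for a query name (the most specific enclosing zone wins, and names under no forward-zone go out via root-hints), and the config pitfalls discussed above (the unquoted include path that produced the "cannot open include file '-resolvconf.conf'" error, and, for the security question, whether unbound is bound to loopback only). The sample config is constructed from the layout posted above with the company name-server IPs replaced by TEST-NET documentation addresses (192.0.2.x); the parser is a deliberately small reader that understands only the directives used on this page, not unbound's full grammar.

```python
"""Model unbound's forward-zone selection and lint the pitfalls from the thread.

Added example (not the thread's own code). It never talks to unbound or the
network; it only reads config text with a small hand-written parser.
"""
import ipaddress

# Constructed sample: the layout from the thread with the company DNS IPs
# replaced by TEST-NET addresses and the include path unquoted (pre-fix).
SAMPLE_CONF = """
include: /etc/unbound-resolvconf.conf
server:
    interface: 127.0.0.1
    local-zone: "10.in-addr.arpa." nodefault   # vpn1
forward-zone:
    name: "abc.com"        # company domain
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
forward-zone:
    name: "xyz.abc.com"    # company subdomain, same servers as abc.com
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
forward-zone:
    name: "227.131.in-addr.arpa."
    forward-addr: 192.0.2.53
"""

# The fix from the end of the thread: quoted path, file moved under /etc/unbound.
FIXED_CONF = SAMPLE_CONF.replace(
    "include: /etc/unbound-resolvconf.conf",
    'include: "/etc/unbound/unbound-resolvconf.conf"')


def parse_unbound_conf(text):
    """Return {'includes': [(raw, path)], 'server': {key: [raw values]},
    'forward_zones': [{'name': str, 'addrs': [str]}]}."""
    conf = {"includes": [], "server": {}, "forward_zones": []}
    clause = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments/blanks
        if not line:
            continue
        key, _, value = line.partition(":")           # first colon only
        key, value = key.strip(), value.strip()
        if key == "include":
            conf["includes"].append((value, value.strip('"')))
        elif value == "":                             # 'server:' / 'forward-zone:'
            clause = key
            if clause == "forward-zone":
                conf["forward_zones"].append({"name": None, "addrs": []})
        elif clause == "server":
            conf["server"].setdefault(key, []).append(value)
        elif clause == "forward-zone":
            zone = conf["forward_zones"][-1]
            if key == "name":
                zone["name"] = value.strip('"')
            elif key == "forward-addr":
                zone["addrs"].append(value)
    return conf


def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def select_forward_zone(qname, conf):
    """Most specific forward-zone that is qname or one of its ancestors;
    None means unbound resolves the name iteratively from root-hints."""
    best, q = None, _labels(qname)
    for zone in conf["forward_zones"]:
        z = _labels(zone["name"])
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(_labels(best["name"])):
                best = zone
    return best


def lint(conf):
    """Flag the problems a reader of this thread would want to know about."""
    problems = []
    for raw, path in conf["includes"]:
        if not (raw.startswith('"') and raw.endswith('"')):
            problems.append(f'include path {path} is not quoted; quote it as "{path}"')
    for iface in conf["server"].get("interface", []):
        try:
            ip = ipaddress.ip_address(iface.split("@")[0])   # allow addr@port
        except ValueError:
            continue
        if not ip.is_loopback:
            problems.append(f"unbound listens on {iface}; keep it on loopback "
                            "unless other hosts are meant to query it")
    for zone in conf["forward_zones"]:
        others = {"forward_zones": [z for z in conf["forward_zones"] if z is not zone]}
        parent = select_forward_zone(zone["name"], others)
        if parent and sorted(parent["addrs"]) == sorted(zone["addrs"]):
            problems.append(f"forward-zone {zone['name']} is redundant: "
                            f"{parent['name']} already forwards to the same servers")
    return problems


if __name__ == "__main__":
    conf = parse_unbound_conf(SAMPLE_CONF)
    for name in ("host.xyz.abc.com", "mail.abc.com", "archlinux.org"):
        zone = select_forward_zone(name, conf)
        print(f"{name:20} -> {zone['addrs'] if zone else 'root-hints (vpn1 path)'}")
    for p in lint(conf):
        print("WARN:", p)
```

The redundancy warning is why the thread's three forward-zones for abc.com and its subdomains can collapse into one when they point at the same servers; the include warning reproduces the quoting fix, and the interface check is the one directive in the posted config that answers the "security holes" question (with interface: 127.0.0.1 nothing outside the host can use the forwarder).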