Hi,
While reading the NetworkManager page on the wiki, I was intrigued by the relation of "Split DNS" with VPNs.
I could only find the following two resources:
https://utcc.utoronto.ca/~cks/space/blo … dDNSforVPN
https://zaitcev.livejournal.com/222221.html
As I understand, this is about using different nameservers depending on the VPN connection, which can only be done (to my knowledge) using the requested hostname. This necessarily involves a local DNS resolver, with what is called a "forward zone".
However, Split DNS is about answering to DNS queries based on the source of the DNS query (this description might be incomplete).
This leads me to the 2 following questions:
1) How do you call this type of DNS configuration
2) Do you know of any tool to autoconfigure your local DNS Resolver to forward requests to the correct DNS Server based on the connection (using DHCP Options 119, or any other tool) ?
1) Split Horizon DNS is generally a server side configuration - https://en.wikipedia.org/wiki/Split-horizon_DNS
2) Yes! It's called resolvconf. One of its design goals is to allow decent VPN-based DNS lookups.
You need to install a more powerful resolver than libc (such as unbound, dnsmasq, bind, etc) and then provide a simple config telling openresolv which one(s) you want to configure.
Arch has openresolv in the core repository.
https://roy.marples.name/projects/openresolv
https://roy.marples.name/projects/openresolv/config
However, there is a downside to this approach - every network config tool that is a "one stop" solution doesn't integrate well with this, as they have - or want to have - their own solutions for this.
NetworkManager is the worst because it lumps ALL DNS it knows about into one resolvconf entry which means the VPN split you want won't work because it controls DNS too.
This might have changed as I've not used NetworkManager in quite a few years now. Someone please correct me if this has changed at all.
The same might be true for systemd (I don't know).
If you use separate tools - such as dhcpcd-gtk/qt for SSID selection / static IP setup alongside a VPN of choice such as OpenVPN or WireGuard.
1) I'm sorry, apparently my question was imprecise. I know Split Horizon DNS; I would like to know if you know what to call the technique where you use different nameservers depending on the queried hostname (at least the domain part).
2) resolvconf does not solve this issue, it allows multiple applications to modify "/etc/resolv.conf", but the DNS queries would all go to the same server, no matter what the queried domain is. As stated:
This necessarily involves a local DNS resolver, with what is called a "forward zone".
In this case, resolv.conf would point to "127.0.0.1".
NB: openresolv integrates well with NetworkManager today
EDIT: Indeed openresolv solves this issue.
Last edited by apollo22 (2019-04-07 15:04:58)
AFAIK NetworkManager relies on the server advertising a search domain for split DNS to work. The local resolver then sets up correct forwarding zones for each search domain. GNOME wiki explains some of this: https://wiki.gnome.org/Projects/NetworkManager/DNS .
The section in NetworkManager's page used to be called "Enable DNS caching", but I renamed it to its current title "DNS caching and split DNS" because NetworkManager.conf(5) mentions "split DNS" when describing the main.dns setting.
Last edited by nl6720 (2019-04-07 11:44:06)
Thanks for the GNOME wiki link, it actually answers my second question. (I now have to integrate it with some OpenVPN config.)
Related to the first question, I find it misleading to call this feature "split DNS", because of the widespread usage of "Split Horizon DNS".
Do you know of any other name, or can you think about any other explicit name so that we could modify the NetworkManager documentation to be more explicit ?
EDIT: Just saw "split-DNS resolver" on the wiki. Anyone agree ?
Last edited by apollo22 (2019-04-07 12:09:04)
NetworkManager's documentation calls it "split DNS" so blame its developers, or ask them if there's a better term.
Changes to a wiki article should really be discussed in its talk page so that all interested parties can participate.
Sorry, my intention is not to blame anyone. The objective would be to find an appropriate name together so that we can modify the NetworkManager documentation.
As for the wiki, I think it's a good idea to follow current naming convention. So for now keeping the "split DNS" name on the wiki seems to me to be the best option.
I didn't want to imply anything negative with "blame", I just wanted to point out that it was upstream's decision to use that term.
I didn't realize you were talking about changing the official docs. Sorry, I don't know enough about DNS to suggest any change.
2) resolvconf does not solve this issue, it allows multiple applications to modify "/etc/resolv.conf", but the DNS queries would all go to the same server, no matter what the queried domain is. As stated:
apollo22 wrote: This necessarily involves a local DNS resolver, with what is called a "forward zone".
In this case, resolv.conf would point to "127.0.0.1".
That is not the case. resolvconf takes the input from many resolv.conf files passed to it via applications such as DHCP and VPN clients.
It then uses this to manage /etc/resolv.conf AND a more powerful resolver.
Here again: https://roy.marples.name/projects/openresolv
Take the following resolv.conf files which have been generated by a DHCP client and sent to resolvconf:
# resolv.conf from bge0
search foo.com
nameserver 1.2.3.4

# resolv.conf from tap0
domain bar.org
nameserver 5.6.7.8
In this instance, queries for foo.com will go to 1.2.3.4 and queries for bar.org will go to 5.6.7.8. This does require the resolvers to be configured to pick up the resolvconf-generated configuration for them though.
Let's expand this some more - you would get similar output from running `resolvconf -l` - the key part being two distinct resolv.conf files being managed from different interfaces: the LAN interface(s) and the VPN interface.
If you just see one listed which contains all the entries then it won't work.
Now, to get it to work, you need to setup a more powerful resolver so /etc/resolv.conf should just be this:
nameserver 127.0.0.1
Full instructions to configure this are here: https://roy.marples.name/projects/openresolv/config
And then your DNS server of choice running locally would be configured with two forwarders - one specific for the VPN and the other for everything else.
NB: openresolv integrates well with NetworkManager today
Well, let's see the output of resolvconf -l with LAN and VPN connected before we break out the champagne
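To make the mechanism in the post above concrete, here is an added example (not code from the thread and not openresolv's own code) that models what a resolvconf-style tool does with the two quoted resolv.conf fragments: it parses them per interface, turns each search/domain entry into a forward zone pointing at that interface's nameservers, treats the VPN interface's servers as domain-specific only, and generates the matching dnsmasq and unbound forwarder configuration. The interface names and fragments are the ones quoted in the thread; the classification of tap0 as the VPN interface and the longest-suffix matching rule are assumptions made for the example.

```python
"""Added example: per-interface resolv.conf fragments -> per-domain forward zones.

Not openresolv's code. Assumptions: tap0 is the VPN interface (label chosen
for this example), and a queried name is routed by longest matching domain
suffix, everything else going to the non-VPN (default) forwarders.
"""
from dataclasses import dataclass, field

# The two fragments quoted in the thread, keyed by the interface that
# supplied them (a DHCP lease on the LAN interface, a VPN tunnel on tap0).
FRAGMENTS = {
    "bge0": "search foo.com\nnameserver 1.2.3.4\n",
    "tap0": "domain bar.org\nnameserver 5.6.7.8\n",
}


@dataclass
class Fragment:
    iface: str
    domains: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)


def parse_resolv_conf(iface, text):
    """Parse the resolv.conf keywords that matter for forwarding."""
    frag = Fragment(iface)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, *vals = line.split()
        if key in ("search", "domain"):
            frag.domains.extend(v.lower().rstrip(".") for v in vals)
        elif key == "nameserver":
            frag.nameservers.extend(vals)
    return frag


def build_forward_zones(fragments, vpn_ifaces):
    """Return (zones, default): zones maps domain -> nameservers for that
    domain; default lists the catch-all forwarders, taken only from
    interfaces that are NOT VPNs, so VPN servers never see unrelated queries."""
    zones, default = {}, []
    for frag in fragments:
        for domain in frag.domains:
            zones.setdefault(domain, []).extend(frag.nameservers)
        if frag.iface not in vpn_ifaces:
            default.extend(frag.nameservers)
    return zones, default


def pick_nameservers(qname, zones, default):
    """Longest-suffix match on DNS labels. Matching whole labels (not a plain
    string suffix) is what keeps 'notbar.org' from being sent to the bar.org
    forwarder."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return zones[suffix]
    return default


def render_dnsmasq(zones, default):
    """dnsmasq syntax: server=/domain/addr for a zone, server=addr as catch-all."""
    lines = [f"server=/{d}/{ns}" for d in sorted(zones) for ns in zones[d]]
    lines += [f"server={ns}" for ns in default]
    return "\n".join(lines) + "\n"


def render_unbound(zones, default):
    """unbound syntax: one forward-zone stanza per domain, plus '.' as catch-all."""
    def stanza(name, servers):
        addrs = "".join(f"    forward-addr: {ns}\n" for ns in servers)
        return f'forward-zone:\n    name: "{name}"\n{addrs}'
    return "".join(stanza(d, zones[d]) for d in sorted(zones)) + stanza(".", default)


def configure(fragments=FRAGMENTS, vpn_ifaces=("tap0",)):
    frags = [parse_resolv_conf(iface, text) for iface, text in fragments.items()]
    zones, default = build_forward_zones(frags, set(vpn_ifaces))
    return zones, default


if __name__ == "__main__":
    zones, default = configure()
    print(render_dnsmasq(zones, default))
    print(render_unbound(zones, default))
    for name in ("host.bar.org", "notbar.org", "www.example.net"):
        print(name, "->", pick_nameservers(name, zones, default))
```

Running it prints a dnsmasq file with `server=/bar.org/5.6.7.8`, `server=/foo.com/1.2.3.4` and `server=1.2.3.4`, the equivalent unbound forward-zone stanzas, and shows `host.bar.org` going to the VPN server while `notbar.org` and `www.example.net` go to the LAN server. With /etc/resolv.conf reduced to `nameserver 127.0.0.1`, that is exactly the two-forwarder split the post describes; the output of `resolvconf -l` is the quickest check that the two fragments really arrived as separate interfaces rather than one merged list.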
Indeed you are right.
I thought I knew what openresolv was, discarding your answer, sorry about that.
Thank you very much for the correction
PS: Currently integrating it, but all requests get resolved by the same DNS server
Since when is /etc/resolv.conf such an elaborate tool? As far as I know (edit: and I can decipher from the resolv.conf manpage), glibc just dumbly uses the first 3 nameservers listed in resolv.conf and tries to append the domain given in "search" to query for hostnames without any dots.
Edit: Sorry, disregard that. Somehow I totally missed that whole half of openresolv where you can use other resolvers as its backend...
Last edited by progandy (2019-04-07 18:30:54)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
We are talking about using "openresolv" to manage /etc/resolv.conf (and it apparently can also configure some DNS resolvers).
Thanks. Somehow I totally missed that openresolv supports multiple resolver backends, even though I read the documentation and the article twice. I guess I should stop posting for today.
Last edited by progandy (2019-04-07 18:32:59)
NB: openresolv integrates well with NetworkManager today
Well, let's see the output of resolvconf -l with LAN and VPN connected before we break out the champagne
It seems I was wrong again, NetworkManager only advertises a single interface, so it is not (yet) possible to implement this using only NetworkManager.
Last edited by apollo22 (2019-05-07 19:21:42)
Well, that *is* a shame.
However, it seems you don't need resolvconf here:
https://wiki.gnome.org/Projects/NetworkManager/DNS
So, since last year NetworkManager supports it via dnsmasq or systemd - sucks if you prefer unbound or bind or something else.
Even if you get it working, it looks like it lacks many features openresolv supports, such as excluding specific name servers/domains and other such tooling for when the supplied DNS is wrong.
You might also have luck as someone tried a dispatcher script which should work. Might need some tweaking:
https://superuser.com/questions/1041567 … solvconf-u
Good luck!
PS - This is why I dislike NetworkManager and SystemD. Neither have any good solution to actually do useful stuff like this and sometimes actively go out of the way to make it impossible without invasive patches.
But each to their own, I try and help when I can.