jonathanio/update-systemd-resolved

Support Multiple Search Domains

mf69 opened this issue · 5 comments

mf69 commented

The script seems to support only 1 (the last) search domain even when multiple are passed in the openvpn push / pull options
...
<14>Jun 17 11:56:17 update-systemd-resolved: Link 'tun0' coming up
<14>Jun 17 11:56:17 update-systemd-resolved: Adding IPv4 DNS Server 10.10.10.1
<14>Jun 17 11:56:17 update-systemd-resolved: Adding IPv4 DNS Server 10.10.10.2
<14>Jun 17 11:56:17 update-systemd-resolved: Adding IPv4 DNS Server 10.10.10.3
<14>Jun 17 11:56:17 update-systemd-resolved: Setting DNS Domain foo.bar.example.com
<14>Jun 17 11:56:17 update-systemd-resolved: Setting DNS Domain bar.example.com
<14>Jun 17 11:56:17 update-systemd-resolved: Setting DNS Domain example.com
<14>Jun 17 11:56:17 update-systemd-resolved: SetLinkDNS(7 3 2 4 10 10 10 1 2 4 10 10 10 2 2 4 10 10 10 3)
<14>Jun 17 11:56:17 update-systemd-resolved: SetLinkDomains(7 1 example.com false)
...

$ systemd-resolve --status
...
Link 6 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.10.10.1
10.10.10.2
10.10.10.3
DNS Domain: example.com
...

(Names and IPs changed to protect the innocent)

@mf69,

This is correct. There are two options available for setting domain names on a link: DOMAIN and DOMAIN-SEARCH. The former, DOMAIN, sets the formal domain name of the host on that link, as well as then acting as the primary search domain for bare hostnames on the VPN link. DOMAIN-SEARCH adds in the additional search domains, but does not set them as formal domain names for the host (there can be only one, which is why DOMAIN only takes the last set value).

What you probably want is either to convert them all to DOMAIN-SEARCH, if the formal domain name of the host isn't important, or set DOMAIN for foo.bar.example.com and DOMAIN-SEARCH for bar.example.com and example.com.

I hope this helps.

mf69 commented

To be clear I was converting from the /etc/openvpn/update-resolv-conf script which handles the DOMAIN options as search domains.

OpenVPN has no such dhcp-option DOMAIN-SEARCH -- at least in the man page!?

Upon googling around I found some interesting threads / posts including this one from 2008!
https://openvpn.net/archive/openvpn-users/2008-01/msg00073.html
which talks about dhcp option 119 but apparently that isn't supported in openvpn either.

mf69 commented

See https://github.com/OpenVPN/openvpn/blob/master/contrib/pull-resolv-conf/client.up
lines 53-56 for the (prior) behavior I was expecting.

There are differences in the way that /etc/resolv.conf and systemd-resolved behave in this regard, and this configuration is a compromise to deal with that. It's why there's also DOMAIN-ROUTE to deal with another option available in the configuration for systemd-resolved which isn't supported by /etc/resolv.conf options.

As for DOMAIN-SEARCH - anything after dhcp-option in OpenVPN is ignored by the daemon and simply passed to the up/down scripts (except in Windows, where it understands the DOMAIN or ADAPTER_DOMAIN_SUFFIX depending on your setup). That is why you won't see it documented in the man pages, as it's up to the up/down scripts to define and describe their meaning.

I've made changes to this script - see PR #67 - today that change the way DOMAIN works - it will now set the first value as the primary domain for search, and then any others will be treated the same as DOMAIN-SEARCH. Once I release v1.3.0 this should have the behaviour you expect.
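
The behaviour described in the last comment, sketched as an added example (not code from update-systemd-resolved or PR #67): the first DOMAIN becomes the primary domain and later DOMAIN values join the DOMAIN-SEARCH list. The function name, the output layout (copied from the SetLinkDomains log line above), the de-duplication and the character check on server-pushed names are assumptions of this example.

```sh
#!/bin/sh
# Added illustration, not the project's code.
# stdin : one pushed option per line, e.g. "dhcp-option DOMAIN example.com"
# stdout: "<if_index> <count> <domain> false ..." (layout assumed from the
#         SetLinkDomains log line in the issue)
build_link_domains() {
    if_index=$1
    primary="" search="" seen="" args="" count=0
    while read -r keyword option value rest; do
        [ "$keyword" = "dhcp-option" ] || continue
        # Pushed values are server-controlled: accept hostname characters only.
        case "$value" in
            ''|*[!A-Za-z0-9.-]*) continue ;;
        esac
        case "$option" in
            DOMAIN)
                if [ -z "$primary" ]; then
                    primary=$value            # first DOMAIN is the primary domain
                else
                    search="$search $value"   # later DOMAINs act as search domains
                fi
                ;;
            DOMAIN-SEARCH)
                search="$search $value"
                ;;
        esac
    done
    # Primary first, then search domains in push order, duplicates dropped.
    for d in $primary $search; do
        case " $seen " in *" $d "*) continue ;; esac
        seen="$seen $d"
        count=$((count + 1))
        args="$args $d false"
    done
    printf '%s %s%s\n' "$if_index" "$count" "$args"
}

# Constructed sample input modelled on the log in the issue.
demo() {
    build_link_domains 7 <<'EOF'
dhcp-option DNS 10.10.10.1
dhcp-option DOMAIN foo.bar.example.com
dhcp-option DOMAIN bar.example.com
dhcp-option DOMAIN example.com
dhcp-option DOMAIN-SEARCH example.com
dhcp-option DOMAIN bad;name
EOF
}
demo
```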