jonathanio/update-systemd-resolved

Different dns resolver for domain

bhack opened this issue · 16 comments

bhack commented

Is it possible to limit the OpenVPN DNS traffic only to the OpenVPN pushed search domain?

This is how it is handled with dnsmasq:
https://www.vojcik.net/configure-different-dns-resolvers-for-domains-in-ubuntu/

At this point in time I think you would need to find a way to configure the DNS through systemd-resolved to set a search domain of . on the master DNS and then the DOMAIN and DOMAIN-SEARCH will only direct those specific queries via the VPN link.

However, there is no option to invert the search (i.e. tell systemd-resolved to NOT send selected domains) nor a way to get OpenVPN to affect the search configuration of other links.

bhack commented

There was something in systemd to limit the query for domain-limited DNS. But how can we automate this? Do we need something upstream, in OpenVPN or in systemd? A general use case is that you are on a lagged VPN and you don't want to route DNS queries for out-of-VPN domains through the VPN.

A general use case is that you are on a lagged VPN and you don't want to route DNS queries for out-of-VPN domains through the VPN.

This is often referred to as leaking DNS queries (to the DNS server accessible through the VPN connection, in this case), which might help when searching for a solution to the problem. Searching Google for systemd resolved openvpn dns leak brings up issue systemd/systemd#7182 (systemd-resolved causes dns leaks when connected via vpn), which describes the opposite problem, where someone wants all DNS queries to go through the VPN connection. Reading this issue might help understand how systemd-resolved behaves while using a VPN connection.

bhack commented

@piotr-dobrogost Yes, I know, but I always found the inverted leaking DNS problem. The inverted case is also supported by the OpenVPN block-outside-dns option.

To make it perfectly clear: you want connections to go through the VPN interface, but resolution of domain names to be done through a non-VPN interface? Is this for specific domains only or for all domains?

bhack commented

Yes, VPN DNS for VPN domains only.

bhack commented

Instead, here we can only have VPN DNS for all requests.

Yes, VPN DNS for VPN domains only.

In this case I think this is easy to configure and should work.
As Lennart Poettering states in his comment

if the domain matches at least one configured search/routing domain, then the request is sent to all interfaces that have a matching search/routing domain

it should be enough to set either DOMAIN, DOMAIN-SEARCH or DOMAIN-ROUTE per the docs at https://github.com/jonathanio/update-systemd-resolved#usage. Maybe you are hitting systemd's issue 3420 – domain-limited DNS servers should not appear as global nameservers in resolved's resolv.conf, or issue 3421 – resolved: Don't use domain-limited DNS servers for other queries (yes, I know you referenced this issue already)? What version of systemd do you have? What is your configuration (you could take a look at systemd/systemd#9335 to see what kind of information may be reported)? I also asked for clarification on what domain-specific DNS server really means at systemd/systemd#3420 (comment).

@jonathanio
What do you think about adding an additional column to the table at https://github.com/jonathanio/update-systemd-resolved#usage listing the dbus calls made for each option? This would allow more advanced users to quickly see what semantics to expect. Also, it would be nice to have some links to the systemd-resolved docs in the Notes column.
Btw, in the sentence

Requests for example.net and example.org will also be routed though to the four DNS servers listed too

either the word also or too is superfluous, and I guess though was meant to be through.

I'm happy about that. Anything which makes it easier to understand or more useful to users will get a 👍 from me! 😄

In my case, I want to use my internal DNS servers over my VPN connection to look up internal services. This is partly because some internal servers are NOT published externally, and partly because using the internal address on some services gives me more functionality. I do NOT want to look up external addresses using the internal DNS over VPN, as those may needlessly redirect me to the internal proxy and slow down those requests. i.e.:

vpn connection for 10.0.0.0/24
ns1.example.com and ns2.example.com delivered with 10...* address over vpn for use with example.com, example.net and example.org
external dns on wlan0 set to 8.8.8.8

how do I set up systemd-resolved to always use only the 10...* DNS servers for the listed domains and always use only 8.8.8.8 for any other domain?

I'd like my eth0 or wlan0 etc interfaces DNS entries to be considered global, but my vpn0 interface DNS to be domain specific.

@timriker
Take a look at https://unix.stackexchange.com/q/442598/5355. It's a different scenario, but there you will find information on how to configure routing of DNS requests for specific domains.

Thank you. I'll try something like this in my vpn startup script and see how it goes.

# Per-link DNS for vpn0: the two internal resolvers plus the domains that
# should be routed to them.
# Caveat: --set-domain=~. also makes vpn0 the default route for every other
# domain, so non-VPN lookups would still go to the 10.x servers; for the split
# described above that entry belongs on the non-VPN link (wlan0) instead.
/usr/bin/systemd-resolve \
    --interface=vpn0 \
    --set-dns=10.8.8.8 \
    --set-dns=10.4.4.4 \
    --set-domain=example.com \
    --set-domain=example.net \
    --set-domain=example.org \
    --set-domain=~.

This is certainly outside the scope of this script, as it is about configuring the VPN link only. However, I've added a section in the README.md on DNS Leakage. It covers the scenarios of preventing leakage over untrusted networks, as well as how to (try and) prevent leakage over corporate/private links too. Hopefully, this will help others.

In many cases internal DNS is the only place to look up internal hosts. Certainly the VPN should handle this.
In a few cases internal DNS will not look up external hosts, or will return invalid results. While on VPN, external DNS should be used for hosts that are external. This is particularly important if the network you are currently on is doing something like DNS64 to route external IPv4 traffic through 6to4. I'm not using that setup, just pointing out that there are other possible configurations that might need split DNS solutions.

@timriker, agreed, and to that end, I've added documentation on how to possibly manage this in the documentation, specifically by adding Domains=. to your network configuration. There is no "blacklist route" facility within systemd-resolved which would allow me to add the configuration needed to "route these domains but nothing else" through the servers on the VPN link.
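An added worked example, not code from this repository or from systemd: a small Python model of the routing-domain selection that Lennart's comment describes, run over the three configurations in this thread (`~.` on vpn0 as in the script above, `~.` on the non-VPN link as the README's DNS Leakage section suggests, and no `~.` anywhere). The scoring is an assumption that approximates current systemd-resolved (most specific matching domain wins, `~.` matches everything with specificity 0, default-route links are a last resort); older releases behaved differently.

```python
# Constructed model of how systemd-resolved picks the link(s) a query goes to.
# Not systemd code: it ignores LLMNR/mDNS/DNSSEC and only models routing domains.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Link:
    name: str
    dns: List[str]                                     # servers on this link
    domains: List[str] = field(default_factory=list)   # "example.com", "~corp", "~."


def _score(query: str, link: Link) -> Optional[int]:
    """Specificity of the best domain on `link` matching `query`.

    Label count of the most specific match; 0 for "~." (matches everything);
    -1 for a default-route link (no routing-only "~" domains) that matched
    nothing; None if the link must not see this query at all."""
    q = query.strip(".").lower()
    best = None
    for dom in link.domains:
        d = dom.lstrip("~").strip(".").lower()
        if d == "" or q == d or q.endswith("." + d):
            n = 0 if d == "" else d.count(".") + 1
            best = n if best is None else max(best, n)
    if best is None and not any(d.startswith("~") for d in link.domains):
        best = -1
    return best


def route_query(query: str, links: List[Link]) -> List[str]:
    """Names of the links whose DNS servers receive the query for `query`."""
    scores = {l.name: _score(query, l) for l in links if l.dns}
    scored = {n: s for n, s in scores.items() if s is not None}
    if not scored:
        return []
    top = max(scored.values())
    return [n for n, s in scored.items() if s == top]


VPN_DNS = ["10.8.8.8", "10.4.4.4"]          # values from the thread
VPN_DOMAINS = ["example.com", "example.net", "example.org"]

if __name__ == "__main__":
    setups = {
        "~. on vpn0 (leaks)": [Link("vpn0", VPN_DNS, VPN_DOMAINS + ["~."]), Link("wlan0", ["8.8.8.8"])],
        "~. on wlan0 (split)": [Link("vpn0", VPN_DNS, VPN_DOMAINS), Link("wlan0", ["8.8.8.8"], ["~."])],
        "no ~. anywhere": [Link("vpn0", VPN_DNS, VPN_DOMAINS), Link("wlan0", ["8.8.8.8"])],
    }
    for label, links in setups.items():
        for q in ("intranet.example.com", "www.google.com"):
            print(f"{label:22} {q:22} -> {route_query(q, links)}")
```

With `~.` on vpn0 every non-matching query goes to the VPN resolvers; with `~.` on wlan0 only the three domains reach them; with no `~.` at all both links are default routes and external names are sent to both, which is the issue 3421 behaviour discussed above.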