[Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS

Nicholas Stommel 1624317 at bugs.launchpad.net
Tue Jun 6 07:43:28 UTC 2017 

>From the Debian man pages, it seems like this is not in fact a problem
of systemd itself, as it allows for domain routing exclusively for dns
servers on a single interface using the routing-only domain. My patch
effectively just tells the  NetworkManager to make a systemd bus call
for the routing-only domain when the connection is a vpn tun or tap
link. In fact, this feature of systemd, the routing-only domain, is a
marked improvement from the glibc API, which has no equivalent concept
of dns servers limited to a system link. The SetLinkDomains method of
the systemd-resolved API allows for this behavior.

>From SYSTEMD.NETWORK(5):

"The "routing-only" domain "~." (the tilde indicating definition of a routing domain, the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) has special effect. It causes all DNS traffic which does not match another configured domain routing entry to be routed to DNS servers specified for this interface. This setting is useful to prefer a certain set of DNS servers if a link on which they are connected is available.
 
This setting is read by systemd-resolved.service(8). "Search domains" correspond to the domain and search entries in resolv.conf(5). Domain name routing has no equivalent in the traditional glibc API, which has no concept of domain name servers limited to a specific link."

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1624317

Title:
  systemd-resolved breaks VPN with split-horizon DNS

Status in systemd:
  New
Status in network-manager package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  I use a VPN configured with network-manager-openconnect-gnome in which
  a split-horizon DNS setup assigns different addresses to some names
  inside the remote network than the addresses seen for those names from
  outside the remote network.  However, systemd-resolved often decides
  to ignore the VPN’s DNS servers and use the local network’s DNS
  servers to resolve names (whether in the remote domain or not),
  breaking the split-horizon DNS.

  This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
  https://bugzilla.redhat.com/show_bug.cgi?id=1151544

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1624317/+subscriptions

More information about the foundations-bugs mailing list