[Bug 1783377] Re: systemd-resolved updated by network-manager-strongswan needed to restart to use the new dns servers

Vin'c 1783377 at bugs.launchpad.net
Tue Dec 1 07:46:26 UTC 2020 

I would add

https://wiki.strongswan.org/issues/3615

- Local workaround with a script triggered in `pre-up` stage to restart service
- Explanation of upstream workaround (see previous comment/commit) that uses a dummy TUN device

---
Also the workaround we use at the moment (choose from this one or the script from [strongswan#3615](https://wiki.strongswan.org/issues/3615)) :
use `network-manager` (static) instead of `systemd-resolved`

     sudo systemctl disable systemd-resolved.service
     sudo systemctl stop systemd-resolved

Put `dns=default` in the `[main]` section of your
`/etc/NetworkManager/NetworkManager.conf`:

    [main]
    dns=default

Delete the symlink /etc/resolv.conf

    rm /etc/resolv.conf

Restart network-manager

    sudo service network-manager restart



** Bug watch added: wiki.strongswan.org/issues #3615
   https://wiki.strongswan.org/issues/3615

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1783377

Title:
  systemd-resolved updated by network-manager-strongswan needed to
  restart to use the new dns servers

Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.1 / bionic

  systemd:
    Installé : 237-3ubuntu10.3

  Fresh install on a VM, was facing a bug when connecting to strongswan
  ikev2 vpn
  (https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705)

  -> Updated from cosmic the required packages for the VPN that has the
  bug fixed (5.6.2-2):

  network-manager-strongswan:
    Installé : 1.4.4-1
    Candidat : 1.4.4-1
   Table de version :
   *** 1.4.4-1 300
          300 http://archive.ubuntu.com/ubuntu cosmic/universe amd64 Packages
          100 /var/lib/dpkg/status
       1.4.2-2 500
          500 http://fr.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
  libcharon-extra-plugins:
    Installé : 5.6.2-2ubuntu1
    Candidat : 5.6.2-2ubuntu1
   Table de version :
   *** 5.6.2-2ubuntu1 300
          300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
          100 /var/lib/dpkg/status
       5.6.2-1ubuntu2 500
          500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  libcharon-standard-plugins:
    Installé : 5.6.2-2ubuntu1
    Candidat : 5.6.2-2ubuntu1
   Table de version :
   *** 5.6.2-2ubuntu1 300
          300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
          100 /var/lib/dpkg/status
       5.6.2-1ubuntu2 500
          500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  libstrongswan-extra-plugins:
    Installé : 5.6.2-2ubuntu1
    Candidat : 5.6.2-2ubuntu1
   Table de version :
   *** 5.6.2-2ubuntu1 300
          300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
          100 /var/lib/dpkg/status
       5.6.2-1ubuntu2 500
          500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  libstrongswan-standard-plugins:
    Installé : 5.6.2-2ubuntu1
    Candidat : 5.6.2-2ubuntu1
   Table de version :
   *** 5.6.2-2ubuntu1 300
          300 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
          100 /var/lib/dpkg/status
       5.6.2-1ubuntu2 500
          500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  Before connecting the VPN, `systemd-resolve --status` shows :
           DNS Servers: 192.168.1.254 # my home box resolver

  After connecting :
           DNS Servers: 10.0.0.254    # DNS resolver provided by the VPN server
                        192.168.1.254 # my home box resolver

  This seems OK, but the resolution fails as it is still using the local DNS :
  systemd-resolved[270]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

  After issuing `systemctl reload-or-restart systemd-resolved.service`,
  everything seems fine.

  systemd-resolved[5651]: Got DNS stub UDP query packet for id 24298
  systemd-resolved[5651]: Looking up RR for my.host.inside.vpn IN A.
  systemd-resolved[5651]: Switching to DNS server 10.0.0.254 for interface enp0s3.
  systemd-resolved[5651]: Cache miss for my.host.inside.vpn IN A
  systemd-resolved[5651]: Transaction 9273 for <my.host.inside.vpn IN A> scope dns on enp0s3/*.
  systemd-resolved[5651]: Using feature level UDP+EDNS0 for transaction 9273.
  systemd-resolved[5651]: Using DNS server 10.0.0.254 for transaction 9273.

  I was hoping that `systemd-resolved` could find the new DNS without
  restarting its service after connecting to the VPN.

  Thanks for reading
  Best Regards,
  Vincent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1783377/+subscriptions

More information about the foundations-bugs mailing list