# PBM: dnsmasq seems to ignore DNS servers across VPN

## VinzC

Hi.

Here's my N'th question about dnsmasq... I can no longer seem to have dnsmasq resolve names when connected through PPTP VPN. /etc/resolv.conf reflects what's in /etc/dnsmasq-resolv.conf plus the first line, which is 127.0.0.1 and causes DNS requests to be sent to the dnsmasq service that's running locally. Whenever I connect to a remote site using PPTP (I run pon <client name>) name resolution doesn't work and returns nothing when I query names belonging to the remote site. Name resolution against hosts that are on the Internet still works OTOH.

I'm also using OpenResolv to manage the various DNS servers I'd use. It works rather fine. So when I start a VPN connection, DNS server IPs are added to /etc/resolv.conf but before the line that designates my local network server. Hence DNS requests are sent to the remote DNS servers and then to the DNS server on the local network. OpenResolv does its work by adding the remote DNS servers to /etc/dnsmasq-resolv.conf. That works as expected.

After a couple of guesses, I tried to force dnsmasq to query the DNS servers at the other side of the VPN tunnel by removing (I commented out) the line with the IP address of my local network DNS server from /etc/dnsmasq-resolv.conf. It... Ô! worked! So the conclusion is dnsmasq doesn't seem to query the remote servers on the VPN network unless there is no local DNS server mentioned in /etc/dnsmasq-resolv.conf.

I then restored the line I deleted (I uncommented it), restarted dnsmasq and *poof* DNS queries (against the remote network) didn't work. So I'm guessing dnsmasq must probably «ignore» DNS server IPs if they belong to a VPN. I also find dnsmasq is so quick to give a response even with DNS servers that are on a remote network. I expect it to take its time to query remote DNS servers but the name resolution commands I use (like dig <remote name>) return almost immediately.

Is it a bug in dnsmasq? Or is there a way to force dnsmasq to wait a little longer for remote DNS server responses?

----------

## UberLord

You should configure two config files for dnsmasq, dnsmasq-resolv.conf and dnsmasq-resolvconf.conf, in resolvconf and dnsmasq.conf.

----------

## VinzC

I've already done that -- following your advice. Is there something more I should do?

----------

## VinzC

I've tried to use option "strict-order" but in vain.

----------

## UberLord

I think you'll have to take this to the dnsmasq mailing lists as It Works For Me (tm)

----------

## VinzC

*UberLord wrote:*

> ... It Works For Me (tm)

:Laughing:

Thanks, I also think that's the only way to go right now. But right out of curiosity, what version do you use? I have version 2.49.

----------

## UberLord

2.49 also I think. But I'm mainly NetBSD based on my testing laptop, but I doubt that's the issue here.

----------

## VinzC

Hi Roy.

I've spent a long time on dnsmasq mailing list and I now think I've understood what's going on. First off dnsmasq has no sense of priority between DNS servers it queries. It sends queries to DNS servers it knows of and uses the fastest [that replied] as the default regardless of the strict-order option.

Now with my issue, it looks like adding lines that look like

```
server=/remote.domain.name/<remote DNS server IP>
```

would do the trick. I've tried that manually but I need to restart dnsmasq -- a simple reload doesn't pick it up. Next I wonder how to change /etc/dnsmasq-resolvconf.conf accordingly when the VPN connection is made...

Before I start my VPN connection:

```
# Generated by resolvconf
server=//10.x.y.z
```

the file lists the DNS server IP addresses received by dhcpcd. After a VPN connection is made:

```
# Generated by resolvconf
enable-dbus
```

After closing any VPN connection:

```
# Generated by resolvconf
enable-dbus
```

There is something strange I don't understand here... Shouldn't that file be reset to what it was before making the connection?

----------

## UberLord

You could try making the VPN resolv.conf private, then it does what you want  :Smile: 

man resolvconf.conf describes private_interfaces

----------

## VinzC

I took my time I admit...

I emerged the latest version of openresolv (3.3.2) and here's what I get when I update DNS information, for example:

```
/etc/resolvconf.conf: line 9: private_interfaces: command not found
/etc/resolvconf.conf: line 9: private_interfaces: command not found
dnsmasq         |* Stopping dnsmasq...                                                          [ ok ]
dnsmasq         |* Starting dnsmasq...                                                          [ ok ]
/etc/resolvconf.conf: line 9: private_interfaces: command not found
/etc/resolvconf.conf: line 9: private_interfaces: command not found
/etc/resolvconf.conf: line 9: private_interfaces: command not found
```

 :Shocked: 

Have I missed something?

----------

## UberLord

I'm guessing that private_interfaces in /etc/resolvconf.conf needs an = sign  :Wink: 

----------

## VinzC

*UberLord wrote:*

> I'm guessing that private_interfaces in /etc/resolvconf.conf needs an = sign

Oops... I probably overlooked that. Thanks, I'll try common boolean values.

----------

## VinzC

```
private_interfaces
    These interfaces name servers will only be queried for the domains listed in
    their resolv.conf.  This is equivalent to the resolvconf -p option.
```

Sorry, Roy, I don't understand what I'm supposed to put there... Should I just put [remote, private] name server IP addresses (space separated), or just true/false, 0/1, or interface names? What I find misleading is "This is equivalent to the resolvconf -p option", and that option takes no value, hence I didn't even expect an "=" there... Should I also create a list of resolv.conf files for all these IPs?

Would I dare ask for an example, if you don't mind?...

Thanks.

EDIT: I tried private_interfaces=ppp[0-9]* (without being too sure) and started a new VPN connection... No change: my remote servers are still unknown, /etc/dnsmasq-resolvconf.conf still contains only that "enable-dbus" line, nothing else. Feeling desperate now...

EDIT: I'm now running dnsmasq-2.50.

```
/var/run/resolvconf/:
total 8
drwxr-xr-x 2 root root 4096 nov  9 14:34 interfaces
drwx------ 2 root root 4096 aoû  9 01:02 metrics

/var/run/resolvconf/interfaces:
total 8
-rw-r--r-- 1 root root 119 nov  9 08:24 bond0
-rw------- 1 root root  78 nov  9 14:34 ppp0
```

```
# Generated by ppp for ppp0
nameserver 192.168.x.8
nameserver 192.168.x.254
```

```
$ ping machine.remote.tld
ping: unknown host machine.remote.tld
```

 (not using real names, of course)

I don't understand anything anymore...

EDIT: Well, this time at least I only need to restart dnsmasq and I no longer need to edit /etc/dnsmasq-resolvconf.conf... But then local names are unknown... exactly as if I didn't have dnsmasq/resolvconf, i.e. as if /etc/resolv.conf had been overwritten with the VPN's resolver. |-( ...

EDIT: Lastly, poff no longer cleans remote NS IP addresses from either /etc/resolv.conf or /etc/dnsmasq-resolv.conf...

----------

## UberLord

The current version only supports an exact match on private_interfaces; a shell match list is not supported.

```
private_interfaces="pppoe0"
```

*Quote:*

> EDIT: Lastly, poff no longer cleans remote NS IP addresses from either /etc/resolv.conf or /etc/dnsmasq-resolv.conf...

poff probably does not know about resolvconf. It needs to be told.

----------

## VinzC

*UberLord wrote:*

> poff probably does not know about resolvconf. It needs to be told.

I understand, yet how? I just wonder why pon seems kind of "aware" of openresolv (since dnsmasq-resolv.conf seems to be changed somehow when a connection is made) but poff doesn't. Unless I'm again totally mistaken, which I still completely ignore in fact. [Note it also seemed to work with poff before I upgraded and then started to play with openresolv.]

Given the amount of time (i.e. months) I've been trying to make this all work, would you mind sharing some examples so that I understand what I'm doing? E.g. what is the "private_interfaces" clause supposed to do (i.e. create files, where, what for) so that I can check it's working? Knowing I use exclusively pon and poff for my VPN connections, what should I check first to make sure everything is ready to work with openresolv?

----------

## UberLord

To demonstrate private_interfaces with examples.

```
# resolvconf.conf
private_interfaces=

# resolv.conf for vpn0
nameserver 1.2.3.4
domain foo.org

# resolv.conf for eth0
nameserver 5.6.7.8
domain bar.com

# dnsmasq-resolv.conf
nameserver 5.6.7.8
nameserver 1.2.3.4

# dnsmasq-resolvconf.conf
server=/bar.com/5.6.7.8
server=/foo.org/1.2.3.4
```

```
# resolvconf.conf
private_interfaces=vpn0

# resolv.conf for vpn0
nameserver 1.2.3.4
domain foo.org

# resolv.conf for eth0
nameserver 5.6.7.8
domain bar.com

# dnsmasq-resolv.conf
nameserver 5.6.7.8

# dnsmasq-resolvconf.conf
server=/bar.com/5.6.7.8
server=/foo.org/1.2.3.4
```

If you can improve the description in the resolvconf man page, please tell me how  :Smile: 

As to poff not working with resolvconf, simply do "resolvconf -l" either side of a poff call to check that the entry is in fact removed.
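The two cases above, worked through as an added example (not openresolv's code, and not from the thread): a small POSIX sh model of what the openresolv dnsmasq subscriber derives from the per-interface resolv.conf files under /var/run/resolvconf/interfaces once private_interfaces is set. The interface names, addresses and domains are constructed for the example, and interface ordering is simplified to alphabetical (the real tool applies interface_order and metrics). The security point worth checking with it: with private_interfaces empty, every query dnsmasq makes, including LAN-internal and Internet names, may end up answered by the remote site's resolver; with the VPN interface listed as private, that resolver only ever sees queries for its own domain.

```shell
#!/bin/sh
# Added example, not openresolv's own code: models how the dnsmasq subscriber
# turns per-interface resolv.conf files plus private_interfaces into
#   dnsmasq-resolv.conf      (nameservers queried for everything) and
#   dnsmasq-resolvconf.conf  (server=/domain/ip lines, queried for that domain only).
# Interface ordering is simplified to alphabetical; names and addresses are constructed.

# nameservers listed in resolv.conf file $1, one per line
ns_of() { awk '$1 == "nameserver" { print $2 }' "$1"; }

# domain/search names listed in resolv.conf file $1, space separated
domains_of() {
    awk '$1 == "domain" || $1 == "search" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# is interface $1 in the private_interfaces list $2? (exact match, as in openresolv 3.3)
is_private() {
    for p in $2; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# dnsmasq-resolv.conf: nameservers of every non-private interface in directory $1
gen_dnsmasq_resolv() {
    dir=$1; priv=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        iface=${f##*/}
        is_private "$iface" "$priv" && continue
        ns_of "$f" | sed 's/^/nameserver /'
    done
}

# dnsmasq-resolvconf.conf: server=/domain/ip for every interface that carries a
# domain, private or not; this is what sends remote.example to the VPN resolver only
gen_dnsmasq_resolvconf() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for dom in $(domains_of "$f"); do
            for ns in $(ns_of "$f"); do
                printf 'server=/%s/%s\n' "$dom" "$ns"
            done
        done
    done
}

# constructed sample: a LAN interface (bond0) and a PPTP interface (ppp0)
make_sample_dir() {
    d=$(mktemp -d)
    printf 'nameserver 10.0.0.1\ndomain lan.example\n' > "$d/bond0"
    printf 'nameserver 192.168.9.8\nnameserver 192.168.9.254\ndomain remote.example\n' > "$d/ppp0"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_dir)
    echo "# dnsmasq-resolv.conf, private_interfaces empty"; gen_dnsmasq_resolv "$d" ""
    echo "# dnsmasq-resolv.conf, private_interfaces=ppp0";  gen_dnsmasq_resolv "$d" "ppp0"
    echo "# dnsmasq-resolvconf.conf";                        gen_dnsmasq_resolvconf "$d"
    rm -rf "$d"
fi
```

Run it with `sh model.sh demo` to print the three fragments, then compare them with what `resolvconf -l` and the generated /etc/dnsmasq-resolv.conf show on the live system; if the ppp0 nameservers still appear in dnsmasq-resolv.conf after setting private_interfaces, the setting is not being read (as with the missing "=" earlier in the thread).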

----------

## VinzC

*UberLord wrote:*

> To demonstrate private_interfaces with examples.


*UberLord wrote:*

> As to poff not working with resolvconf, simply do "resolvconf -l" either side of a poff call to check that the entry is in fact removed.

Now I'm wondering if it wouldn't be simpler (for me at least) if I just intercepted calls to pon/poff to just add nameserver clauses to dnsmasq configuration files instead. I think it's all I need to reach my local network even though a VPN connection is active. I've been told in the lists the least to do is add the appropriate server=/domain/ip clauses to the configuration, which I can always do from ip-up and ip-down wrapper scripts, right?

I will need to prevent /etc/resolv.conf from being overwritten, which is the main reason I installed openresolv. Maybe the latter best fits more difficult use cases, I don't know. Another issue is I'm not sure DNS domain names are sent by pptp daemon so only the VPN client knows what domain names the connection serves, right?

 *UberLord wrote:*   

> If you can improve the description in the resolvconf man page, please tell me how 

 

Sure. Some examples like the ones you gave are welcome. You should also explain where to find the various files we may find after openresolv has been configured. For example, I searched many places in vain before I ended up in /var/run/resolvconf/{interfaces,metrics}. Good to know what these directories are for -- it might be obvious for an experienced user but that doesn't apply to me, obviously  :Wink:  .

I also wondered (and still am) how openresolv interacts with name resolution just by adding several files in strategic places. That'd be nice to describe as well.

The resolvconf -l command is also worth some words, just like you've explained. I suppose I'm not the only one who uses pon and poff instead of [bloody] NetworkManager [from Hell].
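One way to do what the "needs to be told" remark and the ip-up/ip-down wrapper idea above describe, as an added example that is not part of the thread and not pppd's or openresolv's own code: a pppd hook that hands the peer's nameservers to `resolvconf -a` on pon and removes them with `resolvconf -d` on poff, so /etc/resolv.conf and dnsmasq-resolv.conf are cleaned on both. pppd passes the interface name as the first argument and exports DNS1 and DNS2 when usepeerdns is set; since PPTP does not carry a domain, the example takes it from ipparam (assumed to be set with `ipparam remote.example` in the peer file). RESOLVCONF_CMD is this example's own knob for pointing at a stub while testing, not an openresolv variable.

```shell
#!/bin/sh
# Added example, not pppd's or openresolv's code: ip-up / ip-down hook that
# registers and removes a PPP link's resolvers with openresolv.
#
# pppd calls the hook as: SCRIPT IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# and, with "usepeerdns" in the peer file, exports DNS1 and DNS2.
# PPTP sends no domain, so it is taken from IPPARAM ("ipparam remote.example"
# in the peer file is an assumption of this example).

# Print the resolv.conf fragment resolvconf expects on stdin:
#   $1 = domain (may be empty), remaining args = nameservers (empty ones skipped)
resolv_fragment() {
    dom=$1; shift
    [ -n "$dom" ] && printf 'domain %s\n' "$dom"
    for ns in "$@"; do
        [ -n "$ns" ] && printf 'nameserver %s\n' "$ns"
    done
    return 0
}

# Register (up) or remove (down) interface $2's resolvers; $3 is the domain,
# further args are nameservers. RESOLVCONF_CMD lets a test substitute a stub.
register_ppp_dns() {
    mode=$1; iface=$2; dom=$3; shift 3
    case $mode in
    up)   resolv_fragment "$dom" "$@" | "${RESOLVCONF_CMD:-resolvconf}" -a "$iface" ;;
    down) "${RESOLVCONF_CMD:-resolvconf}" -d "$iface" ;;
    *)    echo "register_ppp_dns: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Entry point when pppd runs us: the script name decides between up and down,
# so one file can be linked from both ip-up.d and ip-down.d.
ppp_hook_main() {
    case ${0##*/} in
    *down*) mode=down ;;
    *)      mode=up ;;
    esac
    register_ppp_dns "$mode" "$1" "${6:-}" "${DNS1:-}" "${DNS2:-}"
}

# Only act when invoked by pppd (first argument is a pppN interface).
case ${1:-} in
ppp[0-9]*) ppp_hook_main "$@" ;;
esac
```

Install it under /etc/ppp/ip-up.d/ with a link whose name contains "down" under /etc/ppp/ip-down.d/ (on systems whose /etc/ppp/ip-up and ip-down run those directories; otherwise call it from those two scripts), then check `resolvconf -l` either side of poff, as suggested above, to confirm the ppp0 entry appears on pon and is gone after poff.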

----------

## UberLord

*VinzC wrote:*

> *UberLord wrote:* If you can improve the description in the resolvconf man page, please tell me how
>
> Sure. Some examples like the ones you gave are welcome. You should also explain where to find the various files we may find after openresolv has been configured. For example, I searched many places in vain before I ended up in /var/run/resolvconf/{interfaces,metrics}. Good to know what these directories are for -- it might be obvious for an experienced user but that doesn't apply to me, obviously.
>
> I also wondered (and still am) how openresolv interacts with name resolution just by adding several files in strategic places. That'd be nice to describe as well.
> ...

private_interfaces is documented in resolvconf.conf(5).

/var/run/resolvconf and resolvconf -l are documented in resolvconf(8).

I've documented how the subscribers (dnsmasq, named) react with resolvconf here:

http://roy.marples.name/projects/openresolv/changeset/e0710e98a3c9254c7984e7bffb021d73edab66a0

This should be good enough.

But to solve your issue, we are rapidly heading nowhere fast.

Now, to solve this I think we should take this to email as I'll need to know your exact config files, resolvconf -l output and the dnsmasq files produced. None of this is really suitable for forum posts.

Email me at roy@marples.name

----------

