On Tue, 2020-09-29 at 09:18 -0700, John M. Harris Jr wrote:
> On Tuesday, September 29, 2020 5:13:48 AM MST Zbigniew Jędrzejewski-Szmek
> wrote:
> > On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wrote:
> > > On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro wrote:
> > > > You can do this, but again, you need to use the command line. E.g.
> > > > 'resolvectl dns tun0 8.8.8.8'
> > > >
> > > > We're actually no longer debating how systemd-resolved works; rather,
> > > > we're now debating how NetworkManager chooses to configure
> > > > systemd-resolved. systemd-resolved just does what it's told to do. It's
> > > > actually NetworkManager that decides to split DNS according to routing
> > > > by default as a matter of policy. It could do otherwise if it wanted
> > > > to, but I think this is a good default. Nothing stops you from changing
> > > > it though. :)
> > >
> > > Michael,
> > > By what mechanism does NetworkManager "split DNS according to routing"?
> > > If it hasn't already made a request from both your cleartext and your
> > > VPN connection's DNS servers, it has no way of knowing what network
> > > should be used to get the right results. Routing and DNS are unrelated.
> >
> > NetworkManager pushes DNS server configuration (and associated bits like
> > domain search and routing domains) over dbus to resolved. That way it
> > "[tells resolved how to] split DNS according to routing". Of course, after
> > the name has been resolved to an IP address, the packets to that IP
> > address are routed too. So there is "routing" in the sense of deciding
> > which interface is appropriate for a given DNS name and "routing" in the
> > sense of deciding which interface is appropriate for a given IP address.
>
> It seems that the terminology is fairly confusing, considering it's right
> alongside actual routing configuration. Okay, so "routing" means something
> wildly different than you'd think with systemd-resolved, got it.
>
> In most cases, in order to get to a DNS server inside a VPN, your packets
> have to have a route which can reach the IP of that server for that
> interface, which is configured using NetworkManager (or a VPN config file,
> imported into NM). Anyone that understands basic networking will likely be
> confused by this terminology.
>
> That aside, where in NetworkManager do these "routing domains" get
> specified?
In the connection itself (GUI or CLI), or they come from DHCP or SLAAC or the
VPN.

nmcli con mod rh-openvpn ipv4.dns-search "foobar.com"
nmcli con mod rh-openvpn ipv4.never-default true

combined with having a local caching DNS server (or resolved) enabled will
route queries for those search domains only to the VPN-provided DNS servers.

There are corresponding GUI boxes for these in nm-connection-editor, GNOME
network settings, and KDE.
Dan
> --
> John M. Harris, Jr.
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org