Prevent VPN from overriding my DNS!

bernd.wechner
Level 2
Posts: 83
Joined: Sat Sep 05, 2015 6:22 am

Postby bernd.wechner » Thu Jul 06, 2017 1:19 am

I have a gateway that acts as a DNS and resolves .lan names nicely. Mostly it works fine. Sometimes not.

Right now is one of those not times so it afforded me the opportunity/need to do some diagnostics.

Turns out the issue is not with the gateway. Basically:

dig @192.169.0.1 whatever.lan

works a charm. And yet:

dig whatever.lan

does not!

Why?

I find dig's output painful to say the least, so easier is nslookup and:

nslookup whatever.lan

reports:

Server:      192.168.1.10
Address:   192.168.1.10#53

** server can't find whatever.lan: NXDOMAIN


So it's using 192.168.0.10.

And now the clues start mounting. Can I force my system to use 192.168.0.1 as DNS? Seems I can't find a way. If I add it to:

$ cat /etc/resolvconf/resolv.conf.d/base
nameserver 192.168.0.1

alas it produces this:

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.10
nameserver 192.168.1.6
nameserver 192.168.0.1

and while that's sort of nice I don't know whence the first two entries come and don't want them (I think). I want resolution to happen from my gateway and switch, 192.168.0.1.

Whence cometh the first two entries, and how do I lose them or otherwise achieve resolution via 192.168.0.1?

Penny dropped and I worked it out! I have vpnc running a VPN! Killed the VPN and then all was good again. Local name resolution works:

$ nslookup whatever.lan
Server:      192.168.0.1
Address:   192.168.0.1#53

Non-authoritative answer:
Name:   whatever.lan
Address: 192.168.0.xx

Wonderful!

So the question becomes how can I say to Linux:

Use my gateway FIRST then the VPN DNS!

Why does vpnc insert DNS entries? I want to append them! I want my .lan addresses to resolve with priority!

Would love to understand how to prioritise my local DNS!
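As an added illustration (not part of the post), here is a small Python model of why the order of nameserver lines matters: the glibc resolver queries servers in file order and accepts the first reply, and an NXDOMAIN from a VPN server counts as a reply, so the gateway is never asked. The resolv.conf text, the zone contents and the 192.168.0.42 address are constructed for the example; the server addresses are the ones from the post.

```python
import re

# Constructed resolv.conf as resolvconf generated it while the VPN was up:
# vpnc's two nameservers sit ahead of the local gateway.
RESOLV_CONF_VPN_UP = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 192.168.1.10
nameserver 192.168.1.6
nameserver 192.168.0.1
"""

# Constructed view of what each server knows: only the gateway holds .lan
# names; the VPN servers answer NXDOMAIN for them.
ZONES = {
    "192.168.0.1": {"whatever.lan": "192.168.0.42"},
    "192.168.1.10": {},
    "192.168.1.6": {},
}


def nameservers(resolv_conf):
    """Return the nameserver entries in file order, ignoring comment lines."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)


def resolve(name, resolv_conf, zones=ZONES):
    """Model glibc: ask servers in order, take the first server that replies.
    NXDOMAIN is a reply, so a later server is only tried if an earlier one
    does not answer at all (here: is absent from the zone table)."""
    for ns in nameservers(resolv_conf):
        if ns not in zones:          # unreachable: move on to the next server
            continue
        return ns, zones[ns].get(name)   # (server consulted, address or None)
    return None, None


def local_dns_first(resolv_conf, gateway="192.168.0.1"):
    """The check the poster wants: is the LAN gateway the first nameserver?"""
    servers = nameservers(resolv_conf)
    return bool(servers) and servers[0] == gateway


def reorder_gateway_first(resolv_conf, gateway="192.168.0.1"):
    """Build resolv.conf contents with the gateway promoted to the top and the
    VPN servers appended after it, which is the order the poster asks for."""
    others = [ns for ns in nameservers(resolv_conf) if ns != gateway]
    return "".join(f"nameserver {ns}\n" for ns in [gateway] + others)
```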


Re: Prevent VPN from overriding my DNS!

Postby bernd.wechner » Tue Aug 22, 2017 3:11 am

Bump. Would love to hear some views on this.

I realize in the meantime it's slightly more complicated. As my router basically resolves all .lan and no-tld domains and forwards the rest onwards to my ISP's DNS, what I expect/wish vpnc to do when inserting my VPN's router is to inform my router to forward to it, not my ISP's.

So normal resolution for me looks like:

Device on my LAN -> Router DNS (resolves .lan and no-tld names) -> ISP DNS (resolves all other names)

and vpnc should ideally produce this:

Device on my LAN -> Router DNS (resolves .lan and no-tld names) -> VPN DNS (resolves all other names)

but is instead doing this:

Device on my LAN -> VPN DNS (resolves all names) -> Router DNS (names never reach it for resolution)

And my desired scenario is more complicated because the current scenario sees vpnc update /etc/resolv.conf on my LAN device (the machine vpnc runs on) and I'd like it to inform my router of an update to its DNS forwarding rules.

Which may not be possible? And it has the side effect that everyone on my LAN (family) is resolving through the VPN DNS too, but that shouldn't be an issue. It too is simply resolving LAN names at work and forwarding the rest on to its ISP DNS.
