On Tuesday, September 29, 2020 9:36:38 AM MST Dan Williams wrote:
> On Tue, 2020-09-29 at 09:18 -0700, John M. Harris Jr wrote:
> > On Tuesday, September 29, 2020 5:13:48 AM MST Zbigniew Jędrzejewski-Szmek wrote:
> > > On Mon, Sep 28, 2020 at 11:41:12PM -0700, John M. Harris Jr wrote:
> > > > On Monday, September 28, 2020 9:39:17 AM MST Michael Catanzaro wrote:
> > > > > You can do this, but again, you need to use the command line. E.g.
> > > > > 'resolvectl dns tun0 8.8.8.8'
> > > > >
> > > > > We're actually no longer debating how systemd-resolved works; rather,
> > > > > we're now debating how NetworkManager chooses to configure
> > > > > systemd-resolved. systemd-resolved just does what it's told to do. It's
> > > > > actually NetworkManager that decides to split DNS according to routing
> > > > > by default as a matter of policy. It could do otherwise if it wanted
> > > > > to, but I think this is a good default. Nothing stops you from changing
> > > > > it though. :)
> > > >
> > > > Michael,
> > > >
> > > > By what mechanism does NetworkManager "split DNS according to routing"? If
> > > > it hasn't already made a request from both your cleartext and your VPN
> > > > connection's DNS servers, it has no way of knowing what network should be
> > > > used to get the right results. Routing and DNS are unrelated.
> > >
> > > NetworkManager pushes DNS server configuration (and associated bits like
> > > domain search and routing domains) over dbus to resolved. That way it
> > > "[tells resolved how to] split DNS according to routing". Of course, after
> > > the name has been resolved to an IP address, the packets to that IP address
> > > are routed too. So there is "routing" in the sense of deciding which
> > > interface is appropriate for a given DNS name and "routing" in the sense of
> > > deciding which interface is appropriate for a given IP address.
> >
> > It seems that the terminology is fairly confusing, considering it's right
> > alongside actual routing configuration. Okay, so "routing" means something
> > wildly different than you'd think with systemd-resolved, got it.
> >
> > In most cases, in order to get to a DNS server inside a VPN, your packets have
> > to have a route which can reach the IP of that server for that interface,
> > which is configured using NetworkManager (or a VPN config file, imported into
> > NM). Anyone that understands basic networking will likely be confused by this
> > terminology.
> >
> > That aside, where in NetworkManager do these "routing domains" get specified?
>
> In the connection itself (GUI or CLI), or they come from DHCP or SLAAC
> or the VPN.
>
> nmcli con mod rh-openvpn ipv4.dns-search "foobar.com"
> nmcli con mod rh-openvpn ipv4.never-default true
>
> combined with having a local caching DNS server (or resolved) enabled
> will route queries for those search domains only to the VPN-provided
> DNS servers.
>
> There are corresponding GUI boxes for these in nm-connection-editor,
> GNOME network settings, and KDE.

Dan,

This would require a list of search domains a mile long, and for the end user
to know what needs to go over the VPN anyway. Additionally, this may well break
scripts that expect a given short name complication, but end up getting it from
a different domain, since they're all in search domains now.

--
John M. Harris, Jr.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
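The following is an added example, not code from this thread, from NetworkManager or from systemd. It models the lookup "routing" Zbigniew describes: the per-link search/routing domains that NetworkManager pushes to resolved over D-Bus decide which link's DNS servers get a query (longest matching domain wins, ties are queried in parallel, and unmatched names fall back to links that still have a DNS default route). The link names, server addresses, the "foobar.com"/never-default setup from Dan's nmcli lines, the routing-only "~corp.example" entry and the "~." catch-all variant are constructed sample values; the matching rules are a simplification of resolved's behaviour and are labelled as an assumption in the code. What it makes visible is the point John raises: with only "foobar.com" on the VPN, every other name still goes to the cleartext resolver on eth0, and the way to push all lookups through the tunnel is a "~." routing domain on the VPN link rather than an ever-growing search list.

```python
# Added example (not from the thread, NetworkManager or systemd): a small model
# of how resolved picks the link(s) that answer a query, given the per-link
# domains NetworkManager configures.  All names/addresses below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    """Per-interface DNS configuration as resolved sees it."""
    name: str
    dns: List[str]          # DNS servers reachable over this link
    domains: List[str]      # search/routing domains; "~x" = routing-only, "~." = catch-all
    default_route: bool     # may this link's servers answer names that match no domain?


def _routing_name(domain: str) -> str:
    """Drop the routing-only marker: 'foobar.com' and '~foobar.com' route alike."""
    return domain[1:] if domain.startswith("~") else domain


def _match_labels(query: str, domain: str) -> Optional[int]:
    """Number of labels of `domain` that `query` matches as a suffix, or None.

    The root domain ('.' from '~.') matches every name with 0 labels, so a more
    specific routing domain on any link always beats it.
    """
    q = query.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    if d == "":
        return 0
    if q == d or q.endswith("." + d):
        return d.count(".") + 1
    return None


def route_query(query: str, links: List[Link]) -> List[str]:
    """Names of the links whose DNS servers receive `query` (several = in parallel).

    Assumed model (simplified from resolved): the link(s) carrying the longest
    matching routing domain win; if no domain matches at all, fall back to every
    link that still has a DNS default route.
    """
    best = -1
    chosen: List[str] = []
    for link in links:
        for domain in link.domains:
            labels = _match_labels(query, _routing_name(domain))
            if labels is None:
                continue
            if labels > best:
                best, chosen = labels, [link.name]
            elif labels == best and link.name not in chosen:
                chosen.append(link.name)
    if chosen:
        return chosen
    return [link.name for link in links if link.default_route]


def thread_scenario(catch_all: bool = False) -> List[Link]:
    """Constructed setup matching Dan's nmcli lines: VPN carries 'foobar.com'
    (plus a routing-only '~corp.example') and is never-default, so its servers
    only see names under those domains.  With catch_all=True the VPN instead
    carries '~.', which sends every lookup through the tunnel.
    """
    vpn_domains = ["~."] if catch_all else ["foobar.com", "~corp.example"]
    return [
        Link("eth0", ["192.0.2.53"], [], default_route=True),   # cleartext uplink
        Link("tun0", ["10.8.0.53"], vpn_domains, default_route=False),  # VPN
    ]


if __name__ == "__main__":
    for q in ["intranet.foobar.com", "db.corp.example", "example.org", "notfoobar.com"]:
        print(f"{q:22} -> {route_query(q, thread_scenario())}")
    print("example.org with '~.' on tun0 ->",
          route_query("example.org", thread_scenario(catch_all=True)))
```

Run it and compare with `resolvectl status` on a real machine: the "DNS Domain" lines per link are the `domains` above, and a link shown with a default route is `default_route=True`. Note that the `.`-boundary check is what keeps `notfoobar.com` off the VPN resolver, and that search-list completion of single-label names is not modelled here.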