Hi Farkas,
I think you need more traditional dns cache like dnsmasq or unbound. I
don't think there is a good syntax to configure per-domain nameservers,
which would be implementation independent. I think the way to go would
be to make forwarding declarations on VPN provided nameservers. It would
work well with autoconfiguration, systemd-resolved would be able to
configure it.
In other words, do not bring the complexity to clients with resolved.
Instead, just list all domains with special nameservers in VPN
dns.search. Prefix them with ~ to avoid using them to search. Just
ensure VPN only domain names are sent to VPN provided DNS. Let proper
DNS implementations handle forwarding internally, with possible caching.
That way, you will have on client just set of domains coming from the
interface and set of servers handling them. Forwarding to specific
nameservers for every domain would be handled only at dns resolvers of
VPN, not client side.
Just configure both 1.2.3.4 and 5.6.7.8 to forward all names valid for
the VPN. Domains not authoritative on them forward away. If not
possible, create one cache instance with all forwards, which only would
be offered by VPN connection. Even when dnsmasq or unbound would be able
to configure those domains, there is no good auto-configuration protocol
to make it working out of the box. You would need prepare manual
configuration solution, which would be difficult to handle in all cases.
Especially for mobile devices. I think it would be easier to manage,
especially long term.
Just my 2 cents
Petr
On 27. 04. 23 14:46, Farkas Levente wrote:
Hi,
I already read many docs about systemd-resolved, but still to able to
solve my very simple use case for name resolution.
Suppose we've two (not only one!) private/internal domain and both of
them have a separate dns server. eg:
- domain: a.com dns: 1.2.3.4
- domain: b.com dns: 5.6.7.8
Assume we use a vpn and we only access to these domains and dns
servers only when we connect to the vpn. What's more we use some
wireguard vpn solutions like tailscale, netbird or netmaker. This is
important since these has it's own internal dns servers and domains.
The dns servers usually listen on the local ip address of the
wireguard interface eg:
- domain: netbird.cloud dns: 100.76.1.2
This means i've 2 interface:
- enp6s0 (lan)
- wt0 (wireguard)
What I'd like to achieve:
- if the vpn is not connected
- all dns query goes to 8.8.8.8
- if vpn is connected:
- netbird.cloud goes to 100.76.1.2
- a.com goes through wt0 to 1.2.3.4
- b.com goes through wt0 to 5.6.7.8
- all other domain goes to 8.8.8.8
- and of course my search domains netbird.cloud a.com b.com
as far as i see systemd-resolved assume all dns on the same interface
has the same role and serve the same domains (which is not true in
this case). if I start systemd-netword i've only one list for DNS and
one for domains. Even though I can define
DNS=100.76.1.2%wt0#netbird.cloud 1.2.3.4%wt0#a.com 5.6.7.8%wt0#b.com
but it's not working. And if I also add
Domains=netbird.cloud a.com b.com
that's not help either.
So can I configure more domain to different dns server(s) on the same
interface or not? How can I configure more dns servers for one domain?
eg a.com can have 2 dns servers?
What's more if it's as laptop and I can go to the office where the
a.com and b.com domain no longer required to route (since these are
the internal domains) BUT the vpn connection still required and the
netbird.cloud domain still should have to be resolved on the wt0
interface, than I can't put this into network interface specific
.network config file since the wt0 is up both at the office and at home.
IMHO this is a very realistic setup where i've more than one domain
and more then one dns servers.
Is it currently not possible or just way too complicated?
Thanks in advance.
Regards.
ps. anyway this 1.2.3.4%wt0#a.com configuration reminds me to the old
sendmail config files. which was so cryptic that no one can configure.
--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
