Closed mf69 closed 5 years ago
@mf69,
This is correct. There are two options available for setting domain names on a link: `DOMAIN` and `DOMAIN-SEARCH`. The former, `DOMAIN`, sets the formal domain name of the host on that link, as well as then acting as the primary search domain for bare hostnames on the VPN link. `DOMAIN-SEARCH` adds in the additional search domains, but does not set them as formal domain names for the host (there can be only one, which is why `DOMAIN` only takes the last set value).
What you probably want is either to convert them all to `DOMAIN-SEARCH`, if the formal domain name of the host isn't important, or set `DOMAIN` for `foo.bar.example.com` and `DOMAIN-SEARCH` for `bar.example.com` and `example.com`.
I hope this helps.
To be clear I was converting from the /etc/openvpn/update-resolv-conf script which handles the DOMAIN options as search domains.
OpenVPN has no such dhcp-option DOMAIN-SEARCH -- at least in the man page!?
Upon googling around I found some interesting threads / posts including this one from 2008! https://openvpn.net/archive/openvpn-users/2008-01/msg00073.html which talks about dhcp option 119 but apparently that isn't supported in openvpn either.
See https://github.com/OpenVPN/openvpn/blob/master/contrib/pull-resolv-conf/client.up lines 53-56 for the (prior) behavior I was expecting.
There are differences in the way that `/etc/resolv.conf` and `systemd-resolved` behave in this regard, and this configuration is a compromise to deal with that. It's why there's also `DOMAIN-ROUTE` to deal with another option available in the configuration for `systemd-resolved` which isn't supported by `/etc/resolv.conf` options.
As for `DOMAIN-SEARCH` - anything after `dhcp-option` in OpenVPN is ignored by the daemon and simply passed to the up/down scripts (except in Windows, where it understands the `DOMAIN` or `ADAPTER_DOMAIN_SUFFIX` depending on your setup). That is why you won't see it documented in the man pages, as it's up to the up/down scripts to define and describe their meaning.
I've made changes to this script - see PR #67 - today that change the way `DOMAIN` works - it will now set the first value as the primary domain for search, and then any others will be treated the same as `DOMAIN-SEARCH`. Once I release v1.3.0 this should have the behaviour you expect.
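The two behaviours discussed in this thread (last `DOMAIN` wins, versus first `DOMAIN` primary with the rest treated as search domains), modelled as an added illustration that is not taken from update-systemd-resolved. `link_domains` and `pushed_all_domain` are hypothetical names, and the input strings are constructed in the `dhcp-option KEY VALUE` form that OpenVPN hands to up/down scripts.

```shell
#!/bin/sh
# Added illustration: a simplified model of the DOMAIN / DOMAIN-SEARCH handling
# discussed in this thread. It is not the update-systemd-resolved source.
#
# link_domains MODE OPTION...
#   OPTION is a string in the form OpenVPN passes to up/down scripts,
#   e.g. "dhcp-option DOMAIN example.com".
#   MODE=last-wins      every DOMAIN overwrites the previous one
#   MODE=first-primary  first DOMAIN is primary; later ones become search domains
# Prints the resulting domains on one line, primary first.
link_domains() (
  mode=$1; shift
  primary=""; search=""
  for opt in "$@"; do
    case $opt in
      "dhcp-option DOMAIN "*)
        value=${opt#"dhcp-option DOMAIN "}
        if [ "$mode" = first-primary ] && [ -n "$primary" ]; then
          search="$search $value"   # later DOMAIN values act like DOMAIN-SEARCH
        else
          primary=$value            # first value, or overwrite in last-wins mode
        fi ;;
      "dhcp-option DOMAIN-SEARCH "*)
        value=${opt#"dhcp-option DOMAIN-SEARCH "}
        search="$search $value" ;;
      *) ;;                         # DNS, DOMAIN-ROUTE etc. are out of scope here
    esac
  done
  set -f                            # no globbing while the list is re-split
  set -- $primary $search
  echo "$*"
)

# Constructed input mirroring the three pushed DOMAIN options in the issue's log.
pushed_all_domain() {
  link_domains "$1" \
    "dhcp-option DNS 10.10.10.1" \
    "dhcp-option DOMAIN foo.bar.example.com" \
    "dhcp-option DOMAIN bar.example.com" \
    "dhcp-option DOMAIN example.com"
}

pushed_all_domain last-wins       # example.com
pushed_all_domain first-primary   # foo.bar.example.com bar.example.com example.com
```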
The script seems to support only 1 (the last) search domain even when multiple are passed in the openvpn push / pull options ...
```
<14>Jun 17 11:56:17 update-systemd-resolved: Link 'tun0' coming up
<14>Jun 17 11:56:17 update-systemd-resolved: Adding IPv4 DNS Server 10.10.10.1
<14>Jun 17 11:56:17 update-systemd-resolved: Adding IPv4 DNS Server 10.10.10.2
<14>Jun 17 11:56:17 update-systemd-resolved: Adding IPv4 DNS Server 10.10.10.3
<14>Jun 17 11:56:17 update-systemd-resolved: Setting DNS Domain foo.bar.example.com
<14>Jun 17 11:56:17 update-systemd-resolved: Setting DNS Domain bar.example.com
<14>Jun 17 11:56:17 update-systemd-resolved: Setting DNS Domain example.com
<14>Jun 17 11:56:17 update-systemd-resolved: SetLinkDNS(7 3 2 4 10 10 10 1 2 4 10 10 10 2 2 4 10 10 10 3)
<14>Jun 17 11:56:17 update-systemd-resolved: SetLinkDomains(7 1 example.com false)
...
$ systemd-resolve --status
...
Link 6 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.10.10.1
                      10.10.10.2
                      10.10.10.3
          DNS Domain: example.com
...
```
(Names and IPs changed to protect the innocent)