jonathanio / update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus.

Reverse DNS lookup not working on local IPs #73

Closed Greelan closed 4 years ago

Greelan commented 4 years ago

Hi @jonathanio , thanks very much for your script. I've used it for some time and it addresses DNS leakage issues for me when using OpenVPN.

One behaviour though I have noticed is that using the DOMAIN ROUTE . option breaks local reverse DNS lookup. When I don't have OpenVPN running (and the script has not updated the DNS servers), I can happily do a reverse DNS lookup on local IPs. However, when the script does its work, local reverse DNS queries do not make it to the gateway (local DNS server) - they instead go over the OpenVPN tunnel and as a result return NXDOMAIN.

I realise the behaviour of DOMAIN ROUTE . is to ensure that all DNS queries not related to the DNS domain specifically associated with another interface, are routed to the default route interface. Local domain name lookups work fine, since my local domain is listed on the non-tunnel interface as the DNS domain. Is there some way of replicating that behaviour for reverse DNS lookups? That is, I want both DNS lookups on local domain names, and reverse DNS lookups on local IPs, to be directed to the local DNS server, rather than going down the tunnel.

Thanks!

piotr-dobrogost commented 4 years ago

Is https://github.com/systemd/systemd/issues/10081 related?

Greelan commented 4 years ago

Possibly is, thanks for the reference. Of course, the routing-only domain setting under update-systemd-resolved is different to that example, but it seems the underlying behaviour is equivalent.

The thread you referenced does suggest a workaround for me, by specifying the reverse DNS domains associated with the local search domain in a .network config. Clunky, but should address the issue.

If it's the case that this is a behaviour of systemd itself, then I guess it is independent of the update-systemd-resolved script and so I will close this issue.

Greelan commented 4 years ago

PS - ended up adding the reverse DNS domains to my netplan config, rather than .network, as a config created for the latter appears to be either/or with DHCP (i.e. you can't just add domains to those served by DHCP).
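The workaround discussed above relies on systemd-resolved's routing rule: a query goes to the link whose routing domain is the longest suffix match, so a LAN link carrying `~1.168.192.in-addr.arpa` wins over a VPN link carrying `~.` for reverse lookups of 192.168.1.x. The awkward part is writing the in-addr.arpa zone names by hand. The script below, an added example that is not part of this thread or of update-systemd-resolved, derives the zone name from a /8, /16 or /24 prefix and assembles the `Domains=` line for a `.network` file. The forward domain `home.lan` and the prefixes in the sample call are constructed values, not anything from the issue.

```shell
#!/bin/sh
# Added example (not from the update-systemd-resolved project).
# Derive in-addr.arpa zones for octet-aligned IPv4 prefixes and build a
# systemd-networkd Domains= line that pins the LAN forward domain and its
# reverse zones to the LAN link as routing-only domains ("~" prefix).

# rdns_zone 192.168.1.0/24 -> 1.168.192.in-addr.arpa
# Only /8, /16 and /24 are handled: other lengths do not map onto a single
# in-addr.arpa label boundary and would need several zones (or RFC 2317).
rdns_zone() {
  prefix="${1%/*}"
  bits="${1#*/}"
  oldifs="$IFS"
  IFS=.
  set -- $prefix          # split the dotted quad into positional params
  IFS="$oldifs"
  a=$1; b=$2; c=$3
  case "$bits" in
    8)  printf '%s.in-addr.arpa\n' "$a" ;;
    16) printf '%s.%s.in-addr.arpa\n' "$b" "$a" ;;
    24) printf '%s.%s.%s.in-addr.arpa\n' "$c" "$b" "$a" ;;
    *)  printf 'unsupported prefix length /%s (use /8, /16 or /24)\n' "$bits" >&2
        return 1 ;;
  esac
}

# domains_line home.lan 192.168.1.0/24 10.0.0.0/8
#   -> Domains=~home.lan ~1.168.192.in-addr.arpa ~10.in-addr.arpa
# The leading "~" makes each entry a routing-only domain, so it steers
# queries to this link without being appended as a search suffix.
domains_line() {
  fwd="$1"; shift
  line="Domains=~$fwd"
  for net in "$@"; do
    zone=$(rdns_zone "$net") || return 1
    line="$line ~$zone"
  done
  printf '%s\n' "$line"
}

# Sample run with constructed values; paste the output under [Network]
# in the LAN link's .network file, then restart systemd-networkd.
domains_line home.lan 192.168.1.0/24 10.0.0.0/8
```

After applying the line, `resolvectl domain` should list the reverse zones against the LAN link, and `resolvectl query 192.168.1.10` (any local address) should now be answered by the LAN resolver while `resolvectl query example.com` still goes down the tunnel via the VPN link's `~.` route.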

piotr-dobrogost commented 4 years ago

you can't just add domains to those served by DHCP

You might be hitting https://github.com/systemd/systemd/issues/8174

Greelan commented 4 years ago

Nah, that looks different. Thanks anyway.