slingamn / namespaced-openvpn

Wrapper for OpenVPN on Linux solving various privacy issues
MIT License
320 stars 45 forks

Namespace DNS resolver is pushed to the global resolver configuration #11

Closed Asuranceturix closed 5 years ago

Asuranceturix commented 5 years ago

I seem to be experiencing the opposite of issue #7. In my case, when the VPN is not active, the contents of /etc/resolv.conf are:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

However, whenever I start the VPN (namespaced-openvpn --namespace vpn --writepid foo.pid --log bar.log --daemon --config foobar.ovpn --daemon), the server pushes its DNS server and somehow it ends up prepended to /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 1.2.3.4
nameserver 127.0.0.53

The line nameserver 1.2.3.4 is the only contents of /etc/netns/vpn/resolv.conf. When I kill the OpenVPN process, /etc/resolv.conf reverts to its original contents. What am I doing wrong?
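A quick way to confirm the symptom described in this report is to compare the nameservers in the namespace's resolver file with those in the root namespace's /etc/resolv.conf. The script below is an added example, not code from namespaced-openvpn or from the thread; the two paths it takes as arguments are whatever you point it at (the real files would be /etc/netns/vpn/resolv.conf and /etc/resolv.conf, as in the report), and the demo at the end runs on constructed copies that reproduce the leaked layout.

```shell
#!/bin/sh
# Added example (not part of namespaced-openvpn): report nameservers that appear
# both in a network namespace's resolv.conf and in the global /etc/resolv.conf.
# Such overlap is the symptom of the resolvconf(8) interaction described in the issue.

# Print the nameserver addresses of a resolv.conf-style file, one per line.
# Comment lines start with '#', so their first field never matches.
nameservers_in() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print each nameserver of $1 (namespace file) that also appears in $2 (global file).
# Returns 0 when nothing overlaps, 1 when at least one address was found in both.
leaked_nameservers() {
    ns_file=$1
    global_file=$2
    leaked=0
    for ns in $(nameservers_in "$ns_file"); do
        if nameservers_in "$global_file" | grep -qxF "$ns"; then
            echo "$ns"
            leaked=1
        fi
    done
    return $leaked
}

# Demonstration on constructed files (not real system files) that mirror the
# report: the namespace resolver 1.2.3.4 has been prepended to the global file.
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 1.2.3.4\n' > "$dir/netns-vpn-resolv.conf"
    printf '%s\n' '# Dynamic resolv.conf(5) file generated by resolvconf(8)' \
        'nameserver 1.2.3.4' 'nameserver 127.0.0.53' > "$dir/resolv.conf"
    if leaked_nameservers "$dir/netns-vpn-resolv.conf" "$dir/resolv.conf"; then
        echo "no namespace nameservers found in the global resolv.conf"
    else
        echo "the nameservers above leaked from the namespace into the global resolv.conf"
    fi
    rm -rf "$dir"
}

demo
```

Run `leaked_nameservers /etc/netns/vpn/resolv.conf /etc/resolv.conf` (adjusting the namespace name) before and after starting the VPN; a non-zero exit with addresses printed means the pushed DNS server is visible to the root namespace, which is exactly the leak the reporter saw. An address that you intentionally configured in both places will also be reported, so read the output with your own configuration in mind.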

slingamn commented 5 years ago

Interesting. Are you running NetworkManager? This is possibly a bad interaction with NetworkManager's openvpn integration. Here's a precedent: https://bugzilla.redhat.com/show_bug.cgi?id=1172012

There are several possible resolutions to this issue, some involving code changes to namespaced-openvpn. (Others might involve reconfiguring or removing one of these packages: NetworkManager, NetworkManager-openvpn, or resolvconf.) I'm interested in getting more information about your setup:

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53

I am currently recommending (in the "DNS hardening" section of the README) that people not use resolvconf(8), for related but distinct reasons. And it seems possible that removing or disabling resolvconf will fix your problem. However, systemd-resolved also has issues. And the typical user may not be able to do without some means of automatically updating /etc/resolv.conf in the root namespace.

Asuranceturix commented 5 years ago

The machine runs Ubuntu 18.04 (no NetworkManager or friends) and resolvconf was still lingering from the previous version before the upgrade (16.04). As you point out, they seem to interact badly, because I have removed resolvconf and now it looks like it works as expected.

Thanks for the suggestions and sorry for the troubles.

slingamn commented 5 years ago

No worries! Reports like this are very useful.

You might want to take a look at the "DNS hardening" section of the README to see if the cautions about systemd-resolved apply to you.