
Split DNS check incorrectly uses ResolveConfSplitDNSProvider on Fedora 37

Open DamnedElric opened this issue 2 years ago • 7 comments

A bit of background:

ResolveConfSplitDNSProvider interacts with the DNS resolver using resolvconf, while ResolvedSplitDNSProvider uses resolvectl. vpn-slice decides which of these to use by inspecting /etc/resolv.conf.

If I understand things correctly, it looks for the string "/run/systemd/resolve/" in /etc/resolv.conf, which is not present on Fedora 37. Instead, it might be better to check whether resolvectl exists on the system?

Using resolvectl allows me to make the split DNS a bit more splitty with the following change (the last line is the only change).

            # route only the VPN's search domains through the tunnel resolver
            self._resolvectl(*([ 'domain', tundev ] + [ format(x) for x in domains ]))
            # register the VPN-provided nameservers on the tunnel interface
            self._resolvectl(*([ 'dns', tundev ] + [ format(x) for x in nameservers ]))
            # new line: stop the tunnel interface from being a default DNS route
            self._resolvectl(*([ 'default-route', tundev, 'false' ]))

This disables the default-route flag on the tunneled interface, which means it won't be used for DNS queries UNLESS the name is in the domains list.

Without this change, every DNS query is sent to the tunneled resolver, even if another resolver has already answered the query.

I'd submit this as a merge request, but I don't understand the code well enough to make sure that this won't break anyone else's setup. Feel free to reach out for more info.

DamnedElric avatar Apr 18 '23 13:04 DamnedElric

/etc/resolv.conf must be a symlink, where does it point to? Said otherwise, what is the output of the following command?

readlink /etc/resolv.conf

Is this issue fixed by #126?

DimitriPapadopoulos avatar May 06 '23 21:05 DimitriPapadopoulos

Seems like when using NetworkManager, /etc/resolv.conf is not a symlink and NetworkManager manages the file.

Janhouse avatar Jul 05 '23 06:07 Janhouse

According to the systemd-resolved documentation:

Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are supported:

  • systemd-resolved maintains the /run/systemd/resolve/stub-resolv.conf file for compatibility with traditional Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also contains a list of search domains that are in use by systemd-resolved. The list of search domains is always kept up-to-date. Note that /run/systemd/resolve/stub-resolv.conf should not be used directly by applications, but only through a symlink from /etc/resolv.conf. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved with correct search domains settings. This mode of operation is recommended.
  • A static file /usr/lib/systemd/resolv.conf is provided that lists the 127.0.0.53 DNS stub (see above) as only DNS server. This file may be symlinked from /etc/resolv.conf in order to connect all local clients that bypass local DNS APIs to systemd-resolved. This file does not contain any search domains.
  • systemd-resolved maintains the /run/systemd/resolve/resolv.conf file for compatibility with traditional Linux programs. This file may be symlinked from /etc/resolv.conf and is always kept up-to-date, containing information about all known DNS servers. Note the file format's limitations: it does not know a concept of per-interface DNS servers and hence only contains system-wide DNS server definitions. Note that /run/systemd/resolve/resolv.conf should not be used directly by applications, but only through a symlink from /etc/resolv.conf. If this mode of operation is used local clients that bypass any local DNS API will also bypass systemd-resolved and will talk directly to the known DNS servers.
  • Alternatively, /etc/resolv.conf may be managed by other packages, in which case systemd-resolved will read it for DNS configuration data. In this mode of operation systemd-resolved is consumer rather than provider of this configuration file.

Note that the selected mode of operation for this file is detected fully automatically, depending on whether /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf or lists 127.0.0.53 as DNS server.

As far as I know, Fedora 37 desktops are based on systemd-resolved underneath NetworkManager, in which case /etc/resolv.conf is supposed to be a symlink. Which mode does Fedora 37 support? What are the contents of /etc/resolv.conf? Are you certain this file has not been modified by other programs, such as different VPN clients? Try resetting the network configuration.

DimitriPapadopoulos avatar Jul 05 '23 08:07 DimitriPapadopoulos
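Putting the two detection criteria from this thread together (the symlink target vpn-slice inspects, plus the "lists 127.0.0.53" rule from the systemd-resolved docs quoted above, gated on the resolvectl presence check proposed in the opening post), here is an added example that classifies a host; it is not vpn-slice's own code. The sample resolv.conf is constructed, and the constant and function names are my own.

```python
import os
import shutil
from typing import List, Optional

STUB_LISTENER = "127.0.0.53"               # systemd-resolved's local DNS stub
RESOLVED_RUN_DIR = "/run/systemd/resolve/"
RESOLVED_STATIC = "/usr/lib/systemd/resolv.conf"

# Constructed sample: a NetworkManager-written /etc/resolv.conf that is a plain
# file rather than a symlink, yet routes every client through the resolved stub.
FEDORA_NM_STUB = """# Generated by NetworkManager
search example.internal
nameserver 127.0.0.53
options edns0 trust-ad
"""

def parse_nameservers(resolv_conf_text: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify_resolver(link_target: Optional[str], resolv_conf_text: str,
                      have_resolvectl: bool) -> str:
    """Return 'resolved' (drive resolvectl) or 'resolvconf'.
    link_target: readlink(/etc/resolv.conf), or None for a regular file.
    have_resolvectl: whether the binary is on PATH (the check the issue proposes).
    """
    if not have_resolvectl:
        return "resolvconf"  # nothing to drive even if resolved is running
    # Modes 1-3 of the systemd-resolved docs: a symlink into
    # /run/systemd/resolve/ or to the static stub file.
    if link_target and (RESOLVED_RUN_DIR in link_target
                        or link_target.endswith(RESOLVED_STATIC)):
        return "resolved"
    # The docs' second criterion: a plain file listing the 127.0.0.53 stub.
    if STUB_LISTENER in parse_nameservers(resolv_conf_text):
        return "resolved"
    return "resolvconf"

def classify_this_host(path: str = "/etc/resolv.conf") -> str:
    """Classify the live system; read-only and safe on non-systemd hosts."""
    target = os.readlink(path) if os.path.islink(path) else None
    text = open(path).read() if os.path.exists(path) else ""
    return classify_resolver(target, text, shutil.which("resolvectl") is not None)
```

The relative target reported later in this thread (../run/systemd/resolve/stub-resolv.conf) is matched by the substring test, so both the symlink and the plain-file layouts end up on the resolvectl path.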

I guess I commented in the wrong issue. I use Arch Linux with NetworkManager; I probably should have put my comment in #124, since that is the exact error I get.

Janhouse avatar Jul 05 '23 08:07 Janhouse

Indeed, Arch Linux is not based on systemd-resolved, and /etc/resolv.conf is not a symlink on that distribution. Does #126 fix your issue?

DimitriPapadopoulos avatar Jul 05 '23 08:07 DimitriPapadopoulos

Also see https://github.com/dlenski/vpn-slice/pull/118#issuecomment-1624177196.

dlenski avatar Jul 13 '23 19:07 dlenski

readlink /etc/resolv.conf

That outputs ../run/systemd/resolve/stub-resolv.conf

Is this issue fixed by #126?

That path seems to be the same, so hopefully the fix is also the same :+1:

Apologies for the slow reply, seems I missed the original notifications.

DamnedElric avatar Jul 14 '23 19:07 DamnedElric