update-systemd-resolved
Support new "DNSDefaultRoute" option?
In version 240 of systemd there's the new option DNSDefaultRoute introduced by https://github.com/systemd/systemd/pull/11050 with the following description:
> Takes a boolean argument. If true, this link's configured DNS servers are used for resolving domain names that do not match any link's configured `Domains=` setting. If false, this link's configured DNS servers are never used for such domains, and are exclusively used for resolving names that match at least one of the domains configured on this link. If not specified defaults to an automatic mode: queries not matching any link's configured domains will be routed to this link if it has no routing-only domains configured.
Probably it should be supported somehow :)
How would such support look? I'd need something similar, but I think it's not in the options we get passed from OpenVPN; my typical env looks like this:

```
foreign_option_1=dhcp-option DOMAIN [our internal domain]
foreign_option_2=dhcp-option DNS [internal dns server]
foreign_option_3=dhcp-option NTP [other internal server]
```

So "do I want DNS requests other than those for the specific internal domain to go through this link?" is more of a user decision than something we can extract from the caller environment. So far there is no config for this project; would this be reason enough to add one?

FWIW, I added a networkd-dispatcher script to set this in the meantime, but supporting this properly would be preferred, of course.
```sh
> cat /etc/networkd-dispatcher/routable.d/vpn-no-dns-defaultroute
#!/bin/sh
# disable dns lookups going through customer VPN link's DNS servers unless it's
# for their internal domain.
set -eux
case "$IFACE" in
    *vpn)
        resolvectl default-route "$IFACE" false
        ;;
esac
```
> how would such a support look?

It might look a little like this.

From the user's perspective, controlling whether `DNSDefaultRoute` is in effect for a given VPN interface happens via:

```
# Some OpenVPN client config or other
dhcp-option DEFAULT-ROUTE yes # or "no"
```

Because, handily, OpenVPN seems to support arbitrary names for dhcp-option "directives".

The support-additional-dbus-calls branch of my update-systemd-resolved fork is based on the polkit-rules-definition branch of same (it uses the systems/integration/whatever testing framework from the latter). I have a draft PR (#100) for polkit-rules-definition, and had planned to wait to submit a PR for the support-additional-dbus-calls branch. However, since there seems to be interest in supporting control over the `DNSDefaultRoute` setting, I can open a PR for that now (well, soon, anyway).
> I can open a PR for that now (well, soon, anyway).
As it turns out, perhaps "soon" was a bit optimistic... :grimacing: