[Dnssec-trigger] [Bug] incorrect DNS servers are used when network-manager connects to VPN

Paul Wouters paul at nohats.ca
Thu Sep 4 12:32:46 UTC 2014


On Wed, 3 Sep 2014, Ralf Jung wrote:

> I am using OpenConnect - it not being on your list may explain the
> problem ;-) . I had hoped that there would be some general solution to
> hook into NM, that doesn't require additional work for each VPN
> provider. Is there a common infrastructure, or would I have to start
> from scratch if I wanted to add support to OpenConnect for this?

There is a somewhat generic method, but your VPN software gets the
DNS servers via its VPN protocol, and it needs to expose this somehow
to either NM or dnssec-trigger or unbound.

> So unbound needs to be explicitly supported for this use by the VPN
> providers, but dnssec-trigger can hook into that properly? After all, it
> has to re-do the probe after the VPN connection is established.

It should not need to re-probe. If you have VPN DNS servers, you are
basically forced to use those. For the IPsec case, you also get a
domain, so unbound can be told to only use those DNS servers for that
domain. So probing it makes no sense, you need to use it anyway to get
the internal DNS view at the other end of the VPN.

But some VPN protocols might require you to send all DNS queries to them.

Paul
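The per-domain forwarding Paul describes (tell unbound to use the VPN's DNS servers only for the VPN's domain, or for everything when the VPN insists on seeing all queries) can be driven from a NetworkManager dispatcher script. The script below is an added example, not part of this thread, of dnssec-trigger, or of NetworkManager; it uses the `VPN_IP4_DOMAINS` / `VPN_IP4_NAMESERVERS` variables NetworkManager exports on `vpn-up` and the `forward_add`, `forward_remove` and `flush_zone` commands of `unbound-control`. The install path and the state directory are assumptions, and a real deployment would have to coordinate with dnssec-trigger's own reconfiguration of unbound rather than bypass it.

```shell
#!/bin/sh
# Hypothetical NetworkManager dispatcher script (added example; not from
# dnssec-trigger or NetworkManager). On vpn-up, point a running unbound
# at the VPN-supplied DNS servers for the VPN's search domain(s); on
# vpn-down, remove those forwards again. Assumed install path:
#   /etc/NetworkManager/dispatcher.d/90-vpn-unbound-forward
#
# NetworkManager passes the interface as $1 and the action as $2, and on
# vpn-up exports VPN_IP4_DOMAINS and VPN_IP4_NAMESERVERS (space separated).
# UNBOUND_CONTROL can be overridden (e.g. to "echo") for a dry run.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
STATE_DIR="${STATE_DIR:-/run/vpn-unbound-forward}"   # assumed location

# Print the unbound-control argument list that forwards DOMAIN to the
# given servers. "+i" also marks the zone insecure: internal VPN zones
# are normally unsigned and would otherwise fail DNSSEC validation. The
# root zone "." (the "send everything to the VPN" case) is forwarded
# without "+i", because that would switch validation off globally.
# Returns 1 and prints nothing if the domain or the server list is missing.
build_forward_add() {
    domain="$1"; shift
    [ -n "$domain" ] && [ $# -gt 0 ] || return 1
    if [ "$domain" = "." ]; then
        printf 'forward_add %s' "$domain"
    else
        printf 'forward_add +i %s' "$domain"
    fi
    for ns in "$@"; do printf ' %s' "$ns"; done
    printf '\n'
}

# Decide which zones to forward: the VPN's domains if it sent any,
# otherwise the root zone so every query goes over the VPN.
forward_zones() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '.\n'; fi
}

vpn_up() {
    iface="$1"
    mkdir -p "$STATE_DIR"
    for domain in $(forward_zones "$VPN_IP4_DOMAINS"); do
        # shellcheck disable=SC2086  # word splitting is intended here
        args=$(build_forward_add "$domain" $VPN_IP4_NAMESERVERS) || continue
        $UNBOUND_CONTROL $args
        echo "$domain" >> "$STATE_DIR/$iface"
    done
}

vpn_down() {
    iface="$1"
    [ -f "$STATE_DIR/$iface" ] || return 0
    while read -r domain; do
        $UNBOUND_CONTROL forward_remove "$domain"
        # Drop answers cached from the VPN's view of the zone.
        $UNBOUND_CONTROL flush_zone "$domain"
    done < "$STATE_DIR/$iface"
    rm -f "$STATE_DIR/$iface"
}

case "$2" in
    vpn-up)   vpn_up "$1" ;;
    vpn-down) vpn_down "$1" ;;
esac
```

Dry-run it by hand with `UNBOUND_CONTROL=echo STATE_DIR=/tmp/x VPN_IP4_DOMAINS=corp.example VPN_IP4_NAMESERVERS='10.0.0.1 10.0.0.2' sh 90-vpn-unbound-forward tun0 vpn-up` to see the exact `unbound-control` invocations before letting NetworkManager run it.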


