[Dnssec-trigger] [Bug] incorrect DNS servers are used when network-manager connects to VPN

Tomas Hozza thozza at redhat.com
Mon Sep 15 10:46:48 UTC 2014

----- Original Message -----
> On Wed, 3 Sep 2014, Ralf Jung wrote:
> > I am using OpenConnect - it not being on your list may explain the
> > problem ;-) . I had hoped that there would be some general solution to
> > hook into NM, that doesn't require additional work for each VPN
> > provider. Is there a common infrastructure, or would I have to start
> > from scratch if I wanted to add support to OpenConnect for this?
> There is a somewhat generic method, but your VPN software gets the
> DNS servers via its VPN protocol, and it needs to expose this somehow
> to either NM or dnssec-trigger or unbound.

As Paul said, there is an integration with NM if the VPN software exposes
the necessary information to NM. The information is then read from NM by
the dnssec-trigger hooks using the libnm API.

I'm not a big fan of every VPN software re-configuring unbound on its
own. This is a really bad approach and should not be used. We should
rather use a solution that is able to configure unbound every time
in the same way for a particular network configuration. If multiple
pieces of software reconfigure unbound dynamically we may end up with
a strange configuration when the network configuration changes.

> > So unbound needs to be explicitly supported for this use by the VPN
> > providers, but dnssec-trigger can hook into that properly? After all, it
> > has to re-do the probe after the VPN connection is established.
> It should not need to re-probe. If you have VPN DNS servers, you are
> basically forced to use those. For the IPsec case, you also get a
> domain, so unbound can be told to only use those DNS servers for that
> domain. So probing it makes no sense, you need to use it anyway to get
> the internal DNS view at the other end of the VPN.
> But some VPN protocols might require you to send all DNS queries to them.
> Paul

Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

Red Hat Inc.                               http://cz.redhat.com
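The following is an added example, not code from the thread, from dnssec-trigger or from NM. It sketches the single-actor approach argued for above: derive the complete set of unbound forward zones from the current network configuration in one place, then reconcile unbound to that state, so that every network change reconfigures unbound the same way instead of each VPN client adding zones on its own. It also covers the two cases Paul describes: a VPN that supplies a domain gets a forward zone only for that domain, while a VPN that supplies none takes over the root zone (all queries). The connection records are constructed stand-ins for what a hook would read via libnm, and the `list_forwards` output format it parses is an assumption of this example; only the `unbound-control forward`, `forward off`, `forward_add` and `forward_remove` commands are real.

```python
"""Derive unbound forward zones from active connections and reconcile
unbound to them (added example; connection data is constructed)."""
import ipaddress

# Constructed sample of what a hook would read from NM via libnm: one
# wired uplink and one VPN that pushed a search domain (the IPsec case).
ACTIVE_CONNECTIONS = [
    {"iface": "eth0", "vpn": False, "dns": ["192.0.2.53"], "domains": []},
    {"iface": "tun0", "vpn": True, "dns": ["10.8.0.1", "10.8.0.2"],
     "domains": ["corp.example"]},
]


def desired_forwards(conns):
    """Return {zone: [addr, ...]} that unbound should forward to.

    - A VPN with search domains gets one forward zone per domain, so only
      names under it are sent to the VPN resolvers.
    - A VPN without any domain must receive all queries, so it owns ".".
      (If several such VPNs are active, the last one listed wins.)
    - Otherwise "." goes to the first non-VPN uplink that has resolvers.
    """
    zones, root = {}, None
    for c in conns:
        # Validate the pushed addresses before they reach unbound-control.
        addrs = [str(ipaddress.ip_address(a)) for a in c["dns"]]
        if not addrs:
            continue
        if c["vpn"]:
            if c["domains"]:
                for d in c["domains"]:
                    zones[d.rstrip(".").lower() + "."] = addrs
            else:
                root = addrs  # VPN demands all queries
        elif root is None:
            root = addrs
    if root:
        zones["."] = root
    return zones


def parse_list_forwards(text):
    """Parse `unbound-control list_forwards` output into {zone: [addrs]}.

    Assumed line format (an assumption of this example):
    'zone. IN forward [+i] addr ...'; '+'-prefixed flags are skipped.
    """
    current = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1:3] != ["IN", "forward"]:
            continue
        current[parts[0]] = [p for p in parts[3:] if not p.startswith("+")]
    return current


def reconcile(current, desired):
    """unbound-control commands turning `current` into `desired`.

    Stale zones are removed first so a VPN that went away cannot leave its
    resolvers behind; "." uses forward/forward off, other zones use
    forward_remove + forward_add so a changed zone is replaced, not stacked.
    """
    cmds = []
    for zone in sorted(current):
        if zone not in desired:
            cmds.append("unbound-control forward off" if zone == "."
                        else f"unbound-control forward_remove {zone}")
    for zone, addrs in sorted(desired.items()):
        if current.get(zone) == addrs:
            continue  # already as wanted; nothing to do
        if zone == ".":
            cmds.append("unbound-control forward " + " ".join(addrs))
        else:
            if zone in current:
                cmds.append(f"unbound-control forward_remove {zone}")
            cmds.append(f"unbound-control forward_add {zone} " + " ".join(addrs))
    return cmds


if __name__ == "__main__":
    # Constructed current state: a stale zone from a VPN that is gone, and
    # corp.example. with an outdated resolver list.
    CURRENT_STATE = ("corp.example. IN forward +i 10.8.0.1\n"
                     "old.example. IN forward 10.9.0.1\n")
    for cmd in reconcile(parse_list_forwards(CURRENT_STATE),
                         desired_forwards(ACTIVE_CONNECTIONS)):
        print(cmd)  # pipe into sh, or run via subprocess from a hook
```

Because the desired state is computed from the whole connection list every time, running the script again after any NM event is idempotent: zones that still match produce no commands, and whichever client brought a VPN up is irrelevant to the result.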
