systemd and search domains.
Ken D'Ambrosio
ken at jots.org
Wed Jan 8 17:24:43 EST 2020
On 2020-01-08 16:22, Dennis Straffin wrote:
> Newer Ubuntu systems use systemd-resolved which doesn't seem to support split-horizon dns (at least last time I looked).
>
> One solution is to go back to using dnsmasq.
Wups. Meant to reply with this to all, earlier. Going to add verbiage
for dnsmasq, too.
==============================================================
Welp.
* I used to do the dnsmasq thing, and it works really well, but it's
kind of a pain to set up all the DNS servers and stuff for internal use,
and you occasionally get stuff wrong. It's a big enough win for VPN to
be handling that that I think I'll let it continue doing it.
* I tried Joshua's suggestion of openresolv, and it's got exactly what I
want, and happily prepends the domain to resolv.conf... until the VPN
(GlobalProtect) steps on it.
* I did some systemd reading, and realized that there's a way to do this
through systemd: edit /etc/systemd/resolved.conf. Which likewise gets
stepped on by GlobalProtect.
* I tried Ted's idea, thinking maybe I hadn't looked closely enough at
the network UI, and I was right: I hadn't! Except when I went to edit
the entries, they echoed exactly what I'd done with
/etc/systemd/resolved.conf. So it's probably fronting exactly that.
I *think* I'd be able to make it work through OpenConnect, except that
it seems OpenConnect isn't doing MFA (at least, with the GlobalProtect?)
Nutshell: clearly, it's time for a self-written inotify daemon and call
it a day. Because it's stupid easy to prepend a line with my domain
name every time the file changes, whereas I'm gettin' old trying to
figure this out through a more elegant mechanism.
Thanks for suggestions, all!
-Ken
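The "self-written inotify daemon" described above, as an added example that is not Ken's own daemon and not part of the list thread. It watches /etc/resolv.conf with the Linux inotify(7) API through ctypes (standard library only), and whenever the file is rewritten it merges a personal domain into the effective search list. The domain name on the command line, the sample paths in comments and the 65536-byte read size are assumptions for illustration.

```python
"""Keep a personal search domain in /etc/resolv.conf across VPN rewrites.

Added example: a small root-run watcher in the style Ken describes, using
the Linux inotify API via ctypes. Not the list's or any project's code.
"""
import ctypes
import ctypes.util
import os
import struct
import sys

# Event bits from <sys/inotify.h>
IN_CLOSE_WRITE = 0x00000008   # a file opened for writing was closed
IN_MOVED_TO = 0x00000080      # a file was renamed into the directory
IN_CREATE = 0x00000100        # a file or symlink was created
EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len


def merge_search_domain(content: str, domain: str) -> str:
    """Return resolv.conf text with `domain` first in the effective search list.

    resolv.conf(5): 'domain' and 'search' are mutually exclusive, and when
    several appear the LAST one wins. A separately prepended line would
    therefore be ignored; the domain has to be merged into the last directive.
    Returns `content` unchanged when the domain is already present, which is
    what keeps the daemon from reacting to its own write.
    """
    lines = content.splitlines()
    last = None
    for i, line in enumerate(lines):
        tokens = line.split()
        if tokens and tokens[0] in ("search", "domain"):
            last = i
    if last is None:
        lines.append(f"search {domain}")
    else:
        tokens = lines[last].split()
        existing = tokens[1:]
        if tokens[0] == "search" and domain in existing:
            return content
        # A 'domain' directive carries one name; turn it into a search list.
        rest = [t for t in existing if t != domain]
        lines[last] = " ".join(["search", domain] + rest)
    return "\n".join(lines) + "\n"


def ensure_domain(path: str, domain: str) -> bool:
    """Rewrite `path` in place only if needed; True when a write happened."""
    with open(path, encoding="utf-8") as fh:
        old = fh.read()
    new = merge_search_domain(old, domain)
    if new == old:
        return False
    # Write through the path (usually a symlink) instead of renaming over it,
    # so the link that NetworkManager / systemd-resolved manage is left alone.
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new)
    return True


def parse_events(buf: bytes):
    """Decode a raw inotify read() buffer into (wd, mask, name) tuples."""
    events = []
    offset = 0
    while offset + EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, offset)
        offset += EVENT_HDR.size
        raw = buf[offset:offset + length]      # NUL-padded file name
        offset += length
        events.append((wd, mask, raw.split(b"\0", 1)[0].decode()))
    return events


def open_inotify(dirs, mask=IN_CLOSE_WRITE | IN_MOVED_TO | IN_CREATE):
    """Create an inotify descriptor watching each directory in `dirs`."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.inotify_init.restype = ctypes.c_int
    libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
    libc.inotify_add_watch.restype = ctypes.c_int
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    watches = {}
    for d in dirs:
        wd = libc.inotify_add_watch(fd, d.encode(), mask)
        if wd < 0:
            raise OSError(ctypes.get_errno(), f"cannot watch {d}")
        watches[wd] = d
    return fd, watches


def main(argv):
    if len(argv) != 2:
        sys.stderr.write(f"usage: {argv[0]} DOMAIN\n")
        return 2
    domain = argv[1]
    path = "/etc/resolv.conf"
    # Watch the directory of the path AND of its symlink target (on Ubuntu the
    # link usually points into /run/systemd/resolve/), since a VPN client may
    # rewrite the target in place or swap the link itself. Directory watches
    # survive the file being replaced, which a watch on the file would not.
    real = os.path.realpath(path)
    names = {os.path.basename(path), os.path.basename(real)}
    fd, _ = open_inotify({os.path.dirname(path), os.path.dirname(real)})
    ensure_domain(path, domain)   # fix whatever is there right now
    while True:
        for _wd, _mask, name in parse_events(os.read(fd, 65536)):
            if name in names:
                ensure_domain(path, domain)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with the domain as the single argument. The merge is idempotent, so the daemon's own write produces one more event and then nothing, rather than a write loop; and because the process runs as root and touches a file every name lookup on the box trusts, it deliberately takes no other input, spawns nothing and opens no sockets.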
> * Install dnsmasq:
>
> sudo apt-get install dnsmasq
>
> * Update /etc/NetworkManager/NetworkManager.conf:
>
> [main]
>
> ...
>
> dns=dnsmasq
>
> * Add a dnsmasq config file to /etc/NetworkManager/dnsmasq.d/foo.conf with your servers:
> server=/foo.bar/bar.baz/1.2.3.4
>
> * Restart network manager:
>
> sudo service network-manager restart
>
> * You might have to stop and disable the dnsmasq and resolved units:
>
> sudo systemctl stop systemd-resolved dnsmasq
> sudo systemctl disable systemd-resolved dnsmasq
>
> * You might also have to link /etc/resolv.conf to the network manager generated one:
>
> sudo mv /etc/resolv.conf /etc/resolv.conf.orig
> sudo ln -s /run/NetworkManager/resolv.conf /etc/resolv.conf
>
> -Dennis
>
> On 1/8/20 2:37 PM, Ken D'Ambrosio wrote:
>
>> Hey, all. When I fire up my VPN, it re-writes my /etc/resolv.conf.
>> Shocker. But I *want* it to, because then all my DNS stuff is good for
>> my company. But it's NOT good for my personal domain. I'd like to have
>> that added to the search domains. I'm in Ubuntu; not sure if that
>> matters. From my reading:
>> * I can set the search domains in a per-interface manner, but that seems
>> hokey, and subject to issues if I use something (e.g., Bluetooth) to be
>> my conduit to the 'Net.
>> * /etc/resolv.conf shouldn't be manually modified as it'll just get
>> overwritten (and I don't want to make it immutable because I want it to
>> change depending on whether I'm using VPN or no)
>> * /etc/dhclient/dhclient.conf (apparently) doesn't matter any more if
>> you're running NetworkManager
>>
>> So, my question: is there an elegant, global way to set/append to my DNS
>> domain search list? Or am I just gonna wind up writing a daemon to wham
>> a resolv.conf in-place depending on the current network config?
>>
>> Thanks,
>>
>> -Ken
>> _______________________________________________
>> gnhlug-discuss mailing list
>> gnhlug-discuss at mail.gnhlug.org
>> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>