<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p id="reply-intro">On 2020-01-08 16:22, Dennis Straffin wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><!-- html ignored --><!-- head ignored --><!-- meta ignored --> <tt>Newer Ubuntu systems use systemd-resolved which doesn't seem to support split-horizon dns (at least last time I looked).<br /><br />One solution is to go back to using dnsmasq.<br /></tt></blockquote>
<p>Wups. Meant to reply with this to all, earlier. Going to add verbiage for dnsmasq, too.</p>
<p>==============================================================</p>
<p>Welp.</p>
<p>* I used to do the dnsmasq thing, and it works really well, but it's kind of a pain to set up all the DNS servers and stuff for internal use, and you occasionally get stuff wrong. It's a big enough win for VPN to be handling that that I think I'll let it continue doing it.</p>
<p>* I tried Joshua's suggestion of openresolv, and it's got exactly what I want, and happily prepends the domain to resolv.conf... until the VPN (GlobalProtect) steps on it.</p>
<p>* I did some systemd reading, and realized that there's a way to do this through systemd: edit /etc/systemd/resolved.conf. Which likewise gets stepped on by GlobalProtect</p>
<p>* I tried Ted's idea, thinking maybe I hadn't looked closely enough at the network UI, and I was right: I hadn't! Except when I went to edit the entries, they echoed exactly what I'd done with /etc/systemd/resolved.conf. So it's probably fronting exactly that.</p>
<p>I *think* I'd be able to make it work through OpenConnect, except that it seems OpenConnect isn't doing MFA (at least, with the GlobalProtect?) Nutshell: clearly, it's time for a self-written inotify daemon and call it a day. Because it's stupid easy to prepend a line with my domain name every time the file changes, whereas I'm gettin' old trying to figure this out through a more elegant mechanism.</p>
<p>Thanks for suggestions, all!</p>
<p>-Ken</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><tt><br />* Install dnsmasq:<br /></tt>
<pre><tt>apt get install dnsmasq</tt></pre>
<tt><br />* Update </tt><tt><tt>/etc/NetworkManager/NetworkManager.conf</tt><tt>:<br /></tt></tt>
<pre><tt><tt>[main]</tt></tt></pre>
<pre><tt><tt>...</tt></tt></pre>
<pre><tt>dns=dnsmasq</tt></pre>
<tt><br /></tt><tt>* Add a dnsmasq config file to /etc/NetworkManager/</tt><tt><code>dnsmasq.d/foo.conf
with your servers:</code></tt><br /><tt><code><tt><code><code>server=/foo.bar/bar.baz/1.2.3.4<br />
<br />
* Restart network manager:<br />
</code></code></tt></code></tt>
<pre><tt><code><tt><code><code>sudo service network-manager restart</code></code></tt></code></tt></pre>
<pre><tt><code><tt><code><code></code></code></tt></code></tt></pre>
<tt><code><code><br />
* You might have to stop and disable the dnsmasq and resolved
units:</code></code></tt><br />
<pre>sudo systemctl stop systemd-resolved dnsmasq
sudo systemctl disable systemd-resolved dnsmasq</pre>
<tt><code><code><br />
* You might also have to link /etc/resolv.conf to the network
manager generated one</code></code></tt>:<br />
<pre>sudo mv /etc/resolv.conf /etc/resolv.conf.orig
sudo ln -s /run/NetworkManager/resolv.conf /etc/resolv.conf</pre>
<tt><code><code><br />
-Dennis<br />
</code><br /><br /></code></tt>
<div class="moz-cite-prefix">On 1/8/20 2:37 PM, Ken D'Ambrosio wrote:</div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<pre class="moz-quote-pre">Hey, all. When I fire up my VPN, it re-writes my /etc/resolv.conf.
Shocker. But I *want* it to, because then all my DNS stuff is good for
my company. But it's NOT good for my personal domain. I'd like to have
that added to the search domains. I'm in Ubuntu; not sure if that
matters. From my reading:
* I can the search domains on a per-interface manner, but that seems
hokey, and subject to issues if I use something (e.g., Bluetooth) to be
my conduit to the 'Net.
* /etc/resolv.conf shouldn't be manually modified as it'll just get
overwritten (and I don't want to make it immutable because I want it to
change depending on whether I'm using VPN or no)
* /etc/dhclient/dhclient.conf (apparently) doesn't matter any more if
you're running NetworkManager
So, my question: is there an elegant, global way to set/append to my DNS
domain search list? Or am I just gonna wind up writing a daemon to wham
an resolv.conf in-place depending on the current network config?
Thanks,
-Ken
_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnhlug-discuss@mail.gnhlug.org" rel="noreferrer">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" target="_blank" rel="noopener noreferrer">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
<br /><br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">_______________________________________________<br />gnhlug-discuss mailing list<br /><a href="mailto:gnhlug-discuss@mail.gnhlug.org" rel="noreferrer">gnhlug-discuss@mail.gnhlug.org</a><br /><a href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" target="_blank" rel="noopener noreferrer">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a></div>
</blockquote>
<p><br /></p>
</body></html>