[Dnsmasq-discuss] NXDOMAIN problems with open VPN

Tom Metro tmetro+dnsmasq at gmail.com
Tue Apr 21 07:33:11 BST 2009


Eric S. Johansson wrote:
> When I query for a remote name, everything works fine.  But when I
> query for a local name, I get NXDOMAIN.
> 
> would it make sense to run a local dnsmasq and filter out the
> erroneous NXDOMAIN references from the  name servers pointed to by
> resolv.conf?

I ran into this as well. The solution was to set up a local instance of 
Dnsmasq on the workstation, and take advantage of the --server directive 
to declare domain specific DNS servers.

I was following an OpenVPN tutorial[1], which recommended installing 
resolvconf, but that did absolutely nothing to help the breakage of my 
split-horizon DNS setup. I later ran across openresolv[2], which 
includes scripting to update Dnsmasq's --server directives via DBus when 
the VPN goes up and down.

Though the "out of the box" setup still isn't quite there and needs some 
fixes to work correctly. I originally set up a machine using this in 
January, and got it working well enough to get a project done, but have 
been meaning to come back and fix the rough edges and contribute the 
fixes back to openresolv. As I recall, even with openresolv I ended up 
using a static --server entry pointing to my local server, even though 
in theory it should be possible to get that to work automatically.

1. http://ubuntuforums.org/showthread.php?t=1021592
2. http://roy.marples.name/projects/openresolv/


> I think this is an important problem because it's going to occur any
> time you use open VPN and have both local and remote DNS servers.

I think users unknowingly have their DNS resolution hijacked by VPN 
specified servers all the time, but just never realize it because both 
their normal and the VPN specified DNS servers are able to resolve 
public names. Most end-users running a VPN don't have a local resolver 
with private names, so they don't notice the problem.

Regardless of whether it ends up working OK most of the time, I think 
this behavior is flawed, and the /etc/resolv and resolvconf 
infrastructure should be fixed. Ideally, there should be one place to 
specify a pool of redundant servers for public names, and any other 
servers should be added with a domain scope.

One of the challenges is that Linux (assuming that's what you're using) 
doesn't have native support for domain-specific DNS servers. I've read 
that this is something built-in to OS X via their lookupd daemon[3]. You 
drop an /etc/resolv.conf style file into a location like 
/etc/resolver/domain.com and it specifies which server to use to resolve 
domain.com names.

I did run across a lookupd port[4] to Linux, but the project seemed 
dead. Might be a concept worth adopting in Dnsmasq, seeing as it is 
becoming the favorite glue to fix the trickier resolver problems.

3. http://www.macosxhints.com/article.php?story=2004062902195410
4. http://savannah.nongnu.org/projects/lookupd


richardvoigt at gmail.com wrote:
> Set /etc/resolv.conf to the local dnsmasq (nameserver 127.0.0.1)
> Set openvpn to store its information to /etc/resolv.conf.vpn
> Tell dnsmasq to read the server list from /etc/resolv.conf.vpn

That won't cut it, as openvpn will overwrite your local DNS servers with 
the one provided by the remote network, and you'll again be cut off from 
the local domains. You need to also add the --server directive 
statically, or set dynamically via openresolv.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
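The scheme discussed in this thread (resolv.conf pointing at a local Dnsmasq, OpenVPN writing its pushed resolvers to a separate file, and Dnsmasq given domain-scoped --server directives so the VPN's resolvers cannot hijack local names) can be illustrated with a small script. This is an added example, not code from the post, from Dnsmasq or from openresolv; the file paths, domains and addresses are constructed placeholders, and the only real Dnsmasq syntax it relies on is `server=/domain/address`, `server=address`, `no-resolv` and `listen-address`.

```python
"""
Added example: convert a resolv.conf written by an OpenVPN up-script into
domain-scoped dnsmasq --server directives.  VPN-pushed resolvers are only
consulted for the VPN's search domains; a static, scoped entry keeps the
LAN resolver authoritative for the local domain, and unscoped public
resolvers handle everything else.  All names/addresses are constructed.
"""

import ipaddress

# Constructed sample of what OpenVPN might write to /etc/resolv.conf.vpn
# (hypothetical path and content; 10.8.0.0/24 is a typical OpenVPN range).
RESOLV_CONF_VPN = """\
# generated by openvpn (constructed sample)
search corp.example
nameserver 10.8.0.1
nameserver 10.8.0.2
nameserver not-an-address   # malformed line, must be ignored
"""

# Static scoped entry for the LAN resolver the VPN must never override.
STATIC_SERVERS = ["server=/home.lan/192.168.1.1"]

# Unscoped resolvers for public names (TEST-NET-1 address as placeholder).
PUBLIC_SERVERS = ["server=192.0.2.53"]


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf-style text.

    Comments (# or ;) are stripped, and nameserver lines whose value is not
    a valid IP address are skipped rather than passed through to dnsmasq.
    """
    domains, nameservers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) == 2:
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                continue
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            domains.extend(d.rstrip(".") for d in parts[1:])
    return domains, nameservers


def scoped_server_lines(domains, nameservers):
    """dnsmasq lines restricting each VPN resolver to the VPN's domains."""
    if not domains:
        # Without a search domain there is nothing to scope by; refuse rather
        # than silently make the VPN resolver answer for every name.
        raise ValueError("VPN resolv.conf has no search/domain line")
    return [f"server=/{d}/{ns}" for ns in nameservers for d in domains]


def build_server_lines(vpn_text):
    """Full ordered list of server= directives for the local dnsmasq."""
    domains, nameservers = parse_resolv_conf(vpn_text)
    return STATIC_SERVERS + scoped_server_lines(domains, nameservers) + PUBLIC_SERVERS


def build_dnsmasq_conf(vpn_text):
    """Render a dnsmasq configuration fragment as text."""
    header = [
        "# generated from the VPN resolv.conf (added example)",
        "listen-address=127.0.0.1",
        # /etc/resolv.conf points at 127.0.0.1, so dnsmasq must not read it
        # or it would forward queries to itself.
        "no-resolv",
    ]
    return "\n".join(header + build_server_lines(vpn_text)) + "\n"


if __name__ == "__main__":
    print(build_dnsmasq_conf(RESOLV_CONF_VPN), end="")
```

With `/etc/resolv.conf` containing only `nameserver 127.0.0.1`, the generated fragment makes Dnsmasq forward `corp.example` names to the VPN resolvers, `home.lan` names to the LAN resolver, and everything else to the unscoped public entry, regardless of what OpenVPN later rewrites; an up/down hook would regenerate the fragment and signal Dnsmasq to reload it.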
