[Dnsmasq-discuss] DBus API

Dan Williams dcbw at redhat.com
Thu May 21 19:12:31 BST 2015


On Thu, 2015-05-21 at 13:17 -0400, Tom Metro wrote:
> I'm attempting to use DBus to set up DNS for a split-tunnel VPN using an
> environment similar to the one described in this posting:
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q2/008541.html
> 
> with Ubuntu 14.10 and NetworkManager wrapped around Dnsmasq. I've run
> into some similar issues as that poster had.
> 
> The main one seems to be that the Dnsmasq's SetDomainServers (and
> similar) DBus methods seem to be designed with the assumption that with
> any given installation you will have only one VPN active, or a base
> configuration using non-DBus methods and one split-tunnel VPN.
> 
> I'm inferring this because SetServers and SetServersEx (and although not
> explicitly documented as such, in practice it seems SetDomainServers as
> well) are documented as "Each call to SetServers [or SetServersEx]
> completely replaces the set of servers specified by via the DBus, but it
> leaves any servers specified via the command line or /etc/dnsmasq.conf
> or /etc/resolv.conf alone."
> 
> The problem with the NetworkManager usage is that it doesn't use
> /etc/resolv.conf to store upstream servers nor use a Dnsmasq config
> file. It obtains the upstream servers from dhclient, then tells Dnsmasq
> about them via DBus.
> 
> Consequently, if you bring up a split-tunnel VPN, and set a DNS server
> for it via DBus, it wipes out the base configuration.
> 
> The above referenced thread mentions that NetworkManager has built-in
> support for split-tunnels, but that presumes NetworkManager supports the
> type of VPN connection you are using. (I'm connecting to a Juniper VPN
> that is only supported by a bleeding edge version of OpenConnect.)
> 
> I'm sure there are ways around this on the NetworkManager side. Perhaps
> some way to tell NetworkManager the additional DNS servers, and then let
> it manage Dnsmasq by sending all the servers in one batch. (I'm open to
> pointers if anyone knows how to do that.) But I'm posting to 1. confirm
> that my understanding of Dnsmasq's DBus API is correct, and 2. to
> ask: does it make sense that the API assumes there will never be a use
> case for incremental additions (and removal) of DNS servers? What if the
> user has multiple split-tunnel VPNs?
> 
> My expectation is that a DBus caller ought to be able to set upstream
> servers one at a time, choosing whether to incrementally add them or
> supplant existing servers. (And ideally, there should be a documented
> mechanism for removing those entries.)

NM spawns a private dnsmasq though, so it is going to be under NM's
control and isn't really intended to be a "system wide" dnsmasq that
anything can talk to.  In this case, since NM is not able to effectively
manage resolv.conf itself (since there are some external programs that
need to adjust DNS information) you'll probably need something like
resolvconf.  Unfortunately, I don't think resolvconf can do split DNS
either.

The longer term solution here for NM is to enhance its DNS plugin
interface so that it can dump the whole set of split DNS to plugins or
scripts and let them do whatever they want, instead of having only a C
API.  Then you'd set dns=none in NM's config and manage resolv.conf and
dnsmasq on your own, by combining information from all sources (where NM
is simply one) and pushing that to your own dnsmasq.

For the short term, NM does have an /etc/NetworkManager/dnsmasq.d
directory where you can toss dnsmasq config files, which NM will pass to
dnsmasq when it spawns it.  Unfortunately, because D-Bus gets used on
Ubuntu and dnsmasq isn't respawned on changes, that won't work for you.
Ideally, dnsmasq would get some kind of SIGHUP-like signal that *would*
re-read config files too, and then you could dump your info there and
SIGxxx it and everything would be fine.

Dan
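
Added example, not part of the original thread and not NetworkManager or dnsmasq code: one way to do the "combine information from all sources and push it in one batch" approach described above, given that each SetDomainServers call replaces everything previously set over D-Bus. It assumes the --server string syntax ("/domain/ip" or a bare ip) that dnsmasq documents for SetDomainServers; the class, the source names and the addresses are hypothetical, and the D-Bus call itself is left out so the code runs offline.

```python
import ipaddress

class UpstreamSet:
    """Per-source DNS server lists, rendered as one complete batch."""

    def __init__(self):
        self._by_source = {}  # hypothetical source name -> [(domain|None, ip)]

    def set_source(self, source, servers):
        """Replace the entries owned by one source (DHCP, a VPN, ...)."""
        checked = []
        for domain, ip in servers:
            ipaddress.ip_address(ip)  # ValueError on a malformed address
            if domain is not None:
                domain = domain.strip(".").lower()
                if not domain or "/" in domain:
                    raise ValueError(f"bad domain for {source}: {domain!r}")
            checked.append((domain, ip))
        self._by_source[source] = checked

    def remove_source(self, source):
        """Drop a source, e.g. when its VPN goes down."""
        self._by_source.pop(source, None)

    def render(self):
        """Every server from every source, in --server syntax, de-duplicated."""
        out = []
        for source in sorted(self._by_source):
            for domain, ip in self._by_source[source]:
                entry = f"/{domain}/{ip}" if domain else ip
                if entry not in out:
                    out.append(entry)
        return out

def demo():
    # Constructed sample data: documentation and private address ranges.
    s = UpstreamSet()
    s.set_source("dhcp", [(None, "192.0.2.53")])
    s.set_source("vpn-a", [("corp.example", "10.8.0.1")])
    s.set_source("vpn-b", [("lab.example", "10.9.0.1")])
    both_up = s.render()
    s.remove_source("vpn-a")
    return both_up, s.render()

if __name__ == "__main__":
    for batch in demo():
        print(batch)  # each list would be the argument of one SetDomainServers call
```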



