I have configured a split tunnel VPN to connect my home computer to my corporate network. I can simultaneously ping internet hosts (by name) and corporate servers (but only by address, not name).
tracepath confirms the traffic is using the appropriate interface, too. But I cannot resolve any hosts on the corp net by DNS. However, I can ping the corp net DNS server (at 192.168.0.253, for example), and `nslookup sample.corp.local 192.168.0.253` resolves:

```
Server:         192.168.0.253
Address:        192.168.0.253#53

Name:   sample.corp.local
Address: 192.168.0.228
```
Digging into this, I see that network name resolution doesn’t change when I activate the VPN connection, although the PPP link does receive the names of the corp net DNS servers (and an IP address from the corp net) (below).
This is apparently already a known issue with network-manager package.
I have tried the workaround described in the thread of installing dnscrypt-proxy, but that is not working for me and I don’t know how to even start debugging it. Suggestions on that would be appreciated.
The thread also mentioned the possibility of killing the dnsmasq process and letting it restart, but I do not see any such process running on 19.04.
I have also tried hard-coding the DNS info in a .network file, but that broke DNS resolution on both links. Advice on what I did wrong there would be appreciated.
```
[Match]
Name=ppp*

[Network]
Description=VPN to corp net
DNS=192.168.0.254
Domains=corp.local
```
Ideally, I’d have names in corp.local domain be resolved by corp net DNS servers while lookups for names in internet domains would be set out the internet link and resolved directly by global DNS servers, but I’ll settle for sending all requests to the corporate network DNS servers. This is not a censorship scenario.
I’m running Ubuntu 19.04, network-manager-l2tp-gnome from the Canonical repository and connecting to a Cisco Meraki client VPN using this recommended VPN config.
With VPN active on PPP0, `$ resolvectl status` shows:

```
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 6 (ppp0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (enp30s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 2600:1700:2d61:ca0::1
         DNS Servers: 127.0.0.2
                      2600:1700:2d61:ca0::1
          DNS Domain: ~.
                      attlocal.net
```
`$ cat /etc/ppp/resolv.conf` shows:

```
nameserver 192.168.0.253
nameserver 192.168.1.253
```
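As an added example (not from the question or any answer to it), the following script parses the `resolvectl status` output above, flags a VPN link that has no DNS scope attached, and builds the per-link `resolvectl` commands that would give ppp0 the corp servers and route only `corp.local` lookups to it while everything else keeps the default route on enp30s0. The sample text is a trimmed, constructed copy of the output above; the `resolvectl dns`, `domain` and `default-route` verbs are assumed available (systemd-resolved 240 or later).

```python
import re

# Constructed sample: a trimmed copy of the `resolvectl status` output in the question.
SAMPLE_STATUS = """\
Global
       LLMNR setting: no

Link 6 (ppp0)
      Current Scopes: none
DefaultRoute setting: no

Link 2 (enp30s0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 2600:1700:2d61:ca0::1
         DNS Servers: 127.0.0.2
                      2600:1700:2d61:ca0::1
          DNS Domain: ~.
                      attlocal.net
"""

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

def parse_status(text):
    """Return {link_name: {field: [values]}} from `resolvectl status` output."""
    links, cur, key = {}, None, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:                                   # start of a "Link N (name)" block
            cur, key = links.setdefault(m.group("name"), {}), None
            continue
        if cur is None or not line.strip():     # Global block or blank separator
            continue
        m = FIELD_RE.match(line)
        if m:                                   # "Field: value" line
            key = m.group("key").strip()
            cur[key] = [m.group("val")] if m.group("val") else []
        elif key:                               # indented continuation (2nd server/domain)
            cur[key].append(line.strip())
    return links

def missing_dns_links(links, prefix="ppp"):
    """VPN links that are up but have no DNS scope (the symptom in the question)."""
    return [n for n, f in links.items()
            if n.startswith(prefix) and f.get("Current Scopes") == ["none"]]

def split_tunnel_commands(link, servers, domain):
    """Commands that attach `servers` to `link` and route only `domain` to it."""
    return [f"resolvectl dns {link} {' '.join(servers)}",
            f"resolvectl domain {link} {domain}",          # routing + search domain
            f"resolvectl default-route {link} false"]      # other names stay on enp30s0

if __name__ == "__main__":
    for link in missing_dns_links(parse_status(SAMPLE_STATUS)):
        print("\n".join(split_tunnel_commands(link, ["192.168.0.253", "192.168.1.253"], "corp.local")))
```

Running the printed commands from an `/etc/ppp/ip-up.d/` hook would apply them each time the PPP link comes up; `resolvectl status` should then show `Current Scopes: DNS` and `DNS Domain: corp.local` on ppp0.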