I have tried for hours to set up DNS resolution on an Ubuntu 18.04 with no success so far ....
I have an OpenVPN connection that is up and running and creates interface tun1. I do have some iptables rules defined that work as a kill switch, as follows:
iptables -F
...
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 9365 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9365 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j ACCEPT -m owner --gid-owner openvpn
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun1
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED
iptables -P OUTPUT DROP
iptables -P INPUT DROP
...
The main goal here is to allow traffic only through the VPN tunnel --> tun1. This works well.
However, after applying these rules, DNS resolution is not working anymore. I suspect it is not working because the DNS requests are not tunneled through tun1 but rather use eth0. Connections via IP are still successful, so there is no issue with the iptables rules.
I executed systemd-resolve --status, which shows me the following:
Link 5 (tun1)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 3 (wlan0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (eth0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.1.1
192.168.1.1 is my router and resolves DNS via 8.8.8.8. I want to change the scope of tun1 from none to DNS and add the IP address of the DNS server it should use. I have tried to make that happen for hours now and nothing has worked ...:
- Ubuntu 18.04 systemd-resolve doesn't read the /etc/resolv.conf properly
  I tried the answer from Mark which says to modify /etc/systemd/resolved.conf, which added my DNS server as global DNS server and was shown in systemd-resolve --status, but the DNS requests were still not performed over tun1 and were also not resolved over the newly added DNS server but still forwarded to 192.168.1.1.
- https://superuser.com/questions/1322045/how-to-persist-systemd-resolve-configuration-for-a-particular-network-interfac
  I tried the answer from Lubo Diakov which said to create a file in /etc/systemd/network/ with the configuration of the "link". I created the file but did however not follow his guide regarding the bridge as I do not understand what this is doing. Creating the file in /etc/systemd/network/ had no effect at all:
  [Match]
  Name=tun0
  [Resolve]
  DNS=<IP>
- How do I list DNS server order in systemd-resolve?
  I figured I would just change the priority of which DNS server is used. It seems not to be possible?!
As my ultimate goal is to tunnel my DNS traffic over my OpenVPN tunnel, I figured it might be an OpenVPN configuration issue:
- https://forums.openvpn.net/viewtopic.php?t=29461
  This also points to systemd-resolved as the cause, but no solution is available.
- Ubuntu 18.04 no DNS resolution when connected to openvpn
  Unfortunately, I can not use the answer that is marked as a solution here, as my VPN provider brings his own up/down scripts which I need to use. The solution is based on this blogpost: https://blog.syddel.uk/?p=253 . I would love to go with solution one that is provided in the blogpost, which is, as stated before, modifying /etc/systemd/resolved.conf, which is not working.
The main issue for me is to understand how all these parts work together. What do I need to do in order to achieve the goal that my DNS is eventually tunneled through tun1? Does someone have experience with this and has had similar issues while looking at the different "solutions" I have linked?
I hope that you can help; I feel quite exhausted by this ... .
PS: I do know that I could solve this by adding an iptables rule to allow traffic to my DNS server via other interfaces, but that's not what I want to do, and it would also be a DNS leak ... .
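The check below is an added example and is not part of the original post. It parses the shape of the systemd-resolve --status listing shown above, reports which link(s) actually carry the DNS scope, and compares that against the interface the kill switch allows (tun1 in the post). Both status samples embedded in it are constructed for the example; the resolver addresses 10.8.0.1 and 10.8.0.2 in the second sample are made up and stand in for whatever the VPN pushes.

```shell
#!/bin/sh
# Added example (not from the original post): a DNS-leak check that parses
# `systemd-resolve --status` output, reports which link(s) carry the DNS
# scope, and compares that with the interface the kill switch allows.
# All sample output below is constructed from the shape of the post's own
# listing; on a real host use: STATUS="$(systemd-resolve --status)".

# Constructed sample 1: the situation in the post (DNS scope on eth0 only).
SAMPLE_STATUS='Link 5 (tun1)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (eth0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1'

# Constructed sample 2: DNS scope moved onto tun1 with two made-up resolver
# addresses; eth0 still lists the router but no longer carries the DNS scope.
SAMPLE_STATUS_FIXED='Link 5 (tun1)
      Current Scopes: DNS
       LLMNR setting: yes
      DNSSEC setting: no
         DNS Servers: 10.8.0.1
                      10.8.0.2
          DNS Domain: ~.

Link 2 (eth0)
      Current Scopes: none
       LLMNR setting: yes
         DNS Servers: 192.168.1.1'

# dns_scope_links STATUS_TEXT
# Prints "<link> <server...>" for every link whose "Current Scopes" contains
# DNS. Only those links are ever queried by systemd-resolved, so a link that
# merely lists servers but has scope "none" is ignored (exactly the post's case).
dns_scope_links() {
    printf '%s\n' "$1" | awk '
        function emit() {
            if (link != "" && scopes ~ /DNS/)
                print link, (servers == "" ? "-" : servers)
        }
        /^Link [0-9]+ \(/ {
            emit()
            match($0, /\(.*\)/)
            link = substr($0, RSTART + 1, RLENGTH - 2)
            scopes = ""; servers = ""; in_servers = 0
            next
        }
        /Current Scopes:/ { sub(/.*Current Scopes: */, ""); scopes = $0; in_servers = 0; next }
        /DNS Servers:/    { sub(/.*DNS Servers: */, "");    servers = $0; in_servers = 1; next }
        # continuation lines of a multi-server list are indented bare addresses
        in_servers && /^[ \t]+[0-9A-Fa-f.:]+[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, ""); servers = servers " " $0; next
        }
        { in_servers = 0 }
        END { emit() }'
}

# dns_leak_check TUNNEL_IF STATUS_TEXT
# Returns 0 when every link carrying the DNS scope is TUNNEL_IF, 1 when some
# other link carries it (queries would leave outside the tunnel; under the
# post's kill switch they are simply dropped, which is why resolution stops),
# and 2 when no link carries the DNS scope at all.
dns_leak_check() {
    tunnel_if="$1"
    found=0
    leak=0
    while read -r link servers; do
        [ -n "$link" ] || continue
        found=$((found + 1))
        if [ "$link" = "$tunnel_if" ]; then
            printf 'ok:   DNS scope on %s via %s\n' "$link" "$servers"
        else
            printf 'LEAK: DNS scope on %s via %s, not on %s\n' "$link" "$servers" "$tunnel_if"
            leak=1
        fi
    done <<EOF
$(dns_scope_links "$2")
EOF
    if [ "$found" -eq 0 ]; then
        printf 'no link carries the DNS scope: resolution cannot work at all\n'
        return 2
    fi
    return "$leak"
}

# Run both constructed samples when executed directly.
dns_leak_check tun1 "$SAMPLE_STATUS" || :
dns_leak_check tun1 "$SAMPLE_STATUS_FIXED" || :
```

On the post's own listing the check reports the DNS scope on eth0, which is the leak the kill switch is (correctly) blocking. The usual 18.04 remedy, and an assumption here rather than something verified against the provider's up/down scripts, is to give tun1 its own per-link resolver and a catch-all routing domain from the tunnel's up script, e.g. systemd-resolve --interface tun1 --set-dns <VPN DNS IP> --set-domain ~. ; re-running the check afterwards should then print the "ok" line for tun1 only.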