{"id":1058,"date":"2023-02-13T18:31:59","date_gmt":"2023-02-13T23:31:59","guid":{"rendered":"https:\/\/sunapi386.ca\/wordpress\/?p=1058"},"modified":"2023-02-13T22:19:47","modified_gmt":"2023-02-14T03:19:47","slug":"ubuntu-split-dns-with-systemd-resolved-resolvectl","status":"publish","type":"post","link":"https:\/\/sunapi386.ca\/wordpress\/ubuntu-split-dns-with-systemd-resolved-resolvectl\/","title":{"rendered":"ubuntu 22.04 split dns with systemd-resolved (resolvectl)"},"content":{"rendered":"\n

Let’s say we have our own dns server (e.g. with dnsmasq<\/code>) 10.7.0.1<\/code> – and we have some internal domains, such as something ending in sf<\/code> that we aim to resolve at that machine, we can edit vi \/etc\/systemd\/resolved.conf<\/code> to add <\/p>\n\n\n\n

DNS=8.8.8.8\nFallbackDNS=10.7.0.1<\/code><\/pre>\n\n\n\n
This way we can resolve by default with 8.8.8.8 and use the fallback if it cannot resolve. After modifying this file, systemctl restart systemd-resolved<\/code> to restart the service.<\/p>\n\n\n\n
root@host # resolvectl\nGlobal\n           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no\/unsupported\n    resolv.conf mode: foreign\n         DNS Servers: 1.1.1.1 8.8.8.8\nFallback DNS Servers: 10.7.0.1<\/code><\/pre>\n\n\n\n
Also <\/p>\n\n\n\n
resolvectl dns interface 10.7.0.1\nresolvectl domain interface ds<\/code><\/pre>\n\n\n\n
to add the dns for your vpn device. Where interface is the vpn interface such as wireguard. E.g. <\/p>\n\n\n\n
root@henderson \/h\/jason# resolvectl\nGlobal\n           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no\/unsupported\n    resolv.conf mode: foreign\n  Current DNS Server: 192.168.2.1\n         DNS Servers: 192.168.2.1\nFallback DNS Servers: 10.7.0.1\n\n[...omitted...]\n\nLink 8 (interface)\nCurrent Scopes: DNS\n     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no\/unsupported\n   DNS Servers: 10.7.0.1\n    DNS Domain: ds\n\n<\/code><\/pre>\n\n\n\n
Now you can ping something that resolves internal corporate VPN only, such as <\/p>\n\n\n\n
root@host # ping google.com\nPING google.com (172.217.13.142) 56(84) bytes of data.\n64 bytes from yul02s05-in-f14.1e100.net (172.217.13.142): icmp_seq=1 ttl=117 time=14.0 ms\n\nroot@host # ping glassbox.ds\nPING glassbox.ds (10.7.0.1) 56(84) bytes of data.\n64 bytes from 10.7.0.1 (10.7.0.1): icmp_seq=1 ttl=64 time=84.3 ms<\/code><\/pre>\n\n\n\n
This shows that the internal address works as well as public address. Note that the google DNS resolves to the closest server.<\/p>\n\n\n\n
Be aware<\/h2>\n\n\n\n
In vi<\/strong> \/etc\/resolv.conf<\/code><\/h2>\n\n\n\n
This file may override your config. Verify that nameserver 127.0.0.53<\/code> is listed in this file.<\/p>\n\n\n\n
Sometimes after reboot I find this file has been modified. I am still investigating the cause. Edit: ah found the cause. https:\/\/rakhesh.com\/linux-bsd\/wireguard-search-domain\/<\/a> This seems to indicate Wireguard config file can specify the DNS search domains. From the man-page:<\/p>\n\n\n\n
\n
DNS \u2014 a comma-separated list of IP (v4 or v6) addresses to be set as the interface\u2019s DNS servers, or non-IP hostnames to be set as the interface\u2019s DNS search domains. May be specified multiple times. Upon bringing the interface up, this runs \u2018resolvconf -a tun.INTERFACE<\/em> -m 0 -x\u2018 and upon bringing it down, this runs \u2018resolvconf -d tun.INTERFACE<\/em>\u2018. If these particular invocations of resolvconf<\/strong>(8) are undesirable, the PostUp and PostDown keys below may be used instead.<\/p>\n<\/blockquote>\n\n\n\n
Thus you could have the following line:<\/p>\n\n\n\n
DNS = 10.7.0.1, ds<\/code><\/pre>\n\n\n\n
And it is wireguard that is modifying \/etc\/resolv.conf<\/p>\n\n\n\n
After modifying this line, <\/p>\n\n\n\n
root@host # cat \/etc\/resolv.conf\n# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)\n#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN\n# 127.0.0.53 is the systemd-resolved stub resolver.\n# run \"systemd-resolve --status\" to see details about the actual nameservers.\n\nnameserver 10.7.0.1\nnameserver 127.0.0.53\nsearch ds home<\/code><\/pre>\n\n\n\n
Persist<\/h1>\n\n\n\n
Remember this? <\/p>\n\n\n\n
resolvectl dns interface 10.7.0.1\nresolvectl domain interface ds<\/code><\/pre>\n\n\n\n
In order to persist this, it seems we need to make the .network file and specify the domain to resolve there. Then I want to make my main interface resolve the rest of the domains.<\/p>\n\n\n\n