NetworkManager -dns issue after VPN connection DOWN

ngnix · 5 September 2020 17:34

Hey everyone,

i have one issue about Network Manager and VPN connection with remote DNS servers.
VPN type - L2TP+IPSEC, configured auto IPv4 settings.

My settings before i connected to VPN network:
cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8

After i connected to VPN network, Network Manager reconfigure DNS settings, this is fine:
nmcli connection
NAME UUID TYPE DEVICE
VPN-Office 46d96c71-ba0b-4d3d-b6b1-0f29302ab453 vpn enp3s0 <- is UP state

cat /etc/resolv.conf
Generated by resolvconf
nameserver 10.134.7.11
nameserver 10.134.7.12

But after disconnecting from the VPN network, settings do not return to their original state:
nmcli connection
NAME UUID TYPE DEVICE
VPN-Office 46d96c71-ba0b-4d3d-b6b1-0f29302ab453 vpn – <- is DOWN state

cat /etc/resolv.conf
nameserver 10.134.7.11
nameserver 10.134.7.12
nameserver 1.1.1.1
“# NOTE: the libc resolver may not support more than 3 nameservers.”
“# The nameservers listed below may not be recognized.”
nameserver 8.8.8.8

And i have slow DNS resolution problem, because the DNS servers obtained when connecting to the VPN are no longer available.
How i can resolve this issue?

NetworkManager -V
1.26.2-1
NetworkManager --print-config
NetworkManager configuration: /etc/NetworkManager/NetworkManager.conf (lib: 20-connectivity.conf)

[main]
‘#plugins=keyfile’
‘# rc-manager=symlink’
‘# auth-polkit=true’
‘# dhcp=internal’

[connectivity]
uri=http://www.archlinux.org/check_network_status.txt

[logging]
‘# backend=journal’
‘# audit=true’

‘# no-auto-default file "/var/lib/NetworkManager/no-auto-default.state’

Plugin and tools version:
networkmanager-l2tp 1.8.2-1
xl2tpd version: xl2tpd-1.3.15
strongSwan 5.9.0

Thanks.

xabbu · 5 September 2020 18:30

Find out which programs update your /etc/resolv.conf and configure them properly.

One example is to not use any program and use a static /etc/resolv.conf . You should not make the resolve file immutable.

Program that might edit your /etc/resolv.conf NetworkManager, systemd-resolved with systemd-resolvconf or openresolv. All 3 programs can be configured to stop updating /etc/resolv.conf or always use the same name servers. But do not mix them, use only one!

ngnix · 5 September 2020 18:36

So i don’t mix anything:
systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-resolved.service(8)

And i don’t use dnsmask:

systemctl status dnsmasq.service
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:dnsmasq(8)

Only one software generate resolv.conf - it’s Network Manager, and i can’t use static DNS configurations simultaneously without VPN and with VPN.

xabbu · 5 September 2020 19:28

If NetworkManager creates the /etc/resolv.conf , it always add in the first line

# Generated by NetworkManager

no execptions. If this line is not present it was not create by NetworkManager.

Maybe you modified the cat output, but it is not present in your first post.

This is strong evidence that not NetworkManager changed the /etc/resolv.conf

Again do not mix tools to modify /etc/resolv.conf !

The static /etc/resolv.conf was just one example to fix it. Since you are using global DNS Server, there is no DNS leaking with it. But of cousre if you need to use the VPN provided DNS server, this will not help.

ngnix · 5 September 2020 19:36

cat listing after VPN connections is DOWN:
[ngnix-pc ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.134.7.11
nameserver 10.134.7.12
nameserver 1.1.1.1
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 8.8.8.8
Yes, you’re right, i need use remote DNS servers (VPN side) if i connected to VPN, and i don’t use them if i disconnected from VPN network.

chomsky · 5 September 2020 20:03

I had this same issue with expressvpn but it never happened after I switched to mullvad so I think the VPN is at fault.

ngnix · 6 September 2020 03:35

Сonfiguration of network settings (and DNS servers) takes place on our side.
the behavior of DNS settings does not depend on the remote VPN side, the main thing is that we got them at all.

The current above issue only depends on the behavior of the Network Manager.

xabbu · 6 September 2020 06:41

How sure are you that the /etc/resolv.conf file while connecting to the VPN is created by NM? By the way, if installed remove openresolv and systemd-resolvconf , just to be sure.

However it might be a bug in networkmanager-l2tp . You should create a bug report.

In the meantime, I would use a NM dispatcher script to simply copy a working resolv.conf file to /etc/resolv.conf . It can be executed at vpn-down .
https://developer.gnome.org/NetworkManager/stable/NetworkManager.html

ngnix · 7 October 2020 07:02

We need change NM mode, all original issue here - https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/527

xabbu · 7 October 2020 15:48

So it is not a bug. Simply improper configuration of NM and resolvconf on your part.

Btw., you did not listen

F2CPP · 25 March 2021 20:02

In addition to xabbu’s advice, changes to /etc/resolv.conf are generally temporary: "If resolvconf is available DNS information will be sent to it, if not, then dhcpcd itself will write to /etc/resolv.conf. openresolv is a resolvconf implementation and "is most known for allowing multiple applications to modify /etc/resolv.conf"

To set DNS, add this to /etc/dhcpcd.conf:

static domain_name_servers=1.1.1.1 1.0.0.1

For more info, read this.