No, I suggest you stop using resolv.conf mode: foreign.
Ah, well that is the default configuration at least for my system. I have experimented with different settings but I have reverted back to the default configuration.
Here is the output of resolvectl status before I connect to the VPN:
$ resolvectl status
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp4s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
DNS Servers: 192.168.0.1
Link 3 (wlp3s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 5 (virbr0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 6 (virbr0-nic)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
And here it is after connecting to the VPN:
$ resolvectl status
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Current DNS Server: 192.168.100.1
DNS Servers: 192.168.100.1 192.168.110.5
DNS Domain: work.com
Link 2 (enp4s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
DNS Servers: 192.168.0.1
Link 3 (wlp3s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 5 (virbr0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 6 (virbr0-nic)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 17 (cscotun0)
Current Scopes: LLMNR/IPv4
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Another strange behavior is that after I disconnect from the VPN, I still cannot connect to work.com public servers (mail, www, etc.). In order to restore this connectivity, I have to restart systemd-resolved.
Here is resolvectl status before I restart systemd-resolved and after disconnecting from the VPN (only showing pertinent interfaces):
$ resolvectl status
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.110.5
DNS Servers: 192.168.100.1 192.168.110.5
DNS Domain: work.com
Link 2 (enp4s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
DNS Servers: 192.168.0.1
More information: when I am connected to the VPN, Anyconnect overwrites /etc/resolv.conf to be this:
$ cat /etc/resolv.conf
domain work.com
nameserver 192.168.100.1
nameserver 192.168.110.5
search work.com
And I cannot change it because it appears to be constantly overwritten by Anyconnect. After I disconnect from the VPN, the link to /run/systemd/resolve/stub-resolv.conf is restored.
Finally, one other bit of odd/new behavior with Fedora 33. With Fedora 32 I was able to connect to the VPN and also connect to the VPN with my work-provided Windows laptop. Since upgrading to Fedora 33, if I am connected to the VPN with my work laptop and I attempt to connect to the VPN with my home Fedora 33 computer, it kills the laptop’s connection to the VPN.
Please let me know if you want to see any of my configuration files.
Thanks for all the help,
Mike
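
An added example, not part of Mike's post: a small check that compares the Global section of two `resolvectl status` snapshots and reports DNS settings left behind after the VPN disconnects. The function names are hypothetical, and the sample text is constructed from the outputs quoted above, with indentation as it appears on this page.

```python
import re

# Constructed sample input: the two "Global"/enp4s0 outputs quoted in the post
# (before the VPN, and after disconnecting but before restarting resolved).
BEFORE_VPN = """Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp4s0)
Current DNS Server: 192.168.0.1
DNS Servers: 192.168.0.1
"""
AFTER_DISCONNECT = """Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.110.5
DNS Servers: 192.168.100.1 192.168.110.5
DNS Domain: work.com
Link 2 (enp4s0)
Current DNS Server: 192.168.0.1
DNS Servers: 192.168.0.1
"""

SECTION = re.compile(r"^(Global|Link \d+ \(.+\))$")
# "Key: value"; the space after the colon keeps IPv6 continuation lines out.
FIELD = re.compile(r"^([A-Za-z][A-Za-z. ]*):\s+(.*)$")

def parse_status(text):
    """Parse `resolvectl status` text into {section: {key: value}}."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            current, last = sections.setdefault(line, {}), None
        elif current is not None and (m := FIELD.match(line)):
            last = m.group(1)
            current[last] = m.group(2)
        elif current is not None and last and line:
            current[last] += " " + line  # wrapped list, e.g. extra DNS servers
    return sections

def residual_global(before, after):
    """Global DNS settings in `after` that differ from the `before` baseline."""
    b = parse_status(before).get("Global", {})
    a = parse_status(after).get("Global", {})
    keys = ("resolv.conf mode", "Current DNS Server", "DNS Servers", "DNS Domain")
    return {k: a[k] for k in keys if k in a and a[k] != b.get(k)}

if __name__ == "__main__":
    for key, value in residual_global(BEFORE_VPN, AFTER_DISCONNECT).items():
        print(f"Global still has {key}: {value}")
```

To use it on a live system, save `resolvectl status` to a file before connecting and again after disconnecting, then pass both texts to `residual_global`.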