Network Manager, Dnssec and VPN

I want dnssec resolution on my desktop fedora.
sudo dnf install unbound dnssec-trigger
sudo systemctl enable unbound
sudo systemctl start unbound dnssec-trigger

sudo vi /etc/NetworkManager/NetworkManager.conf
add dns=unbound in the [main] section
sudo systemctl restart NetworkManager

/etc/resolv.conf contains 127.0.0.1, so unbound is used to resolve. Cool!!!

Before that I would get resolv.conf populated by DHCP.

I'm using OpenVPN and it pushes something like:
domaine.xxxx domain.yyyy
10.X.X.X
10.Y.X.X

When dnssec-trigger manages resolv.conf, I can't resolve internal names anymore. Is there a way to configure unbound+NetworkManager+dnssec-trigger so that when the VPN is up I can resolve names using the 10.X / 10.Y DNS entries?


You can either ignore DNS from the VPN connection:

nmcli connection modify VPN_CON ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes

Or use split-DNS and DNSSEC via systemd-resolved:

sudo systemctl --now enable systemd-resolved.service
sudo ln -r -s -f /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
sudo systemctl restart NetworkManager.service
resolvectl status
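A third option, staying with the unbound + NetworkManager setup the question describes rather than switching to systemd-resolved: a NetworkManager dispatcher script that, when the VPN comes up, adds per-zone forwards in the running unbound for the domains the VPN pushed, pointing at the VPN's nameservers, and removes them on vpn-down. This is an added example, not code from the thread or from the unbound or dnssec-trigger projects. It assumes NetworkManager exports the pushed domains and nameservers to dispatcher scripts as the space-separated variables VPN_IP4_DOMAINS and VPN_IP4_NAMESERVERS, that unbound-control has been set up with unbound-control-setup, that the dispatcher script lives at a path such as /etc/NetworkManager/dispatcher.d/50-vpn-unbound-forward (hypothetical), and that the internal zones are not DNSSEC-signed, which is why the forwards are added with +i (the UNBOUND_CONTROL override and the sample domains used in testing are constructed).

```shell
#!/bin/sh
# Hypothetical path: /etc/NetworkManager/dispatcher.d/50-vpn-unbound-forward
# Added example (not from the original thread). Assumes NetworkManager passes
# the interface as $1, the action as $2, and exports VPN_IP4_DOMAINS and
# VPN_IP4_NAMESERVERS (space-separated) on vpn-up / vpn-down.
# UNBOUND_CONTROL can be overridden (assumption) so the script can be
# exercised without a running unbound.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# add_forwards "dom1 dom2" "ns1 ns2"
# For every pushed domain, tell the running unbound to forward queries
# for that zone to the VPN nameservers. +i also marks the zone
# "domain-insecure": an unsigned internal zone would otherwise be a
# validation failure and every internal name would SERVFAIL. Drop +i if
# the internal zone really is DNSSEC-signed and its chain of trust reaches
# the root.
add_forwards() {
    domains=$1
    nameservers=$2
    [ -n "$domains" ] && [ -n "$nameservers" ] || return 0
    for d in $domains; do
        "$UNBOUND_CONTROL" forward_add +i "$d" $nameservers || return 1
    done
}

# remove_forwards "dom1 dom2"
# Undo add_forwards when the VPN goes down, so internal names do not keep
# being sent to nameservers that are no longer reachable.
remove_forwards() {
    domains=$1
    for d in $domains; do
        "$UNBOUND_CONTROL" forward_remove +i "$d" || return 1
    done
}

case "$2" in
    vpn-up)   add_forwards "$VPN_IP4_DOMAINS" "$VPN_IP4_NAMESERVERS" ;;
    vpn-down) remove_forwards "$VPN_IP4_DOMAINS" ;;
esac
```

After the VPN is up, `unbound-control list_forwards` should list one line per pushed domain, and `dig +dnssec host.domaine.xxxx` should answer without the AD flag (the zone was marked insecure) while public names keep validating. Because dnssec-trigger only manages unbound's global forwarders, these per-zone forwards coexist with it; run `unbound-control flush_zone domaine.xxxx` if a negative answer was cached before the forward was added.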