[systemd-devel] Cannot resolve DNS per interface

Lejia Chen monsoon.cl at gmail.com
Fri Mar 22 13:32:33 UTC 2019


Environment: Fedora 29, systemd version 241. (My NetworkManager uses
systemd-resolved as its DNS resolver.)

I set up a VPN, and my VPN created a virtual interface (named tun0). I use
iptables to mark some processes' packets and let these packets go through
this virtual interface.

I added a DNS server on this tun0 device, and I want those marked processes to
use this DNS server to resolve domains. I also want the other processes to use
my default network interface's (named enp7s0) DNS server to resolve domains.
That is, the marked processes should not use the enp7s0 interface's DNS, and
the other processes should not use the tun0 interface's DNS.

I have tried configuring my interface DNS settings many times, but I still
can't solve my problem. systemd-resolved always sends DNS resolve requests to
each of my interfaces' DNS servers (my tun0 DNS and my default network
device's DNS) in parallel. I checked this PR
(https://github.com/systemd/systemd/pull/11050), upgraded my systemd to 241
and tried to use the default route settings, but I still failed.

My current resolvectl status:
Global
       LLMNR setting: yes
MulticastDNS setting: yes
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
Fallback DNS Servers: 8.8.8.8
                      ...
          DNSSEC NTA: 10.in-addr.arpa
                      ...

Link 13 (tun0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 9.9.9.9
         DNS Servers: 9.9.9.9
          DNS Domain: ~.

Link 7 (enp7s0)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
          DNS Domain: ~.

I also tried removing all DNS domains and setting the default route setting to
yes per interface, but I still failed.

The commands I use to mark some processes for my tun0 interface:
# iptables -A OUTPUT -t mangle -m owner --gid-owner 1001 -j MARK --set-mark 1
# ip rule add fwmark 1 table 100
# ip route add table 100 default dev tun0
# iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

Is there any way to let my marked processes' DNS resolve requests go only
through my tun0 interface's DNS, and the others go through the enp7s0
interface's DNS? Thank you in advance.
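An added check, not part of the post or of systemd itself: it parses the resolvectl status output above and lists the links that both claim the root routing domain `~.` (or DefaultRoute=yes), which is what makes systemd-resolved fan every unscoped lookup out to both servers in parallel. The trimmed sample text is constructed from the post's output, and the `~corp.example` scope in the test is an assumed example domain.

```python
import re
# Constructed sample, trimmed from the per-link blocks of the resolvectl output in the post.
SAMPLE_STATUS = """\
Global
Fallback DNS Servers: 8.8.8.8
Link 13 (tun0)
DefaultRoute setting: no
         DNS Servers: 9.9.9.9
          DNS Domain: ~.
Link 7 (enp7s0)
DefaultRoute setting: no
         DNS Servers: 1.1.1.1
          DNS Domain: ~.
"""
LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /]*):\s*(?P<value>.*)$")  # IPv6 continuation lines don't match

def parse_links(status_text):
    """Parse `resolvectl status` text into {link: {servers, domains, default_route}}."""
    links, current, last_key = {}, None, None
    for raw in status_text.splitlines():
        line = raw.strip()
        m = LINK_RE.match(line)
        if m:
            current = links[m.group("name")] = {"servers": [], "domains": [], "default_route": False}
            continue
        if current is None:
            continue  # still inside the Global block
        km = KEY_RE.match(line)
        if km:
            last_key, value = km.group("key"), km.group("value")
        else:
            value = line  # wrapped continuation of the previous key's value list
        if last_key == "DNS Servers":
            current["servers"].extend(value.split())
        elif last_key == "DNS Domain":
            current["domains"].extend(value.split())
        elif last_key == "DefaultRoute setting":
            current["default_route"] = value == "yes"
    return links

def catch_all_links(links):
    """Links that receive every query with no more specific routing-domain match: those carrying
    the root domain '~.' or DefaultRoute=yes. With several, resolved queries them all in parallel."""
    return sorted(n for n, i in links.items() if "~." in i["domains"] or i["default_route"])

if __name__ == "__main__":
    links = parse_links(SAMPLE_STATUS)
    print("unscoped queries fan out in parallel to:", catch_all_links(links))
```

Scoping tun0 to a routing domain (for example `~corp.example`) sends only names under that domain to 9.9.9.9, while a per-process split cannot be expressed in resolved at all: the upstream queries are sent by the systemd-resolved daemon itself, so an owner-gid mangle rule on the application's gid never matches them.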