[systemd-devel] systemd-resolved not working in a realistic scenario

Petr Menšík pemensik at redhat.com
Tue May 2 18:20:28 UTC 2023 

Hi Farkas,

I think you need more traditional dns cache like dnsmasq or unbound. I 
don't think there is a good syntax to configure per-domain nameservers, 
which would be implementation independent. I think the way to go would 
be to make forwarding declarations on VPN provided nameservers. It would 
work well with autoconfiguration, systemd-resolved would be able to 
configure it.

In other words, do not bring the complexity to clients with resolved. 
Instead, just list all domains with special nameservers in VPN 
dns.search. Prefix them with ~ to avoid using them to search. Just 
ensure VPN only domain names are sent to VPN provided DNS. Let proper 
DNS implementations handle forwarding internally, with possible caching.

That way, you will have on client just set of domains coming from the 
interface and set of servers handling them. Forwarding to specific 
nameservers for every domain would be handled only at dns resolvers of 
VPN, not client side.

Just configure both 1.2.3.4 and 5.6.7.8 to forward all names valid for 
the VPN. Domains not authoritative on them forward away. If not 
possible, create one cache instance with all forwards, which only would 
be offered by VPN connection. Even when dnsmasq or unbound would be able 
to configure those domains, there is no good auto-configuration protocol 
to make it working out of the box. You would need prepare manual 
configuration solution, which would be difficult to handle in all cases. 
Especially for mobile devices. I think it would be easier to manage, 
especially long term.

Just my 2 cents

Petr


On 27. 04. 23 14:46, Farkas Levente wrote:
> Hi,
>
> I already read many docs about systemd-resolved, but still to able to 
> solve my very simple use case for name resolution.
>
> Suppose we've two (not only one!) private/internal domain and both of 
> them have a separate dns server. eg:
> - domain: a.com dns: 1.2.3.4
> - domain: b.com dns: 5.6.7.8
>
> Assume we use a vpn and we only access to these domains and dns 
> servers only when we connect to the vpn. What's more we use some 
> wireguard vpn solutions like tailscale, netbird or netmaker. This is 
> important since these has it's own internal dns servers and domains. 
> The dns servers usually listen on the local ip address of the 
> wireguard interface eg:
> - domain: netbird.cloud dns: 100.76.1.2
>
> This means i've 2 interface:
> - enp6s0 (lan)
> - wt0 (wireguard)
>
> What I'd like to achieve:
> - if the vpn is not connected
>   - all dns query goes to 8.8.8.8
> - if vpn is connected:
>   - netbird.cloud goes to 100.76.1.2
>   - a.com goes through wt0 to 1.2.3.4
>   - b.com goes through wt0 to 5.6.7.8
>   - all other domain goes to 8.8.8.8
>   - and of course my search domains netbird.cloud a.com b.com
>
> as far as i see systemd-resolved assume all dns on the same interface 
> has the same role and serve the same domains (which is not true in 
> this case). if I start systemd-netword i've only one list for DNS and 
> one for domains. Even though I can define
> DNS=100.76.1.2%wt0#netbird.cloud 1.2.3.4%wt0#a.com 5.6.7.8%wt0#b.com
> but it's not working. And if I also add
> Domains=netbird.cloud a.com b.com
> that's not help either.
>
> So can I configure more domain to different dns server(s) on the same 
> interface or not? How can I configure more dns servers for one domain? 
> eg a.com can have 2 dns servers?
>
> What's more if it's as laptop and I can go to the office where the 
> a.com and b.com domain no longer required to route (since these are 
> the internal domains) BUT the vpn connection still required and the 
> netbird.cloud domain still should have to be resolved on the wt0 
> interface, than I can't put this into network interface specific 
> .network config file since the wt0 is up both at the office and at home.
>
> IMHO this is a very realistic setup where i've more than one domain 
> and more then one dns servers.
>
> Is it currently not possible or just way too complicated?
>
> Thanks in advance.
>
> Regards.
>
>
> ps. anyway this 1.2.3.4%wt0#a.com configuration reminds me to the old 
> sendmail config files. which was so cryptic that no one can configure.
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

More information about the systemd-devel mailing list