wireguard: connection dns servers are not pushed to systemd-resolved
When I import a WireGuard config file that contains DNS servers, those DNS servers make it fine into the NetworkManager connection:
```
[:~] $ grep DNS /tmp/msvpn.conf
DNS = 87.238.33.1, 2a02:c0::1
[:~] $ nmcli con import type wireguard file /tmp/msvpn.conf
Connection 'msvpn' (fb2e91d6-83b6-4698-bf79-d7725c52fd99) successfully added.
[:~] $ nmcli con show msvpn | grep dns
connection.mdns: -1 (default)
ipv4.dns: 87.238.33.1
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.ignore-auto-dns: no
ipv6.dns: 2a02:c0::1
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.ignore-auto-dns: no
```
However, these DNS servers are for some reason not pushed to systemd-resolved:
```
[:~] 1 $ resolvectl status msvpn
Link 19 (msvpn)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
```
This in turn results in all DNS queries failing:
```
[:~] $ resolvectl query fud.no
fud.no: resolve call failed: All attempts to contact name servers or networks failed
```
Why? Because systemd-resolved falls back on using the ISP name servers through the tunnel. However, the ISP name servers refuse queries originating from outside their own network ranges, so that does not work:
```
[:~] 1 $ resolvectl status wwp0s20f0u3c3
Link 14 (wwp0s20f0u3c3)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 193.213.112.4
DNS Servers: 193.213.112.4
             130.67.15.198
             2001:4600:4:fff::52
             2001:4600:4:1fff::52
DNS Domain: ~.
[:~] $ sudo tcpdump -ni msvpn port 53 -c 10
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on msvpn, link-type RAW (Raw IP), capture size 262144 bytes
22:52:17.764631 IP 100.64.255.1.48768 > 193.213.112.4.domain: 25374+% [1au] AAAA? push.services.mozilla.com.fud.no. (84)
22:52:17.818677 IP 193.213.112.4.domain > 100.64.255.1.33145: 45171 Refused- 0/0/1 (65)
22:52:17.819202 IP 100.64.255.1.53130 > 130.67.15.198.domain: 45171+% [1au] A? mattermost.redpill-linpro.com.fud.no. (88)
22:52:17.821672 IP6 2001:4600:4:1fff::52.domain > 2a02:c0:2:7::1.54603: 38306 Refused- 0/0/1 (65)
22:52:17.822093 IP6 2a02:c0:2:7::1.51177 > 2001:4600:4:fff::52.domain: 38306+% [1au] AAAA? mattermost.redpill-linpro.com.fud.no. (65)
22:52:17.850780 IP 130.67.15.198.domain > 100.64.255.1.60774: 29748 Refused- 0/0/1 (64)
22:52:17.851383 IP6 2a02:c0:2:7::1.42169 > 2001:4600:4:1fff::52.domain: 29748+% [1au] A? nextcloud.redpill-linpro.com.fud.no. (87)
22:52:17.864001 IP6 2001:4600:4:fff::52.domain > 2a02:c0:2:7::1.41029: 7609 Refused- 0/0/1 (64)
22:52:17.865206 IP 100.64.255.1.48384 > 193.213.112.4.domain: 7609+% [1au] AAAA? nextcloud.redpill-linpro.com.fud.no. (87)
22:52:17.872557 IP6 2001:4600:4:1fff::52.domain > 2a02:c0:2:7::1.48567: 11409 Refused- 0/0/1 (61)
10 packets captured
11 packets received by filter
0 packets dropped by kernel
```
I'm using Fedora 31; NetworkManager-1.20.10-1.fc31.x86_64.
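As an added check (example code, not from this report or from NetworkManager), the script below detects the state described above: it compares the DNS servers stored in the NetworkManager connection with what systemd-resolved actually holds for the tunnel link, so a tunnel whose lookups would silently fall through to the default-route resolvers is flagged before queries start failing. It assumes the output formats of `nmcli -g ipv4.dns,ipv6.dns con show <con>` and `resolvectl dns <iface>`; the sample inputs are constructed to mirror the report.

```shell
#!/bin/sh
# Added example, not part of the report or of NetworkManager: detect the case
# where a WireGuard connection carries DNS servers but systemd-resolved never
# received them for the tunnel link, so lookups fall through to the
# default-route link (the ISP resolvers) and come back REFUSED.
#
# Assumed inputs: the output of `nmcli -g ipv4.dns,ipv6.dns con show <con>`
# (one line per family, servers comma-separated, "--" or empty when unset)
# and the output of `resolvectl dns <iface>` ("Link N (iface): s1 s2 ...").

# One configured server per line, sorted; drops nmcli's "--" and blank lines.
nm_dns_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e '/^--$/d' -e '/^$/d' | sort
}

# Servers resolved currently holds for the link, one per line, sorted.
resolved_dns_list() {
    printf '%s\n' "$1" | sed -e 's/^Link [0-9]* ([^)]*):[[:space:]]*//' \
        | tr ' ' '\n' | sed -e '/^$/d' | sort
}

# Prints every configured server that resolved does not have for the link.
missing_dns() {
    actual=$(resolved_dns_list "$2")
    nm_dns_list "$1" | while IFS= read -r server; do
        printf '%s\n' "$actual" | grep -qxF -- "$server" || printf '%s\n' "$server"
    done
}

# Returns 0 when every configured server was pushed, 1 (plus a message on
# stderr naming the missing servers) otherwise.
check_dns_pushed() {
    missing=$(missing_dns "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'DNS servers configured but not pushed to systemd-resolved: %s\n' \
        "$(printf '%s\n' "$missing" | tr '\n' ' ')" >&2
    return 1
}

# Live use on a host: check_dns_live <connection-name> <interface>
check_dns_live() {
    check_dns_pushed "$(nmcli -g ipv4.dns,ipv6.dns con show "$1")" \
                     "$(resolvectl dns "$2")"
}

# Constructed samples mirroring the report: both servers in the connection,
# none on the link (the broken state) versus both on the link (the fixed one).
NM_SAMPLE='87.238.33.1
2a02:c0::1'
RESOLVED_BROKEN='Link 19 (msvpn):'
RESOLVED_FIXED='Link 19 (msvpn): 87.238.33.1 2a02:c0::1'
```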