DNS config on other interfaces vanishes after connecting VPN, breaking split-DNS
After connecting a WireGuard VPN profile, DNS configuration on other interfaces is removed. This breaks split-DNS routing of search domains associated with those other interfaces (e.g., the internal `.lan` domain maintained by my home gateway).
After starting out with only my wireless (`wlp2s0`) connected, everything looks normal:

```
[:~] $ nmcli device show wlp2s0 | egrep 'DNS|DOMAIN'
IP4.DNS[1]: 192.168.1.1
IP4.DOMAIN[1]: lan
IP6.DNS[1]: fd55:60be:958c::1
[:~] $ resolvectl status wlp2s0
Link 4 (wlp2s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: fd55:60be:958c::1
DNS Servers: 192.168.1.1
fd55:60be:958c::1
DNS Domain: ~.
lan
```
However, after activating a WireGuard tunnel, the DNS configuration on the wireless interface is gone:
```
[:~] $ nmcli con up cloudops
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/33)
[:~] $ nmcli device show wlp2s0 | egrep 'DNS|DOMAIN'
IP4.DNS[1]: 192.168.1.1
IP4.DOMAIN[1]: lan
IP6.DNS[1]: fd55:60be:958c::1
[:~] $ nmcli device show cloudops | egrep 'DNS|DOMAIN'
IP4.DNS[1]: 87.238.33.1
IP6.DNS[1]: 2a02:c0::1
[:~] $ resolvectl status wlp2s0 cloudops
Link 4 (wlp2s0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Link 26 (cloudops)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 2a02:c0::1
DNS Servers: 87.238.33.1
2a02:c0::1
DNS Domain: ~.
```
While I do expect the DNS server associated with the VPN tunnel to take over as the primary DNS server (i.e., the one owning the `~.` routing domain), I do not expect the DNS server associated with the wireless interface to vanish. This breaks resolving of my internal `*.lan` domains when the VPN is active.
This also happens with `dns=dnsmasq`, so it does not appear to be systemd-resolved's fault.
NM version: `NetworkManager-1.26.4-1.fc33.x86_64`
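As an added illustration (not part of the report above, and not NetworkManager or systemd-resolved code), the following Python parses `resolvectl status` output into per-link fields and compares two captures to detect exactly the regression described: a link that still exists but has lost a specific routing domain (here `lan` on `wlp2s0`), while losing only `~.` is treated as the expected hand-over of the default DNS route to the VPN. The two sample captures are constructed from the before/after output quoted in the report; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample input: the two `resolvectl status` captures from the
# report above, before and after activating the WireGuard profile.
BEFORE = """\
Link 4 (wlp2s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: fd55:60be:958c::1
DNS Servers: 192.168.1.1
fd55:60be:958c::1
DNS Domain: ~.
lan
"""

AFTER = """\
Link 4 (wlp2s0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Link 26 (cloudops)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 2a02:c0::1
DNS Servers: 87.238.33.1
2a02:c0::1
DNS Domain: ~.
"""

LINK_RE = re.compile(r"^Link\s+(\d+)\s+\((\S+)\)$")
# A field line is a letters-and-spaces key followed by a colon. IPv6
# addresses on wrapped continuation lines contain digits before their first
# colon, so they never match here and are appended to the previous field.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_resolvectl_status(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse `resolvectl status` into {link_name: {field: [tokens]}}.
    Lines before the first 'Link N (name)' header (the Global section) are skipped."""
    links: Dict[str, Dict[str, List[str]]] = {}
    current = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINK_RE.match(line)
        if m:
            current = links.setdefault(m.group(2), {})
            key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            current[key] = m.group(2).split()
        elif key is not None:
            # Wrapped multi-value field (additional DNS servers / domains).
            current[key].extend(line.split())
    return links


def links_without_dns_scope(text: str) -> List[str]:
    """Names of links that carry no DNS scope at all in this capture."""
    links = parse_resolvectl_status(text)
    return sorted(n for n, f in links.items() if "DNS" not in f.get("Current Scopes", []))


def lost_split_dns(before: str, after: str) -> Dict[str, List[str]]:
    """For each link present in `before`, list the specific routing domains it
    no longer has in `after`. Losing '~.' alone is expected when the VPN takes
    over the default DNS route, so it is excluded; anything else lost means
    split-DNS for that domain is broken."""
    b = parse_resolvectl_status(before)
    a = parse_resolvectl_status(after)
    lost: Dict[str, List[str]] = {}
    for name, fields in b.items():
        had = set(fields.get("DNS Domain", [])) - {"~."}
        now = set(a.get(name, {}).get("DNS Domain", []))
        missing = sorted(had - now)
        if missing:
            lost[name] = missing
    return lost


if __name__ == "__main__":
    print("links without DNS scope after VPN:", links_without_dns_scope(AFTER))
    print("routing domains lost per link:", lost_split_dns(BEFORE, AFTER))
```

On a live system, capture `resolvectl status` once before and once after `nmcli con up <profile>` and pass the two texts to `lost_split_dns`; a non-empty result is the condition this report describes, and `links_without_dns_scope` flags the same symptom from the `Current Scopes` line alone.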