Split DNS when connecting to a VPN with systemd-resolved

When connecting to a VPN I noticed that all my DNS queries were being sent to the VPN's internal servers. For privacy I prefer to keep my usual DNS servers and use the VPN's only for its own domains. To do that I used systemd-resolved.

I use NetworkManager, and when connecting to the VPN the file /etc/resolv.conf gets overwritten. In the Arch wiki I found this article, which explains how to switch to systemd-resolved. Basically:

sudo systemctl start systemd-resolved

j@bt ~ % sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
[sudo] password for j:
j@bt ~ % ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 37 Sep 22 18:36 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

With resolvectl we can see the configured DNS servers:

j@bt ~ % resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1
Fallback DNS Servers: 1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
          DNS Domain: hitronhub.home

Link 2 (wlan0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (br-91ceae38b5f3)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (enp7s0u2u4)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: hitronhub.home

Link 18 (vpn0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

…and when connecting to the VPN, the entry for the vpn0 interface changes:

Link 18 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.12.82
       DNS Servers: 10.0.12.82 10.0.12.83
        DNS Domain: ibmutua.inet
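
What makes the split work is visible in that block: vpn0 has -DefaultRoute and a DNS Domain of ibmutua.inet, so systemd-resolved only routes names under that domain to the VPN servers, while everything else keeps going to the link that has +DefaultRoute. The script below is an added example (not from the post) that re-implements that per-link routing decision from resolvectl's text output, so you can check the split without turning on debug logs. It is a simplified model (assumption: the Global section, "~" routing-only domains and the "." catch-all are ignored), and the resolvectl sample it parses is constructed to mirror the post's output; the function and variable names are mine.

```sh
#!/bin/sh
# Added example: reproduce systemd-resolved's per-link routing decision from
# `resolvectl` output. Simplified model (assumption): a query goes to the link
# whose "DNS Domain" is the longest suffix match; with no match it goes to
# every +DefaultRoute link. Global, "~" routing-only domains and "." are ignored.

# Constructed sample modelled on the post's output after the VPN came up.
# In real use replace it with:  RESOLVECTL_SAMPLE=$(resolvectl)
RESOLVECTL_SAMPLE='Link 5 (enp7s0u2u4)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: hitronhub.home

Link 18 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.12.82
       DNS Servers: 10.0.12.82 10.0.12.83
        DNS Domain: ibmutua.inet'

# One line per link: <name> <default-route yes|no> <servers,csv> <domains,csv>
links_table() {
  printf '%s\n' "$RESOLVECTL_SAMPLE" | awk '
    function flush() {
      if (link != "") print link, dr, (srv == "" ? "-" : srv), (dom == "" ? "-" : dom)
    }
    $1 == "Link"      { flush(); link = $3; gsub(/[()]/, "", link); dr = "no"; srv = ""; dom = "" }
    /Protocols:/      { if (index($0, "+DefaultRoute") > 0) dr = "yes" }
    /^ *DNS Servers:/ { for (i = 3; i <= NF; i++) srv = srv (srv == "" ? "" : ",") $i }
    /^ *DNS Domain:/  { for (i = 3; i <= NF; i++) dom = dom (dom == "" ? "" : ",") $i }
    END               { flush() }'
}

# Links that receive queries matching no routing domain. For split DNS the
# VPN link must NOT appear here, or unrelated lookups would reach its servers.
default_route_links() {
  links_table | awk '$2 == "yes" { print $1 }'
}

# Print "<link> <servers>" for the link(s) a query for $1 would be sent to.
link_for_domain() {
  links_table | awk -v q="$1" '
    function under(name, d) {
      return name == d || substr(name, length(name) - length(d)) == "." d
    }
    {
      n = split($4, doms, ",")
      for (i = 1; i <= n; i++)
        if (doms[i] != "-" && under(q, doms[i]) && length(doms[i]) > best) {
          best = length(doms[i]); bl = $1; bs = $3
        }
      if ($2 == "yes") defaults = defaults $1 " " $3 "\n"
    }
    END { if (bl != "") print bl, bs; else printf "%s", defaults }'
}

for q in danbooru.donmai.us proxy3.ibmutua.inet; do
  printf '%-22s -> %s\n' "$q" "$(link_for_domain "$q")"
done
printf 'default-route links: %s\n' "$(default_route_links | tr '\n' ' ')"
```

If default_route_links ever lists the VPN interface, the VPN pushed DefaultRoute=yes and every non-matching query becomes a candidate for its resolvers; that is the configuration this post is trying to avoid.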

We turn on debug logging:

j@bt ~ % sudo resolvectl log-level debug
j@bt ~ % journalctl -u systemd-resolved -f

When connecting to the VPN we can see how the DNS servers and domains get updated (in my case ibmutua.inet):

Sep 22 18:50:12 bt systemd-resolved[507906]: vpn0: Bus client reset search domain list.
Sep 22 18:50:12 bt systemd-resolved[507906]: vpn0: Bus client reset DNS server list.

Let's make a request for a domain outside the VPN and for an internal one:

Sep 22 18:46:32 bt systemd-resolved[507906]: Looking up RR for danbooru.donmai.us IN AAAA.
Sep 22 18:46:32 bt systemd-resolved[507906]: Cache miss for danbooru.donmai.us IN AAAA
Sep 22 18:46:32 bt systemd-resolved[507906]: Firing regular transaction 63823 for <danbooru.donmai.us IN AAAA> scope dns on */* (validate=yes).
Sep 22 18:46:32 bt systemd-resolved[507906]: Using feature level UDP for transaction 63823.
Sep 22 18:46:32 bt systemd-resolved[507906]: Using DNS server 192.168.1.1 for transaction 63823.
Sep 22 18:48:48 bt systemd-resolved[507906]: Looking up RR for proxy3.ibmutua.inet IN A.
Sep 22 18:48:48 bt systemd-resolved[507906]: Cache miss for proxy3.ibmutua.inet IN A
Sep 22 18:48:48 bt systemd-resolved[507906]: Firing regular transaction 53391 for <proxy3.ibmutua.inet IN A> scope dns on vpn0/* (validate=yes).
Sep 22 18:48:48 bt systemd-resolved[507906]: Using feature level UDP+EDNS0 for transaction 53391.
Sep 22 18:48:48 bt systemd-resolved[507906]: Using DNS server 10.0.12.82 for transaction 53391.
For danbooru.donmai.us the DNS server 192.168.1.1 was used (the default one, built into my ISP's router). For proxy3.ibmutua.inet, the query was directed to 10.0.12.82.
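
Reading those pairs of lines by hand works for two queries, but not for a day of logs. The following is an added example (not from the post) that automates the check: it reads systemd-resolved debug lines on stdin, pairs each "Firing regular transaction" line (query name) with the "Using DNS server" line for the same transaction id, and flags a LEAK when a name outside the VPN domain was answered by a VPN server, or a MISROUTE when an internal name went to a non-VPN server. The sample log is constructed: the post's two transactions plus an invented leaking one (transaction 70001, example.org) so the detector has something to report; the function names and the argument format are mine.

```sh
#!/bin/sh
# Added example: audit systemd-resolved debug logs for DNS leaks.
#   dns_leaks <vpn-domain> <vpn-servers,csv>   reads journalctl lines on stdin
# Reports:
#   LEAK      name outside the VPN domain answered by a VPN server
#   MISROUTE  name inside the VPN domain sent to a non-VPN server
dns_leaks() {
  awk -v vpndom="$1" -v vpnsrv="$2" '
    function under(name, d) {
      return name == d || substr(name, length(name) - length(d)) == "." d
    }
    function in_set(x, csv,   a, n, i) {
      n = split(csv, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == x) return 1
      return 0
    }
    # "... Firing regular transaction 63823 for <name IN AAAA> scope dns on ..."
    /Firing regular transaction/ {
      for (i = 1; i <= NF; i++) if ($i == "transaction") { id = $(i+1); name = $(i+3); break }
      sub(/^</, "", name); qname[id] = name
    }
    # "... Using DNS server 192.168.1.1 for transaction 63823."
    /Using DNS server/ {
      for (i = 1; i <= NF; i++) if ($i == "server") { srv = $(i+1); id = $(i+4); break }
      sub(/\.$/, "", id)
      name = qname[id]; if (name == "") next
      if (!under(name, vpndom) && in_set(srv, vpnsrv))      print "LEAK", id, name, "->", srv
      else if (under(name, vpndom) && !in_set(srv, vpnsrv)) print "MISROUTE", id, name, "->", srv
    }'
}

# Constructed sample: the post's two transactions plus one invented leak
# (transaction 70001 for example.org sent to 10.0.12.83).
JOURNAL_SAMPLE='Sep 22 18:46:32 bt systemd-resolved[507906]: Firing regular transaction 63823 for <danbooru.donmai.us IN AAAA> scope dns on */* (validate=yes).
Sep 22 18:46:32 bt systemd-resolved[507906]: Using DNS server 192.168.1.1 for transaction 63823.
Sep 22 18:48:48 bt systemd-resolved[507906]: Firing regular transaction 53391 for <proxy3.ibmutua.inet IN A> scope dns on vpn0/* (validate=yes).
Sep 22 18:48:48 bt systemd-resolved[507906]: Using DNS server 10.0.12.82 for transaction 53391.
Sep 22 18:49:01 bt systemd-resolved[507906]: Firing regular transaction 70001 for <example.org IN A> scope dns on */* (validate=yes).
Sep 22 18:49:01 bt systemd-resolved[507906]: Using DNS server 10.0.12.83 for transaction 70001.'

audit_sample() {
  printf '%s\n' "$JOURNAL_SAMPLE" | dns_leaks ibmutua.inet 10.0.12.82,10.0.12.83
}

# Live use:  journalctl -u systemd-resolved --since today | dns_leaks ibmutua.inet 10.0.12.82,10.0.12.83
audit_sample
```

On the post's own two transactions it prints nothing, which is the result you want; only the constructed example.org lookup is reported. It needs the debug log level from the step above, so run it while debugging and drop back to info afterwards.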

To leave systemd-resolved enabled at boot:

j@bt ~ % sudo systemctl enable systemd-resolved

and let's not forget to turn debug logging off so the disk doesn't fill up:

j@bt ~ % sudo resolvectl log-level info