[opensuse] resolv.conf and VPNs
For $WORK, I have to use a vpn which writes its own version of /etc/resolv.conf, but as of 2 days ago, I'm on 15.2, which has the whole /var/run/netconfig/resolv.conf thing going on.

I'm noticing VERY frequent DNS failures in web browser contexts. I wonder if the browsers are flapping back and forth between what the vpn put in /etc/resolv.conf and what is in /var/run/netconfig/resolv.conf.

dig(1) seems to consistently use what is in /etc/resolv.conf, so that isn't helping me debug...

Thoughts? Suggestions?

Thanks.

Michael

--
Michael Fischer
michael@visv.net
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 28/07/2020 17:48, Michael Fischer wrote:
> For $WORK, I have to use a vpn which writes its own version of /etc/resolv.conf, but as of 2 days ago, I'm on 15.2, which has the whole /var/run/netconfig/resolv.conf thing going on.
>
> I'm noticing VERY frequent DNS failures in web browser contexts. I wonder if the browsers are flapping back and forth between what the vpn put in /etc/resolv.conf and what is in /var/run/netconfig/resolv.conf.

They are the same - resolv.conf is a symlink.

> dig(1) seems to consistently use what is in /etc/resolv.conf, so that isn't helping me debug...

You can always point it to another name server, if that helps.

> Thoughts? Suggestions?

I think we are missing some information - what sort of "VERY frequent DNS failures" are you seeing? Does the resolv.conf as installed by the VPN setup otherwise work? dig or host will help you verify.

Are you using wicked or networkmanager?

FWIW, right now I'm also on 15.2, connected over vpn to our office - works just fine.

Per
On Tue, Jul 28, Per Jessen wrote:
> On 28/07/2020 17:48, Michael Fischer wrote:
>> For $WORK, I have to use a vpn which writes its own version of /etc/resolv.conf, but as of 2 days ago, I'm on 15.2, which has the whole /var/run/netconfig/resolv.conf thing going on.
>>
>> I'm noticing VERY frequent DNS failures in web browser contexts. I wonder if the browsers are flapping back and forth between what the vpn put in /etc/resolv.conf and what is in /var/run/netconfig/resolv.conf.
>
> They are the same - resolv.conf is a symlink.

Not after the VPN software does `mv /etc/resolv.conf /etc/resolv.conf.fp-save` and then writes out its own one....

>> dig(1) seems to consistently use what is in /etc/resolv.conf, so that isn't helping me debug...
>
> You can always point it to another name server, if that helps.

That wouldn't help with work-only domains....

>> Thoughts? Suggestions?
>
> I think we are missing some information - what sort of "VERY frequent DNS failures" are you seeing? Does the resolv.conf as installed by the VPN setup otherwise work? dig or host will help you verify.

It seems to work when I use dig(1) on something which just failed in the browser, and showed that the vpn's DNS server was used to get the answer. However, I've no idea if FF is using the path to get the resolver.

> Are you using wicked or networkmanager?

wicked

> FWIW, right now I'm also on 15.2, connected over vpn to our office - works just fine.

F5 vpn with an rpm to install an external app for a webapp tied to our AD servers for the auth? (which in general has worked reasonably well for over a year)

Michael

--
Michael Fischer
michael@visv.net
On 28/07/2020 18:22, Michael Fischer wrote:
> On Tue, Jul 28, Per Jessen wrote:
>> On 28/07/2020 17:48, Michael Fischer wrote:
>>> For $WORK, I have to use a vpn which writes its own version of /etc/resolv.conf, but as of 2 days ago, I'm on 15.2, which has the whole /var/run/netconfig/resolv.conf thing going on.
>>>
>>> I'm noticing VERY frequent DNS failures in web browser contexts. I wonder if the browsers are flapping back and forth between what the vpn put in /etc/resolv.conf and what is in /var/run/netconfig/resolv.conf.
>>
>> They are the same - resolv.conf is a symlink.
>
> Not after the VPN software does `mv /etc/resolv.conf /etc/resolv.conf.fp-save` and then writes out its own one....

Hmmm. Yeah. Well, apps (i.e. the resolver) are not aware of /var/run/netconfig/resolv.conf, they only work with /etc/resolv.conf, so no flapping.

>>> Thoughts? Suggestions?
>>
>> I think we are missing some information - what sort of "VERY frequent DNS failures" are you seeing? Does the resolv.conf as installed by the VPN setup otherwise work? dig or host will help you verify.
>
> It seems to work when I use dig(1) on something which just failed in the browser, and showed that the vpn's DNS server was used to get the answer. However, I've no idea if FF is using the path to get the resolver.

FF uses the resolver by calling getaddrinfo() (unless it is set up for DNSoHTTPS) - dig talks directly to a nameserver. I guess the contents of /etc/resolv.conf are as expected? 'ping' will also use the standard resolver, you ought to see the same failure with ping.

>> FWIW, right now I'm also on 15.2, connected over vpn to our office - works just fine.
>
> F5 vpn with an rpm to install an external app for a webapp tied to our AD servers for the auth? (which in general has worked reasonably well for over a year)

Just plain openvpn here, but I doubt if it matters a lot.

Per
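The symlink-versus-replaced-file situation discussed in the messages above, as an added example that is not part of the original thread. The function names are hypothetical and the demo uses a constructed scratch directory with documentation-range addresses; `readlink -f` as in GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# resolv_state FILE MANAGED prints:
#   managed   FILE is a symlink that resolves to MANAGED (netconfig in control)
#   foreign   FILE is a symlink to something else
#   replaced  FILE is a regular file, e.g. written by a VPN client
#   missing   FILE does not exist
resolv_state() {
    if [ -L "$1" ]; then
        if [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]; then
            echo managed
        else
            echo foreign
        fi
    elif [ -f "$1" ]; then
        echo replaced
    else
        echo missing
    fi
}

# nameservers FILE prints the address of every "nameserver" line.
nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1" 2>/dev/null
}

# only_in A B prints nameservers that appear in A but not in B.
only_in() {
    for ns in $(nameservers "$1"); do
        nameservers "$2" | grep -qxF "$ns" || echo "$ns"
    done
}

# Constructed demo in a scratch directory; addresses are documentation ranges.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/run/netconfig"
    printf 'nameserver 192.0.2.1\n' > "$d/run/netconfig/resolv.conf"
    ln -s "$d/run/netconfig/resolv.conf" "$d/etc/resolv.conf"
    before=$(resolv_state "$d/etc/resolv.conf" "$d/run/netconfig/resolv.conf")
    # The step described in the thread: move the symlink aside, write a new file.
    mv "$d/etc/resolv.conf" "$d/etc/resolv.conf.fp-save"
    printf 'nameserver 198.51.100.53\n' > "$d/etc/resolv.conf"
    after=$(resolv_state "$d/etc/resolv.conf" "$d/run/netconfig/resolv.conf")
    vpn_only=$(only_in "$d/etc/resolv.conf" "$d/run/netconfig/resolv.conf")
    rm -rf "$d"
    echo "$before -> $after, VPN-only: $vpn_only"
}
demo
```

On a live system the same check is `resolv_state /etc/resolv.conf /var/run/netconfig/resolv.conf`. To exercise the getaddrinfo() path that the message above attributes to Firefox and ping, rather than the direct name-server query dig makes, `getent ahosts NAME` can be used.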
On 28/07/2020 18.22, Michael Fischer wrote:
> On Tue, Jul 28, Per Jessen wrote:
>> On 28/07/2020 17:48, Michael Fischer wrote:

...

>>> Thoughts? Suggestions?
>>
>> I think we are missing some information - what sort of "VERY frequent DNS failures" are you seeing? Does the resolv.conf as installed by the VPN setup otherwise work? dig or host will help you verify.
>
> It seems to work when I use dig(1) on something which just failed in the browser, and showed that the vpn's DNS server was used to get the answer. However, I've no idea if FF is using the path to get the resolver.

Firefox I understand can use its own resolver over http. I don't know how it works, only that it exists. Maybe this link:

<https://wiki.mozilla.org/Trusted_Recursive_Resolver>

It says it is set up in "the UI in the Network Settings section of about:preferences". So I go there and I see at the bottom "Enable DNS over HTTPS", so have a look in there.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On Tue, 28 Jul 2020 12:22:55 -0400 Michael Fischer <michael@visv.net> wrote:
> It seems to work when I use dig(1) on something which just failed in the browser, and showed that the vpn's DNS server was used to get the answer. However, I've no idea if FF is using the path to get the resolver.

You're aware that FF can use its own resolution mechanism, as others have said?

And that it does so by default in the US since Feb this year? I don't know where you are.

> F5 vpn with an rpm to install an external app for a webapp tied to our AD servers for the auth? (which in general has worked reasonably well for over a year)
On Tue, Jul 28, Dave Howorth wrote:
> On Tue, 28 Jul 2020 12:22:55 -0400 Michael Fischer <michael@visv.net> wrote:
>> It seems to work when I use dig(1) on something which just failed in the browser, and showed that the vpn's DNS server was used to get the answer. However, I've no idea if FF is using the path to get the resolver.
>
> You're aware that FF can use its own resolution mechanism, as others have said?
>
> And that it does so by default in the US since Feb this year? I don't know where you are.

USA, and yes, thanks to up-thread, I now know this.

Michael

--
Michael Fischer
michael@visv.net
On 28.07.2020 23:16, Michael Fischer wrote:
> On Tue, Jul 28, Dave Howorth wrote:
>> On Tue, 28 Jul 2020 12:22:55 -0400 Michael Fischer <michael@visv.net> wrote:
>>> It seems to work when I use dig(1) on something which just failed in the browser, and showed that the vpn's DNS server was used to get the answer. However, I've no idea if FF is using the path to get the resolver.
>>
>> You're aware that FF can use its own resolution mechanism, as others have said?
>>
>> And that it does so by default in the US since Feb this year? I don't know where you are.
>
> USA, and yes, thanks to up-thread, I now know this.

Yes, but FF uses its own resolving lib, which is not system based. The mozilla-nss stuff. Might be that it does some caching on the settings. Tries the changed new file, has problems with lookups, falls back to the previous working settings. Just some possibilities what might go on.

Do you run "nscd"? This would explain why FF works after dig because the stuff is in cache of nscd after you dig it.

Have you tried to restart FF after the resolv.conf has changed?
On Wed, Jul 29, Markus Kolb wrote:
> Yes, but FF uses its own resolving lib, which is not system based. The mozilla-nss stuff. Might be that it does some caching on the settings. Tries the changed new file, has problems with lookups, falls back to the previous working settings. Just some possibilities what might go on.
>
> Do you run "nscd"? This would explain why FF works after dig because the stuff is in cache of nscd after you dig it.
>
> Have you tried to restart FF after the resolv.conf has changed?

Hmm. I'll have to pay attention to both of those aspects "next time".

Michael

--
Michael Fischer
michael@visv.net
participants (5)
- Carlos E. R.
- Dave Howorth
- Markus Kolb
- Michael Fischer
- Per Jessen