
I'm connecting to a corporate VPN via network-manager-l2tp with a pre-shared key and user+pass. I'm getting a correct DNS server IP automatically, which resolves the company's URLs correctly.

However, public internet isn't resolved (I tested with www.google.com all the time), but this depends on the perspective: I can't get systemd-resolved to resolve from 2 DNS servers at the same time (1.1.1.1 and the corporate DNS). It's strictly either/or, and I've tried a lot of different configs...

Question: How do I configure systemd-resolved to use both a corporate VPN's DNS and the regular DNS servers at the same time?

I don't care if it's 'conditional forwarding' based on domain or using the 2nd DNS after the 1st fails. I couldn't get either approach to work. My guess is this has something to do with l2tp, but I can't find any solutions that apply to my case.

I use: NetworkManager 1.30.0, systemd-resolved (systemd 247.3) and openresolv (instead of old resolvconf) on Pop OS. Both services are up and running.

resolv.conf -> /run/systemd/resolve/stub-resolv.conf

    # This file is managed by man:systemd-resolved(8). Do not edit.
    [...]
    nameserver 127.0.0.53
    options edns0 trust-ad
    search fritz.box

/etc/systemd/resolved.conf

    [Resolve]
    FallbackDNS=1.1.1.1 corp.ip.add.ress

resolvectl status output after connecting to VPN

    Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
    Fallback DNS Servers: 1.1.1.1 corp.ip.add.ress

    Link 2 (enp6s0)
        Current Scopes: DNS
             Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: 192.168.178.1
           DNS Servers: 192.168.178.1
            DNS Domain: fritz.box

    Link 3 (ip_vti0)
        Current Scopes: none
             Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

    Link 23 (ppp0)
        Current Scopes: DNS
             Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: corp.ip.add.ress
           DNS Servers: 1.1.1.1 corp.ip.add.ress

I've tried a lot of different things, but what you see above is a good starting point to come up with a robust, final solution.

1 Answer

You may be able to achieve split DNS (conditional forwarding) with the following configuration (assuming ppp0 is your VPN interface and enp6s0 your regular LAN):

    resolvectl dns ppp0 corp.ip.add.ress
    resolvectl domain ppp0 ~corp.domain.name
    resolvectl default-route ppp0 false
    resolvectl default-route enp6s0 true

This will use the default DNS for all queries except for those that have a domain ending with corp.domain.name. For those queries, it will use corp.ip.add.ress. Also note the default route has to be corrected, as connecting to the VPN might result in updating the default.
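To verify whether the per-link state actually matches the split-DNS setup described in this answer, the following added script (not part of the answer or of systemd) parses `resolvectl status` output and reports the three conditions that make all queries collapse onto one resolver: the VPN link being a DNS default route, the VPN link lacking a `~` routing domain, and the LAN link not being a default route. The sample input is constructed to mirror the question's output; feed it the real output via `resolvectl status` when using it on a host.

```python
import re

# Constructed sample modelled on the resolvectl status output in the question
SAMPLE_STATUS = """\
Link 2 (enp6s0)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box
Link 3 (ip_vti0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 23 (ppp0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 1.1.1.1 corp.ip.add.ress
"""

def parse_status(text):
    """Map each link name to its DNS servers, domains and DefaultRoute flag."""
    links, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:
            current = links.setdefault(
                m.group(1), {"dns": [], "domains": [], "default_route": False})
            continue
        if current is None or ":" not in line:
            continue  # Global section and blank lines are not per-link state
        key, _, value = line.strip().partition(":")
        tokens = value.split()
        if key == "Protocols":
            current["default_route"] = "+DefaultRoute" in tokens
        elif key == "DNS Servers":
            current["dns"] = tokens
        elif key == "DNS Domain":
            current["domains"] = tokens  # routing-only domains carry a "~" prefix
    return links

def check_split_dns(links, vpn_iface, lan_iface):
    """Explain why queries collapse onto one resolver instead of being split."""
    findings = []
    vpn, lan = links.get(vpn_iface, {}), links.get(lan_iface, {})
    if vpn.get("default_route"):
        findings.append(f"{vpn_iface} is a DNS default route, so non-matching queries go to the VPN resolver")
    if not any(d.startswith("~") for d in vpn.get("domains", [])):
        findings.append(f"{vpn_iface} has no routing domain (~corp.domain.name), so nothing is steered to it")
    if not lan.get("default_route"):
        findings.append(f"{lan_iface} is not a DNS default route, so public names will not use it")
    return findings
```

An empty findings list means the link state matches the four `resolvectl` commands above; a non-empty one names which of them has not taken effect (for example after NetworkManager re-applied the VPN's DNS settings).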
