Bdtyktl

After booting the Ubuntu 18.10 I can't resolve domain names and my /etc/resolv.conf file is looking like this:

# Generated by NetworkManager

nameserver 127.0.0.53

The $ nslookup google.com - 127.0.0.53 command is not returning anything either.

This became an issue after installing this script for DNS support in OpenVPN: https://github.com/masterkorp/openvpn-update-resolv-conf

I think I've installed the openresolv package, but I'm not sure how to configure everything to work together.

Right now, I just have to manually update the /etc/resolv.conf with the Google DNS servers every time after boot. However, the VPN is working fine, so it looks like it's updating the DNS for this.

What could be done to make it work after rebooting the PC and after establishing a VPN tunnel with OpenVPN?

Any suggestions will be highly appreciated.

Commands requested by @heynnema:

I've run them just after reboot, before connecting to VPN.

$ cat /etc/issue

Ubuntu 18.10



$ uname -a

Linux destiny 4.18.0-13-generic #14-Ubuntu SMP Wed Dec 5 09:04:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux



$ ls -al /etc/resolv.conf

-rw-r--r-- 1 root root 52 янв 21 21:20 /etc/resolv.conf



$ ps auxc | grep -i dns



$ host 8.8.8.8

;; connection timed out; no servers could be reached



$ host www.ebay.com

;; connection timed out; no servers could be reached



$ ps auxc | grep -i resolv



$ cat /run/resolvconf/resolv.conf

cat: /run/resolvconf/resolv.conf: No such file or directory



$ cat /run/systemd/resolve/resolv.conf

cat: /run/systemd/resolve/resolv.conf: No such file or directory



$ ls -al /etc/openvpn

total 36

drwxr-xr-x   5 root root  4096 янв 15 14:54 .

drwxr-xr-x 139 root root 12288 янв 21 23:43 ..

drwxr-xr-x   2 root root  4096 сен  3 11:57 client

drwxr-xr-x   2 root root  4096 янв 15 14:25 scripts

drwxr-xr-x   2 root root  4096 сен  3 11:57 server

-rwxr-xr-x   1 root root  1468 сен  3 11:57 update-resolv-conf

-rwxr-xr-x   1 root root  2152 янв 15 14:54 update-resolv-conf.sh



# openvpn --version

OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  3 2018

library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.10

Originally developed by James Yonan

Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

$ systemctl status | head -n 6



● destiny

    State: running

     Jobs: 0 queued

   Failed: 0 units

    Since: Tue 2019-01-22 17:33:01 MSK; 1min 29s ago

   CGroup: /



$ systemctl status systemd-resolved

● systemd-resolved.service - Network Name Resolution

   Loaded: loaded (/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

     Docs: man:systemd-resolved.service(8)

           https://www.freedesktop.org/wiki/Software/systemd/resolved

           https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers

           https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

Note: DNS is broken in 18.xx, with/without VPN.

Problems...

• your /etc/resolv.conf is a hard-wired file and should be a symlink


• your /run/resolvconf/resolv.conf and /run/systemd/resolve/resolv.conf are not getting populated


• you installed openresolv
  


• you followed a two-year-old script from github (+ for trying though)


• 
  systemd-resolved is disabled and not running


• you're missing some required network-manager packages

So... just to start...

• uninstall openresolv
  



• remove all mods based on the github link




• re-enable and restart systemd-resolved

sudo systemctl enable systemd-resolved # re-enable systemd-resolved

sudo systemctl start systemd-resolved # start systemd-resolved

sudo systemctl status systemd-resolved # check the status

• recreate the /etc/resolv.conf symlink

sudo rm -i /etc/resolv.conf # remove the hard-wired file

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf # recreate the symlink

sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf # recreate the symlink

reboot # reboot the system

after reboot...

cat /etc/resolv.conf # check the contents of /etc/resolv.conf

and confirm that it contains something like 192.168.x.1 or the IP address of a upstream DNS server.

We'll modify your .ovpn scripts, import them to NetworkManager, and test VPN later. One thing to note is that using sudo openvpn script_name.ovpn may produce different results than importing the .ovpn file into NetworkManager.

For your .ovpn files...

Add the following at the end of the file (try this with only one of your .ovpn files).

script-security 2

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

then try...

sudo openvpn script_name.ovpn # connect via cli

cat /etc/resolv.conf # recheck the contents and confirm changes

resolvectl # check that DNS servers are getting assigned to tap0

Check for DNS leaks at http://dnsleak.com

Update #1:

I've changed my mind (at least temporarily) and have decided to change the symlink in the step "recreate the /etc/resolv.conf symlink"...

• recreate the /etc/resolv.conf symlink

sudo rm -i /etc/resolv.conf # remove the symlink

sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf # recreate the symlink

sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf # recreate the symlink

• 
  resolvectl may not show the expected result for device tap0 with VPN up

Update #2:

Now we'll import the modified .ovpn file into NetworkManager.

• open the Network settings panel


• locate the VPN section, and click the "+" icon to add a connection


• select Import from file
  


• locate your modified .ovpn and import it


• once imported, click the "ADD" button


• use the NetworkManager's VPN menu to connect to your VPN Server using the imported .ovpn



• check for DNS leaks at http://dnsleak.com




• resolvectl should show the expected result for device tap0 with VPN up

Update #3:

• installed missing packages...

network-manager-openvpn

network-manager-openvpn-gnome

network-manager-vpnc

• need to check for these (dpkg -l *resolv* | grep ii)...

resolvconf

libnss-resolve

Update #4:

Here's a screenshot of the "Wired Connection" NM script that I'm talking about... you can set DNS there (remember to set DNS AUTO to OFF, and then enter comma-separated DNS IP addresses)... or edit /etc/systemd/resolved.conf and edit the #DNS= line... however either of these might override the automatic handling of DNS with VPN that we're trying to get at 100%.

Remember that using sudo openvpn client.ovpn produces slightly different results than initiating a VPN connection from NetworkManager with an imported .ovpn script. In either case, you'll want to monitor the two resolv.conf that we have symlinked to /etc/resolv.conf and see which one appropriately shows the DNS servers from either your local network, or the VPN network, but normally not both... then adjust the symlink if required. (note: we may have to also edit /etc/nsswitch.conf... more on that later).

Remember that I said that DNS is kind of screwy in 18.xx :-) I finally got mine working pretty well, but it took some time.

Update #5:

Something to try... I have not played with this myself... so report back with your results.

Edit /etc/nsswitch.conf and temporarily comment out:

hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns

and put this in its place:

hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname

Update #6:

If this is confusing... remember I said it might be...

Here's a test for you to run... take careful notes, as it's easy to get it wrong from memory... I know I did...

Let's just purely look at the output of resolvectl. There are 3 different places that we have to look to see if it's actually working right.

Global

       LLMNR setting: no

MulticastDNS setting: no

  DNSOverTLS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

  Current DNS Server: 10.200.0.1 <--note

         DNS Servers: 10.200.0.1 <--note

and...

Link 5 (tun0)

      Current Scopes: DNS

       LLMNR setting: yes

MulticastDNS setting: no

  DNSOverTLS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

  Current DNS Server: 10.200.0.1 <--note

         DNS Servers: 10.200.0.1 <--note

          DNS Domain: ~.

and...

Link 2 (eth0)

      Current Scopes: DNS

       LLMNR setting: yes

MulticastDNS setting: no

  DNSOverTLS setting: no

      DNSSEC setting: no

    DNSSEC supported: no

  Current DNS Server: 192.168.0.1 <--note

         DNS Servers: 192.168.0.1 <--note

          DNS Domain: ~

Run two separate tests...

Test #1...

• use the CLI, sudo openvpn client.ovpn
  


• note, using the above 3 examples, if your VPN DNS shows up anywhere


• go to http://dnsleak.com and check for a VPN IP and for DNS leaks

Test #2...

• use the NM interface to connect using your imported .ovpn file


• note, using the above 3 examples, if your VPN DNS shows up anywhere


• go to http://dnsleak.com and check for a VPN IP and for DNS leaks