network-manager refuses to forward "default" DNS queries when using OpenVPN

Asked by MikeyB on 2015-04-20

I'm trying to use NetworkManager with OpenVPN and whenever I connect it kills my ability to resolve any names *not* provided by the VPN connection. This is a NetworkManager policy error somehow as if it actually tried *any* nameserver it would work.

Prior to bringing up VPN:

Apr 20 16:24:24 challenger NetworkManager[2691]: <info> (wlan0): DHCPv4 state changed preinit -> reboot
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> address 192.168.1.24
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> prefix 24 (255.255.255.0)
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> gateway 192.168.1.1
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> nameserver '192.168.1.51'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> nameserver '192.168.1.52'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> domain name 'supermathie.net'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> domain search 'supermathie.net.'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> domain search 'ad.supermathie.net.'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> wins '192.168.1.51'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> wins '192.168.1.52'
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Configure Commit) scheduled...
Apr 20 16:24:24 challenger NetworkManager[2691]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Commit) started...
Apr 20 16:24:26 challenger NetworkManager[2691]: <info> (wlan0): device state change: ip-config -> secondaries (reason 'none') [70 90 0]
Apr 20 16:24:26 challenger NetworkManager[2691]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Commit) complete.
Apr 20 16:24:26 challenger NetworkManager[2691]: <info> (wlan0): device state change: secondaries -> activated (reason 'none') [90 100 0]
Apr 20 16:24:26 challenger NetworkManager[2691]: <info> NetworkManager state is now CONNECTED_GLOBAL
Apr 20 16:24:26 challenger NetworkManager[2691]: <info> Policy set 'smnet' (wlan0) as default for IPv4 routing and DNS.
Apr 20 16:24:26 challenger NetworkManager[2691]: <info> Writing DNS information to /sbin/resolvconf

IP4.ADDRESS[1]: ip = 192.168.1.24/24, gw = 192.168.1.1
IP4.DNS[1]: 192.168.1.51
IP4.DNS[2]: 192.168.1.52
IP4.DOMAIN[1]: supermathie.net
IP4.WINS[1]: 192.168.1.51
IP4.WINS[2]: 192.168.1.52
IP6.ADDRESS[1]: ip = 2001:db8::6bdd/64, gw = fe80::5054:ff:fe84:cfcd
IP6.ADDRESS[2]: ip = 2001:db8::790c/64, gw = fe80::5054:ff:fe84:cfcd
IP6.ADDRESS[3]: ip = fe80::790c/64, gw = fe80::5054:ff:fe84:cfcd
IP6.DNS[1]: 2001:db8::51
IP6.DNS[2]: 2001:db8::52
IP6.DOMAIN[1]: supermathie.net

○ → host www.google.ca
www.google.ca has address 74.125.226.151
www.google.ca has address 74.125.226.152
www.google.ca has address 74.125.226.159
www.google.ca has address 74.125.226.143
www.google.ca has IPv6 address 2607:f8b0:400b:80b::1017

○ → host www.netdirect.ca
www.netdirect.ca is an alias for ajax.netdirect.ca.
ajax.netdirect.ca has address 216.16.235.90

○ → host www.supermathie.net
www.supermathie.net is an alias for baron.supermathie.net.
baron.supermathie.net has IPv6 address 2001:470:1d:165::1

Now I bring up the VPN:

Apr 20 16:30:32 challenger NetworkManager[2691]: <info> Starting VPN service 'openvpn'...
Apr 20 16:30:32 challenger NetworkManager[2691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 20739
Apr 20 16:30:32 challenger NetworkManager[2691]: <info> VPN service 'openvpn' appeared; activating connections
Apr 20 16:30:32 challenger NetworkManager[2691]: <info> VPN plugin state changed: starting (3)
Apr 20 16:30:32 challenger NetworkManager[2691]: <info> VPN connection 'Net Direct' (Connect) reply received.
Apr 20 16:30:32 challenger nm-openvpn[20742]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Apr 20 16:30:32 challenger nm-openvpn[20742]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 20 16:30:32 challenger nm-openvpn[20742]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 20 16:30:32 challenger nm-openvpn[20742]: UDPv4 link local: [undef]
Apr 20 16:30:32 challenger nm-openvpn[20742]: UDPv4 link remote: [AF_INET]216.16.230.2:1194
Apr 20 16:30:33 challenger nm-openvpn[20742]: [server] Peer Connection Initiated with [AF_INET]216.16.230.2:1194
Apr 20 16:30:35 challenger nm-openvpn[20742]: TUN/TAP device tun0 opened
Apr 20 16:30:35 challenger nm-openvpn[20742]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper tun0 1500 1542 10.0.0.14 10.0.0.13 init
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> VPN connection 'Net Direct' (IP Config Get) reply received.
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> VPN connection 'Net Direct' (IP4 Config Get) reply received.
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> VPN connection 'Net Direct' (IP6 Config Get) reply received.
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> VPN Gateway: 216.16.232.38
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Tunnel Device: tun0
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> IPv4 configuration:
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Gateway: 10.0.0.13
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Address: 10.0.0.14
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Prefix: 32
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Point-to-Point Address: 10.0.0.13
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Maximum Segment Size (MSS): 0
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Static Route: 192.168.0.0/24 Next Hop: 192.168.0.0
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Static Route: 216.16.235.0/25 Next Hop: 216.16.235.0
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Static Route: 10.0.0.0/24 Next Hop: 10.0.0.0
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Forbid Default Route: no
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal DNS: 192.168.0.5
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal DNS: 192.168.0.6
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> DNS Domain: 'netdirect.ca'
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> IPv6 configuration:
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Address: 2001:470:b3f5:f001::1002
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Prefix: 64
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Internal Point-to-Point Address: 2001:470:b3f5:f001::1
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Maximum Segment Size (MSS): 0
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Static Route: 2001:470:b3f5::/48 Next Hop: 2001:470:b3f5::
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> Forbid Default Route: no
Apr 20 16:30:35 challenger NetworkManager[2691]: <info> DNS Domain: 'netdirect.ca'
Apr 20 16:30:35 challenger nm-openvpn[20742]: Initialization Sequence Completed
Apr 20 16:30:37 challenger NetworkManager[2691]: <info> VPN connection 'Net Direct' (IP Config Get) complete.
Apr 20 16:30:37 challenger NetworkManager[2691]: <info> Policy set 'Net Direct' (tun0) as default for IPv4 routing and DNS.
Apr 20 16:30:37 challenger NetworkManager[2691]: <info> Policy set 'Net Direct' (tun0) as default for IPv6 routing and DNS.
Apr 20 16:30:37 challenger NetworkManager[2691]: <info> Writing DNS information to /sbin/resolvconf
Apr 20 16:30:37 challenger dnsmasq[8136]: setting upstream servers from DBus
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.6#53 for domain 235.16.216.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.6#53 for domain 0.168.192.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.6#53 for domain 10.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.6#53 for domain netdirect.ca
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.5#53 for domain 235.16.216.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.5#53 for domain 0.168.192.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.5#53 for domain 10.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.5#53 for domain netdirect.ca
Apr 20 16:30:37 challenger NetworkManager[2691]: <info> VPN plugin state changed: started (4)
Apr 20 16:30:37 challenger NetworkManager[2691]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Apr 20 16:30:37 challenger NetworkManager[2691]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Apr 20 16:30:37 challenger NetworkManager[2691]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
Apr 20 16:30:37 challenger dbus[2651]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
Apr 20 16:30:37 challenger dbus[2651]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Apr 20 16:30:37 challenger ntpd[20017]: ntpd exiting on signal 15
Apr 20 16:30:37 challenger ntpdate[20932]: Can't find host 0.ubuntu.pool.ntp.org: Name or service not known (-2)
Apr 20 16:30:37 challenger ntpdate[20932]: Can't find host 1.ubuntu.pool.ntp.org: Name or service not known (-2)
Apr 20 16:30:37 challenger ntpdate[20932]: Can't find host 2.ubuntu.pool.ntp.org: Name or service not known (-2)
Apr 20 16:30:37 challenger ntpdate[20932]: Can't find host 3.ubuntu.pool.ntp.org: Name or service not known (-2)
Apr 20 16:30:40 challenger dnsmasq[7973]: reading /etc/resolv.conf
Apr 20 16:30:40 challenger dnsmasq[7973]: using nameserver 127.0.1.1#53
Apr 20 16:30:40 challenger dnsmasq[3418]: reading /etc/resolv.conf
Apr 20 16:30:40 challenger dnsmasq[3418]: using nameserver 127.0.1.1#53
Apr 20 16:30:40 challenger dnsmasq[4818]: reading /etc/resolv.conf
Apr 20 16:30:40 challenger dnsmasq[4818]: using nameserver 127.0.1.1#53
Apr 20 16:30:40 challenger dnsmasq[4921]: reading /etc/resolv.conf
Apr 20 16:30:40 challenger dnsmasq[4921]: using nameserver 127.0.1.1#53

All of a sudden dnsmasq refuses to forward queries for ANY domain other than netdirect.ca to ANY nameserver:

○ → host www.supermathie.net
Host www.supermathie.net not found: 5(REFUSED)

○ → host www.google.ca
Host www.google.ca not found: 5(REFUSED)

○ → host www.netdirect.ca
www.netdirect.ca has address 192.168.103.52

But I can ask any nameserver and they work as expected:

○ → host www.google.ca 192.168.0.6
Using domain server:
Name: 192.168.0.6
Address: 192.168.0.6#53
Aliases:

www.google.ca has address 173.194.43.95
www.google.ca has address 173.194.43.79
www.google.ca has address 173.194.43.87
www.google.ca has address 173.194.43.88
www.google.ca has IPv6 address 2607:f8b0:400b:806::1017

○ → host www.google.ca 2001:470:b0e2::51
Using domain server:
Name: 2001:470:b0e2::51
Address: 2001:470:b0e2::51#53
Aliases:

www.google.ca has address 74.125.226.143
www.google.ca has address 74.125.226.152
www.google.ca has address 74.125.226.159
www.google.ca has address 74.125.226.151
www.google.ca has IPv6 address 2607:f8b0:400b:80b::1017

○ → host www.google.ca 192.168.1.51
Using domain server:
Name: 192.168.1.51
Address: 192.168.1.51#53
Aliases:

www.google.ca has address 74.125.226.143
www.google.ca has address 74.125.226.152
www.google.ca has address 74.125.226.151
www.google.ca has address 74.125.226.159
www.google.ca has IPv6 address 2607:f8b0:400b:80b::1017

Question information

Language: English
Status: Answered
For: Ubuntu network-manager
Assignee: No assignee
Last query: 2015-04-20
Last reply: 2015-04-20

If you add an extra nameserver in /etc/resolv.conf do you get the issue resolved?

ChrisH (tipichris) said : #2

I've recently seen what appears to be the same issue (on 14.04), but only after changing my OpenVPN server config to include IPv6. Without IPv6, DNS resolution on the client is fine. With it, all queries are refused. However, directly querying the upstream resolvers is no problem. The problem appears to lie with dnsmasq. A workaround is to disable dnsmasq by editing /etc/NetworkManager/NetworkManager.conf and commenting out the line dns=dnsmasq.

Other than the presence of an IPv6 on the tun0 interface on the client I can see no obvious difference between the two configurations, but one works and the other doesn't. I have seen somewhere that dnsmasq sometimes struggles with new interfaces appearing and I wonder if there is something about the IPv6-enabled tun interface that is problematic.
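
Added example, not part of the original thread: a log check for the condition visible in the question's syslog, where the NetworkManager-driven dnsmasq (PID 8136) announces only domain-scoped upstream servers after the VPN comes up, leaving no server for any other name. The function names are hypothetical; SAMPLE is an excerpt of the log lines posted above.

```python
import re

LINE = re.compile(r"dnsmasq\[(\d+)\]: (.*)$")
USING = re.compile(r"using nameserver (\S+?)#\d+(?: for domain (\S+))?$")
# Messages after which dnsmasq re-announces its complete server list.
RESET = ("setting upstream servers from DBus", "reading ")

# Excerpt of the syslog lines posted in the question.
SAMPLE = """\
Apr 20 16:30:37 challenger dnsmasq[8136]: setting upstream servers from DBus
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.6#53 for domain 10.in-addr.arpa
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.6#53 for domain netdirect.ca
Apr 20 16:30:37 challenger dnsmasq[8136]: using nameserver 192.168.0.5#53 for domain netdirect.ca
Apr 20 16:30:40 challenger dnsmasq[7973]: reading /etc/resolv.conf
Apr 20 16:30:40 challenger dnsmasq[7973]: using nameserver 127.0.1.1#53
"""


def upstream_state(log_text):
    """Map each dnsmasq PID to the most recent server list it logged:
    {"default": [servers], "scoped": {domain: [servers]}}."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2).strip()
        if msg.startswith(RESET):
            # A new announcement replaces whatever this process used before.
            state[pid] = {"default": [], "scoped": {}}
            continue
        u = USING.match(msg)
        if u:
            entry = state.setdefault(pid, {"default": [], "scoped": {}})
            server, domain = u.groups()
            if domain:
                entry["scoped"].setdefault(domain, []).append(server)
            else:
                entry["default"].append(server)
    return state


def pids_without_default(log_text):
    """PIDs that hold domain-scoped servers but no default upstream."""
    return sorted(pid for pid, s in upstream_state(log_text).items()
                  if s["scoped"] and not s["default"])


if __name__ == "__main__":
    print(pids_without_default(SAMPLE))
```

Grouping by PID matters here because several dnsmasq processes log at once; only the one fed over DBus by NetworkManager loses its default upstream.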
