Missing default nameserver for dnsmasq after connecting with openconnect

Bug #1096326 reported by Sebastian Schweizer
This bug affects 18 people
Affects: network-manager-openconnect (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I configured my VPN account for my university (University of Kaiserslautern, Germany) with network-manager-gnome. I use openconnect to connect to the Cisco Anyconnect VPN.
It is a split setup, that is to say only the routes to my university's network are added. Default route is still my local router.
All routing works fine, but I have name resolution problems.

After establishing the connection, dnsmasq (managed by network-manager) does not work. In the attached syslog you can see that dnsmasq gets nameservers through DBus. Nameservers for my university's domain and reverse lookup zones are configured (use university's resolver), but no default nameserver. So I can only resolve names in those zones:

sebastian@seb-laptop:~$ host 131.246.83.189
189.83.246.131.in-addr.arpa domain name pointer vpn-ipv4-0957.triple-a.uni-kl.de.
sebastian@seb-laptop:~$ host vpn-ipv4-0957.triple-a.uni-kl.de.
vpn-ipv4-0957.triple-a.uni-kl.de has address 131.246.83.189
vpn-ipv4-0957.triple-a.uni-kl.de mail is handled by 10 mailgate1.uni-kl.de.
vpn-ipv4-0957.triple-a.uni-kl.de mail is handled by 5 mailgate2.uni-kl.de.
sebastian@seb-laptop:~$ host google.de.
Host google.de not found: 5(REFUSED)

sebastian@seb-laptop:~$ cat /etc/resolv.conf | grep -v ^#
nameserver 127.0.1.1
search triple-a.uni-kl.de cbs239.de

sebastian@seb-laptop:~$ nm-tool
NetworkManager Tool
State: connected (global)
- Device: eth1 [cbs239.de] ----------------------------------------------------
  Type: 802.11 WiFi
  Driver: wl
  State: connected
  Default: yes
[...]
  IPv4 Settings:
    Address: 172.25.134.15
    Prefix: 21 (255.255.248.0)
    Gateway: 172.25.128.1
    DNS: 172.25.128.2
[...]

- VPN: [uni-kl.de] ------------------------------------------------------------
  State: connected
  Default: no

After disabling the VPN, everything works as expected again:
Jan 5 10:55:03 seb-laptop avahi-daemon[1147]: Withdrawing address record for 172.25.134.15 on eth1.
Jan 5 10:55:03 seb-laptop avahi-daemon[1147]: Leaving mDNS multicast group on interface eth1.IPv4 with address 172.25.134.15.
Jan 5 10:55:03 seb-laptop avahi-daemon[1147]: Interface eth1.IPv4 no longer relevant for mDNS.
Jan 5 10:55:03 seb-laptop avahi-daemon[1147]: Joining mDNS multicast group on interface eth1.IPv4 with address 172.25.134.15.
Jan 5 10:55:03 seb-laptop avahi-daemon[1147]: New relevant interface eth1.IPv4 for mDNS.
Jan 5 10:55:03 seb-laptop avahi-daemon[1147]: Registering new address record for 172.25.134.15 on eth1.IPv4.
Jan 5 10:55:05 seb-laptop NetworkManager[1165]: <info> Policy set 'cbs239.de' (eth1) as default for IPv4 routing and DNS.
Jan 5 10:55:05 seb-laptop NetworkManager[1165]: <info> Policy set 'cbs239.de' (eth1) as default for IPv6 routing and DNS.
Jan 5 10:55:05 seb-laptop NetworkManager[1165]: <info> ((null)): writing resolv.conf to /sbin/resolvconf
Jan 5 10:55:05 seb-laptop dnsmasq[1965]: setting upstream servers from DBus
Jan 5 10:55:05 seb-laptop dnsmasq[1965]: using nameserver 172.25.128.2#53
Jan 5 10:55:05 seb-laptop dbus[1100]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
Jan 5 10:55:05 seb-laptop openconnect[2767]: Send BYE packet: Client killed
Jan 5 10:55:05 seb-laptop dbus[1100]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jan 5 10:55:05 seb-laptop avahi-daemon[1147]: Withdrawing workstation service for vpn0.
Jan 5 10:55:05 seb-laptop NetworkManager[1165]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/vpn0, iface: vpn0)
Jan 5 10:55:08 seb-laptop NetworkManager[1165]: <info> VPN service 'openconnect' disappeared

sebastian@seb-laptop:~$ host google.de
[...many A, AAAA and MX records...]

sebastian@seb-laptop:~$ cat /etc/resolv.conf | grep -v ^#
nameserver 127.0.1.1
search cbs239.de

I tried to change the VPN configuration from "Automatisch (VPN)" to "Automatisch (VPN), nur Adressen" and give a custom DNS server. The effect is that this DNS server is used for the reverse zones announced by the VPN server, but dnsmasq still has no default nameservers. And the triple-a.uni-kl.de entry is not added to resolv.conf, but that makes no difference to me.

The expected behaviour would be something like this:
using nameserver 172.25.128.2#53 <-- this line is missing!
using nameserver 131.246.9.116#53 for Domain 165.68.192.in-addr.arpa
using nameserver 131.246.9.116#53 for Domain 166.68.192.in-addr.arpa
using nameserver 131.246.9.116#53 for Domain 168.68.192.in-addr.arpa
using nameserver 131.246.9.116#53 for Domain 246.131.in-addr.arpa
using nameserver 131.246.9.116#53 for Domain triple-a.uni-kl.de

I hope apport has attached all my system information. If you need more information just ask. I can provide everything from client side, but I have no influence on my university's servers.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: network-manager-openconnect 0.9.6.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.5.0-21.32-generic 3.5.7.1
Uname: Linux 3.5.0-21-generic x86_64
NonfreeKernelModules: fglrx wl
ApportVersion: 2.6.1-0ubuntu9
Architecture: amd64
Date: Sat Jan 5 10:16:20 2013
InstallationDate: Installed on 2012-11-07 (59 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
MarkForUpload: True
SourcePackage: network-manager-openconnect
UpgradeStatus: No upgrade log present (probably fresh install)
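
The symptom in the report above (only per-zone nameservers, no default one) can be checked directly from the dnsmasq syslog lines. The following is an added example, not part of the original report; the function names and the sample log lines are constructed, modelled on the log format shown in the report.

```shell
#!/bin/sh
# Added example: summarise the upstream servers dnsmasq logged after its most
# recent DBus update and flag a missing default (unscoped) upstream.

dnsmasq_upstream_summary() {
    # Reads syslog lines on stdin. Exit status 1 means no default upstream.
    awk '
        /dnsmasq\[[0-9]+\]: setting upstream servers from DBus/ {
            def = 0; scoped = 0; next   # count only lines after the latest update
        }
        /dnsmasq\[[0-9]+\]: using nameserver / {
            # Case-insensitive: the report writes "for Domain".
            if (tolower($0) ~ / for domain /) scoped++
            else def++
        }
        END {
            printf "default=%d scoped=%d\n", def, scoped
            exit (def > 0 ? 0 : 1)
        }
    '
}

# Constructed sample: VPN connected, only zone-scoped servers were pushed.
sample_vpn_up() {
    cat <<'EOF'
Jan 5 10:20:01 seb-laptop dnsmasq[1965]: setting upstream servers from DBus
Jan 5 10:20:01 seb-laptop dnsmasq[1965]: using nameserver 131.246.9.116#53 for domain 246.131.in-addr.arpa
Jan 5 10:20:01 seb-laptop dnsmasq[1965]: using nameserver 131.246.9.116#53 for domain triple-a.uni-kl.de
EOF
}

# Constructed sample: the expected state, local resolver present as default.
sample_expected() {
    cat <<'EOF'
Jan 5 10:20:01 seb-laptop dnsmasq[1965]: setting upstream servers from DBus
Jan 5 10:20:01 seb-laptop dnsmasq[1965]: using nameserver 172.25.128.2#53
Jan 5 10:20:01 seb-laptop dnsmasq[1965]: using nameserver 131.246.9.116#53 for Domain triple-a.uni-kl.de
EOF
}

for s in sample_vpn_up sample_expected; do
    if out=$("$s" | dnsmasq_upstream_summary); then
        echo "$s: $out"
    else
        echo "$s: $out  <-- no default upstream; names outside the scoped zones fail"
    fi
done
```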

Sebastian Schweizer (sebastians) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openconnect (Ubuntu):
status: New → Confirmed
Klaus Steinberger (klaus-steinberger) wrote :

Is anybody working on this? This bug is really annoying; it has been hitting me on 12.04 LTS for a long time.

Ondrej Balaz (blami) wrote :

This issue is also present on 15.10, where dnsmasq-base is the default behavior. Even when the connection clearly sets the default route and the DNS servers are correctly displayed in the Connection Information dialog, they are always added only for the given zones (is that split DNS?).

As a workaround, the following command can be used to send default DNS server(s) to dnsmasq using DBus:

sudo dbus-send --print-reply --system --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetServers uint32:<ip>

where <ip> is the integer representation of the name server IP address (network byte order).
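
To fill in the <ip> argument of the dbus-send workaround above, the dotted-quad address has to be turned into a single unsigned integer. The following is an added example, not part of the original comment; the function names are hypothetical, it assumes "network byte order" means the first octet is the most significant byte, and it uses the reporter's local resolver 172.25.128.2 as sample input.

```shell
#!/bin/sh
# Added example: convert a dotted-quad IPv4 address to the uint32 value used
# in the dbus-send workaround, and print (not run) the resulting command.

ipv4_to_uint32() {
    ip=$1
    # Only digits and dots, no empty fields at the edges or in the middle.
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;    # leading zeros are rejected (ambiguous: octal?)
        esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))  # assumption: first octet is most significant
    done
    printf '%s\n' "$n"
}

setservers_cmd() {
    value=$(ipv4_to_uint32 "$1") || {
        echo "invalid IPv4 address: $1" >&2
        return 1
    }
    printf '%s %s %s uint32:%s\n' \
        'sudo dbus-send --print-reply --system' \
        '--dest=org.freedesktop.NetworkManager.dnsmasq' \
        '/uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetServers' \
        "$value"
}

# Sample input taken from the report: the local network's DNS server.
setservers_cmd 172.25.128.2
```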

aldebx (aldebx) wrote :

I confirm exactly the same issue on Ubuntu 15.10

A workaround is commenting out "dns=dnsmasq" in /etc/NetworkManager/NetworkManager.conf

then restarting NetworkManager: sudo service NetworkManager restart

Mauro (mauromol) wrote :

I think I have the same problem (please advise if not) in Kubuntu 20.04.

When I connect to my company with the official Cisco AnyConnect client, my DNS is automatically switched to 192.168.240.250, which is the company one and allows me to resolve the company internal names, which are in the form "hostname.foobar".

When I use the openconnect Network Manager plugin this does not work "out-of-the-box".
I see that if I add "foobar" in the "search domains" in the IPv4 settings of this openconnect VPN connection using the Network Manager GUI, and reconnect, it seems to work and I can resolve both "hostname" and "hostname.foobar" names (the former is mapped to "hostname.foobar" too). However, randomly, when I disconnect and reconnect, it stops working again: I was not able to determine what makes it fail and what I should do to make it work reliably.

What I noticed is that if I use the official Cisco AnyConnect client, nslookup will resolve names through 192.168.240.250. If I use the openconnect Network Manager plugin it will resolve names with localhost.

I tried to manually add the DNS server name in the IPv4 settings of this openconnect VPN connection using the Network Manager GUI, but it seems to make no difference at all.

I didn't try the workaround in #5: it sounds like an invasive change, what could be the consequences?
