Discussion:
Strange VPN behaviour
Anca, Tibor
2021-05-19 21:52:25 UTC
Hello,

I'm using Fedora 34. For some services I need to connect to my corporate
VPN (Cisco). I use openconnect with NetworkManager, which connects fine
to the VPN server. But there is a weird problem and I cannot figure
out where to change something.

If I use the AnyConnect-Client, the client creates on connect a
resolv.conf and saves the symlink to a backup file which is restored
upon disconnect. After it connects it modifies the resolv.conf with
entries on domain, dns servers etc. So I can call urls only available
within the vpn network.

If I use openconnect (which I prefer, because it keeps my network printer
available), it doesn't do almost anything with resolv.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.

I already searched the internet, tried a lot with nmcli, systemd-
resolved, but nothing helped. It seems that openconnect doesn't
populate some vital dns entries.

What could I try?

Regards,
Tibor

--
Dr. Tibor Attila Anca
Pastor

Ev.-luth. Kirchengemeinde Dollbergen-Schwüblingsen
Fuhsestr. 19,
31311 Uetze OT Dollbergen
Gemeindebüro Telefon: +49 (0)5177 922144
Gemeindebüro Telefax: +49 (0)5177 922145

Direkter Kontakt:
Telefon: +49 (0)5132 5045860
Telefax: +49 (0)5132 5045861
_______________________________________________
users mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the
Samuel Sieb
2021-05-19 22:20:31 UTC
Post by Anca, Tibor
I'm using Fedora 34. For some services I need to connect to my corporate
VPN (Cisco). I use openconnect with NetworkManager, which connects fine
to the VPN server. But there is a weird problem and I cannot figure
out where to change something.
If I use the AnyConnect-Client, the client creates on connect a
resolv.conf and saves the symlink to a backup file which is restored
upon disconnect. After it connects it modifies the resolv.conf with
entries on domain, dns servers etc. So I can call urls only available
within the vpn network.
If I use openconnect (which I prefer, because it keeps my network printer
available), it doesn't do almost anything with resolv.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-
resolved, but nothing helped. It seems that openconnect doesn't
populate some vital dns entries.
Is there any indication in logs that openconnect is getting DNS info?
If not, then if you edit the connection settings in the control panel,
you can add the DNS info. I think systemd-resolved is supposed to be
able to handle split DNS like that. Or otherwise, I guess the VPN DNS
should get all requests.
Anca, Tibor
2021-05-19 23:22:12 UTC
Post by Samuel Sieb
Is there any indication in logs that openconnect is getting DNS info?
you can add the DNS info.  I think systemd-resolved is supposed to be
should get all requests.
Where do I see those logs? If I run systemctl status systemd-resolved
then I see this:

vpn0: Bus client set DNS server list to: 192.168.x.x, 192.168.x,y

Now, those two entries are added by the AnyConnect-Client to
/etc/resolv.conf.

I can't figure out why NM is not doing that...
Ed Greshko
2021-05-20 00:46:43 UTC
Post by Anca, Tibor
Post by Samuel Sieb
Is there any indication in logs that openconnect is getting DNS info?
you can add the DNS info.  I think systemd-resolved is supposed to be
should get all requests.
Where do I see those logs? If I run systemctl status systemd-resolved
vpn0: Bus client set DNS server list to: 192.168.x.x, 192.168.x,y
Now, those two entries are added by the AnyConnect-Client to
/etc/resolv.conf.
I can't figure out why NM is not doing that...
First, when using NM and the openconnect plugin I'm assuming you've not disabled
systemd-resolved.

So, your /etc/resolv.conf is a symlink on the order of

lrwxrwxrwx. 1 root root 39 Oct 31  2020 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

If that is the case, then can you compare the output of "resolvectl" for dis-connected/connected?
I only use openvpn.  But it looks like so:

disconnected

[***@f34k ~]$ resolvectl
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.122.1
       DNS Servers: 192.168.122.1
        DNS Domain: greshko.com

connected

Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.122.1
       DNS Servers: 192.168.122.1
        DNS Domain: greshko.com

Link 3 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 25.0.0.1
       DNS Servers: 25.0.0.1



--
Remind me to ignore comments which aren't germane to the thread.

Anca, Tibor
2021-05-20 10:49:06 UTC
Hello,
Post by Ed Greshko
disconnected
My output on disconnected is:

Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 3 (wlp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
        DNS Domain: fritz.box

Link 4 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.3.133
Post by Ed Greshko
connected
When connected:

Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 3 (wlp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
        DNS Domain: fritz.box

Link 4 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: vpn.domain.de

And yes, systemd-resolved is running, /etc/resolv.conf is a symlink.

What do you read out of these outputs?

Regards
Tibor
Ed Greshko
2021-05-20 11:14:00 UTC
Post by Anca, Tibor
Link 5 (vpn0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.33
DNS Servers: 192.168.3.33 192.168.3.133
DNS Domain: vpn.domain.de
And yes, systemd-resolved is running, /etc/resolv.conf is a symlink.
What do you read out of these outputs?
How are you specifying the hostname you want to reach on the remote side?

If you are just using "Aname" then when the request is sent to 192.168.3.33 it will become
a request for an A (or AAAA) record for "Aname.vpn.domain.de"

If the actual FQDN is different from that, you'd need to spell it out or add the additional
"Search Domain" under the IPv4 Tab in the openconnect configuration of NM.

You can always use the "host" command to test/try different combination and direct the
request only to that one DNS server.

host Aname 192.168.3.33 for example



Anca, Tibor
2021-05-20 11:27:33 UTC
Hi,
Post by Ed Greshko
How are you specifying the hostname you want to reach on the remote side?
If you are just using "Aname" then when the request is sent to
192.168.3.33 it will become
a request for an A (or AAAA) record for "Aname.vpn.domain.de"
I must admit, I don't really get it...
Post by Ed Greshko
If the actual FQDN is different from that, you'd need to spell it
out or add the additional
"Search Domain" under the IPv4 Tab in the openconnect configuration of NM.
You can always use the "host" command to test/try different
combination and direct the
request only to that one DNS server.
host Aname 192.168.3.33 for example
I added a few days ago in /etc/hosts a line:

ip.add.re.ss host.name.de

By doing this Firefox finds the target website, even if I only use the
url. Without this entry I must specify the ip of the website. The
difference is: anyconnect populates the nameservers, openconnect
doesn't.
Ed Greshko
2021-05-20 11:33:29 UTC
Post by Anca, Tibor
Hi,
Post by Ed Greshko
How are you specifying the hostname you want to reach on the remote side?
If you are just using "Aname" then when the request is sent to
192.168.3.33 it will become
a request for an A (or AAAA) record for "Aname.vpn.domain.de"
I must admit, I don't really get it...
Post by Ed Greshko
If the actual FQDN is different from that, you'd need to spell it
out or add the additional
"Search Domain" under the IPv4 Tab in the openconnect configuration of NM.
You can always use the "host" command to test/try different
combination and direct the
request only to that one DNS server.
host Aname 192.168.3.33 for example
ip.add.re.ss host.name.de
By doing this Firefox finds the target website, even if I only use the
url. Without this entry I must specify the ip of the website. The
difference is: anyconnect populates the nameservers, openconnect
doesn't.
Does

host host.name.de 192.168.3.33

Return the IP address you expect?




Anca, Tibor
2021-05-20 12:59:26 UTC
Post by Ed Greshko
Does
host host.name.de 192.168.3.33
Return the IP address you expect?
Yes. But it also returns:

Host xyz not found: 3(NXDOMAIN)
Ed Greshko
2021-05-20 13:46:13 UTC
Post by Anca, Tibor
Post by Ed Greshko
Does
host host.name.de 192.168.3.33
Return the IP address you expect?
Host xyz not found: 3(NXDOMAIN)
One of my problems is I can't find a way to give sound advice when the actual information
is obfuscated.

But, is the above with or without the /etc/hosts entry?

Anca, Tibor
2021-05-20 14:19:02 UTC
Hello,
Post by Ed Greshko
But, is the above with or without the /etc/hosts entry?
I just checked, it is with added entry, with established VPN-Connection.

Ed Greshko
2021-05-20 14:24:51 UTC
Post by Anca, Tibor
Hello,
Post by Ed Greshko
But, is the above with or without the /etc/hosts entry?
I just checked, it is with added entry, with established VPN-Connection.
How about with the entry removed?

Kevin Becker
2021-05-20 14:23:49 UTC
Post by Anca, Tibor
Post by Ed Greshko
Does
host host.name.de 192.168.3.33
Return the IP address you expect?
Host xyz not found: 3(NXDOMAIN)
Are you trying to use just the hostname without the fully qualified
domain name?

systemd-resolved won't modify the nameservers listed in
/etc/resolv.conf.  It uses different name servers based on the
interface.  It won't query your VPN name servers if you only specify a
hostname.  It will only use your VPN name servers if you specify a
domain name that matches the domain names of your VPN.

This article gives a good overview of how it works, including on VPNs.

https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/
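
The per-link routing discussed above, applied to the "connected" resolvectl output posted earlier in this thread; this is an added example, not part of any poster's message. It assumes a simplified model of systemd-resolved's documented routing for fully qualified names only (longest matching link domain wins, otherwise links with +DefaultRoute), and `intranet.vpn.domain.de` is a constructed name.

```python
import re

# Constructed sample: the "connected" resolvectl output posted in this thread,
# with wrapped lines rejoined and the Global section left out.
SAMPLE = """\
Link 2 (enp2s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 3 (wlp4s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: fd00::e228:6dff:fec6:b89a 192.168.178.1
        DNS Domain: fritz.box

Link 4 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (vpn0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.3.33 192.168.3.133
        DNS Domain: vpn.domain.de
"""

def parse_links(text):
    """Parse the per-link sections of resolvectl output into a dict."""
    links, cur = {}, None
    for line in text.splitlines():
        header = re.match(r"Link \d+ \((\S+)\)", line.strip())
        if header:
            cur = links[header.group(1)] = {
                "dns": False, "default_route": False, "servers": [], "domains": []}
            continue
        if cur is None or ":" not in line:
            continue  # Global section or blank line
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Current Scopes":
            cur["dns"] = "DNS" in value.split()
        elif key == "Protocols":
            cur["default_route"] = "+DefaultRoute" in value.split()
        elif key == "DNS Servers":
            cur["servers"] = value.split()
        elif key == "DNS Domain":
            # "~" marks a routing-only domain; "~." becomes "" (matches any name)
            cur["domains"] = [d.lstrip("~").rstrip(".").lower() for d in value.split()]
    return links

def route(name, links):
    """Return (links, servers) that would receive a query for a multi-label name."""
    name = name.rstrip(".").lower()
    usable = {n: l for n, l in links.items() if l["dns"] and l["servers"]}
    best, matched = -1, []
    for n, link in usable.items():
        for dom in link["domains"]:
            if dom == "" or name == dom or name.endswith("." + dom):
                depth = len(dom.split(".")) if dom else 0
                if depth > best:
                    best, matched = depth, [n]
                elif depth == best and n not in matched:
                    matched.append(n)
    if not matched:  # no domain matched: fall back to links flagged +DefaultRoute
        matched = [n for n, l in usable.items() if l["default_route"]]
    servers = list(dict.fromkeys(s for n in matched for s in usable[n]["servers"]))
    return matched, servers

if __name__ == "__main__":
    links = parse_links(SAMPLE)
    for query in ("host.name.de", "intranet.vpn.domain.de"):
        print(query, "->", route(query, links))
```

In this model `host.name.de` never reaches the VPN resolvers, because it is not under `vpn.domain.de` and vpn0 is flagged -DefaultRoute. On a live system, `resolvectl query <name>` reports the link that actually answered.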
John Mellor
2021-05-20 00:10:37 UTC
Post by Anca, Tibor
I'm using Fedora 34. For some services I need to connect to my corporate
VPN (Cisco). I use openconnect with NetworkManager, which connects fine
to the VPN server. But there is a weird problem and I cannot figure
out where to change something.
If I use the AnyConnect-Client, the client creates on connect a
resolv.conf and saves the symlink to a backup file which is restored
upon disconnect. After it connects it modifies the resolv.conf with
entries on domain, dns servers etc. So I can call urls only available
within the vpn network.
If I use openconnect (which I prefer, because it keeps my network printer
available), it doesn't do almost anything with resolv.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
I already searched the internet, tried a lot with nmcli, systemd-
resolved, but nothing helped. It seems that openconnect doesn't
populate some vital dns entries.
A good VPN does this on purpose - adding ip addresses to what is on the
corporate network is a very bad thing from a security standpoint.  If
you can do that, your admin guys should probably block you.  Yes, you
like your local printer, but is it secure like the one at work?  And how
about the fileserver under your desk?  Is it also regularly scanned and
updated by your work?  Adding ip addresses and spoofed hosts that were
thought to be secure just makes a mockery of the corporate security. 
Just don't.
Anca, Tibor
2021-05-20 11:19:34 UTC
Hi,
Post by John Mellor
A good VPN does this on purpose - adding ip addresses to what is on the
corporate network is a very bad thing from a security standpoint.  If
you can do that, your admin guys should probably block you.  Yes, you
like your local printer, but is it secure like the one at work?  And how
about the fileserver under your desk?  Is it also regularly scanned and
thought to be secure just makes a mockery of the corporate security. 
Just don't.
I work totally decentral, in fact I have three offices, which are
officially recognized by my employer as designated offices. Those
network printers are located in these offices, so I would like to use
the local network printers in my official offices.

Now, the VPN servers are located in a different city. There is only one
service for which I need the VPN. I could disable the connection, of course,
but that is annoying. I still suffer from previous experiences, when we
only had CheckPoint client ONLY FOR WINDOWS...

Concerning the fileserver under my desk: there is none. There is a LUKS
partitioned disk ON my desk, used by rsync twice a day for backups.

Regards
Tibor
Kevin Becker
2021-05-20 01:24:31 UTC
Post by Anca, Tibor
If I use openconnect (which I prefer, because it keeps my network printer
available), it doesn't do almost anything with resolv.conf. It only adds
a search entry, no dns, nothing. In this case I have to enter the ip
address of the services I need within the vpn network. I can resolve
this by adding an entry into hosts.conf, but nevertheless this bugs me.
Is the search domain that is added to resolv.conf the correct domain for your work that you are trying to access? I have two domains at my workplace and only one of them gets pushed out by the VPN DHCP service so in order to resolve anything in the other domain I have to add it myself. I use nm-connection-editor to modify the IPV4 settings for my VPN adapter to add both desired search domains. Systemd-resolved has per-adapter DNS servers and will only query the VPN DNS servers for domains that are specified in the search domain for that adapter.

Anca, Tibor
2021-05-20 11:30:41 UTC
Post by Kevin Becker
Is the search domain that is added to resolv.conf the correct domain
for your work that you are trying to access?
Yes, it is the same which is added by AnyConnect.
Post by Kevin Becker
I have two domains at my workplace and only one of them gets pushed
out by the VPN DHCP service so in order to resolve anything in the
other domain I have to add it myself.  I use nm-connection-editor to
modify the IPV4 settings for my VPN adapter to add both desired search
domains.  Systemd-resolved has per-adapter DNS servers and will only
query the VPN DNS servers for domains that are specified in the search
domain for that adapter.
I already tried to make those modifications in the connection editor
(DNS). However, as soon as I commented out the entry in /etc/hosts (ip
url), those changes were useless. Still got from Firefox: Not found.

Regards
Tibor