DNS in Ubuntu 12.04

Anyone who’s been using 12.04 over the past month or so may have noticed some pretty significant changes in the way we do DNS resolving in Ubuntu.

This is the result of the implementation of: foundations-p-dns-resolving

Here is a description of the two big changes that happened:

Switch to resolvconf for /etc/resolv.conf management

resolvconf is a set of scripts and hooks managing DNS resolution. The most notable difference for the user is that any change made manually to /etc/resolv.conf will be lost, as the file gets overwritten the next time something triggers resolvconf. Instead, resolvconf uses DHCP client hooks, a Network Manager plugin and /etc/network/interfaces to generate the list of nameservers and search domains to put in /etc/resolv.conf.

For more details, I’d highly encourage you to read resolvconf’s manpage, but here are a few answers to common questions:

  • I use static IP configuration, where should I put my DNS configuration?
    The DNS configuration for a static interface should go as “dns-nameservers”, “dns-search” and “dns-domain” entries added to the interface in /etc/network/interfaces.
  • How can I override resolvconf’s configuration or append some entries to it?
    Resolvconf has a /etc/resolvconf/resolv.conf.d/ directory that can contain “base”, “head”, “original” and “tail” files, all in resolv.conf format.
    • base: Used when no other data can be found
    • head: Used for the header of resolv.conf; can be used to ensure a DNS server is always the first one in the list
    • original: Just a backup of your resolv.conf at the time of resolvconf installation
    • tail: Any entry in tail is appended at the end of the resulting resolv.conf. In some cases, upgrading from a previous Ubuntu release will make tail a symlink to original (when we think you manually modified resolv.conf in the past)
  • I really don’t want resolvconf, how can I disable it?
    I certainly wouldn’t recommend disabling resolvconf, but you can do it by making /etc/resolv.conf a regular file instead of a symlink.
    Please note that you may then end up with an inconsistent /etc/resolv.conf when multiple pieces of software fight to change it.

This change affects all Ubuntu installs except for Ubuntu core.

Using dnsmasq as local resolver by default on desktop installations

That’s the second big change of this release. On a desktop install, your DNS server is going to be “127.0.0.1” which points to a NetworkManager-managed dnsmasq server.

This was done to better support split DNS for VPN users and to better handle DNS failures and fallbacks. This dnsmasq server isn’t a caching server, for security reasons: it avoids the risk of local cache poisoning and of users eavesdropping on each other’s DNS queries on a multi-user system.

The big advantage is that if you connect to a VPN, instead of having all your DNS traffic routed through the VPN like in the past, you’ll only send the DNS queries related to the subnets and domains announced by that VPN. This is especially interesting for high latency VPN links, where everything would be slowed down in the past.

As for dealing with DNS failures, dnsmasq often sends the DNS queries to more than one DNS server (if you received multiple when establishing your connection) and will detect bogus/dead ones and simply ignore them until they start returning sensible information again. Compare this with the libc’s way of doing DNS resolving, where the state of the DNS servers can’t be saved (as it’s just a library), so every single application has to go through the same process: trying the first DNS server, waiting for it to time out, then using the next one.

Now for the most common questions:

  • How to know what DNS servers I’m using (since I can’t just “cat /etc/resolv.conf”)?
    “nm-tool” can be used to get information about your existing connections in Network Manager. It’s roughly the same data you’d get in the GUI “connection information”.
    Alternatively, you can also read dnsmasq’s configuration from /run/nm-dns-dnsmasq.conf.
  • I really don’t want a local resolver, how can I turn it off?
    To turn off dnsmasq in Network Manager, you need to edit /etc/NetworkManager/NetworkManager.conf and comment the “dns=dnsmasq” line (put a # in front of it) then do a “sudo restart network-manager”.
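As an added example (not NetworkManager’s or dnsmasq’s own code), the following shell script reads a /run/nm-dns-dnsmasq.conf-style file and shows which upstream server answers for a given name, which is what the split-DNS behaviour described above comes down to. It assumes the file consists of dnsmasq “server=IP” (default upstream) and “server=/domain/IP” (split DNS) lines; the sample file is constructed from the VPN case discussed in the comments.

```shell
#!/bin/sh
# Added example, not NetworkManager's or dnsmasq's code.
# Assumed format of the generated file: dnsmasq "server=" directives, either
#   server=IP            -> default upstream for everything not matched below
#   server=/domain/IP    -> split DNS: "domain" and its subdomains go to IP,
#                           the longest matching domain wins

# summarize_nm_dnsmasq FILE: one line per upstream, grouped by scope
summarize_nm_dnsmasq() {
    awk -F= '
        $1 == "server" && substr($2, 1, 1) == "/" {
            split($2, p, "/")          # "/domain/ip" -> p[2]=domain, p[3]=ip
            printf "%-24s -> %s\n", p[2], p[3]
            nsplit++
            next
        }
        $1 == "server" { printf "%-24s -> %s\n", "(everything else)", $2; ndefault++ }
        END { printf "%d split-DNS route(s), %d default upstream(s)\n", nsplit + 0, ndefault + 0 }
    ' "$1"
}

# route_for_name FILE NAME: print the upstream dnsmasq would forward NAME to
route_for_name() {
    awk -F= -v name="$2" '
        $1 == "server" && substr($2, 1, 1) == "/" {
            split($2, p, "/"); dom = p[2]; srv = p[3]
            # match the domain itself or any subdomain; keep the most specific (longest) one
            if (name == dom || substr(name, length(name) - length(dom)) == "." dom) {
                if (length(dom) > best) { best = length(dom); pick = srv }
            }
            next
        }
        # first default upstream; the real dnsmasq may also try the others (see the post)
        $1 == "server" && dflt == "" { dflt = $2 }
        END { print (pick != "" ? pick : dflt) }
    ' "$1"
}

# write_sample_conf FILE: constructed sample, not a real /run/nm-dns-dnsmasq.conf
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for the example
server=/c-compsci.local/10.150.8.1
server=/yosemite.cc.ca.us/10.150.8.1
server=/cc.ca.us/10.150.8.2
server=192.168.1.10
server=75.75.75.75
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
summarize_nm_dnsmasq "$conf"
route_for_name "$conf" bradyr.yosemite.cc.ca.us
rm -f "$conf"
```

On a real 12.04 desktop, point summarize_nm_dnsmasq at /run/nm-dns-dnsmasq.conf to see the same breakdown for your current connections.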

Bugs and feedback

Although we made these changes more than a month ago and have been looking pretty closely at bug reports, there may be some issues we haven’t found yet.

Issues related to resolvconf should be reported with:
ubuntu-bug resolvconf

Issues related to the dnsmasq configuration should be reported with:
ubuntu-bug network-manager

And finally, actual dnsmasq bugs and crashes should be reported with:
ubuntu-bug dnsmasq

In all cases, please try to include the following information:

  • How was your system installed (desktop, alternate, netinstall, …)?
  • Whether it’s a clean install or an upgrade?
  • Tarball of /etc/resolvconf and /run/resolvconf
  • Content of /run/nm-dns-dnsmasq.conf
  • Your /var/log/syslog
  • Your /etc/network/interfaces
  • And obviously a detailed description of your problem

About Stéphane Graber

Project leader of Linux Containers, Linux hacker, Ubuntu core developer, conference organizer and speaker.
This entry was posted in Canonical voices, Planet Ubuntu.

243 Responses to DNS in Ubuntu 12.04

  1. Rusty says:

    Does this in any way change the existing limitation of 256 characters and six domains in the Search keyword for resolv.conf?

    The ‘limitation’ of 6 domains is not really there, but the 256 characters seems to be pretty much hard coded into the resolver process for Ubuntu. It’s not a problem in Windows. It doesn’t seem to be a problem in RedHat, but I keep running into this as a limitation that causes me problems in Ubuntu. The company I work for has merged several times in the past couple of decades, but has not merged to a single domain. Additionally within several domains there are sub domains and having the sub domain listed in resolv.conf does not ensure that a device in the domain will be resolved.

    I suspect that this will be a corner case for some time to come.

    1. resolvconf enforces the restriction of 3 DNS servers when generating /etc/resolv.conf as that’s the maximum number of entries allowed by the libc resolver.
      A quick look at the same function for search domains doesn’t show a hardcoded limitation so I believe resolvconf will add as many search domains as it receives (though it makes sure the list doesn’t contain duplicates) and lets the libc deal with it. If it turns out to be a big problem, we could probably change the logic there to write something that’s more libc-compatible.

    2. Thomas Hood says:

      No, the glibc resolver still imposes the same limits: a maximum of six domain names totaling a maximum of 255 characters (where the space characters between the names also count).

      From resolv/resolv.h:

      # define MAXDNSRCH 6 /* max # domains in search path */
      char defdname[256];
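To make the head/interface/tail assembly described in the post and the glibc limits quoted above concrete, here is an added shell example (not resolvconf’s own code) that builds a resolv.conf from a constructed tree and marks the entries glibc would silently ignore. It assumes a root directory argument containing resolv.conf.d/{head,tail} and interface/* files, reads interface records in lexical order rather than via interface-order(5), and treats “domain” lines as search entries.

```shell
#!/bin/sh
# Added example, not resolvconf's own code. Assembles a resolv.conf from
#   ROOT/resolv.conf.d/head, ROOT/interface/* (lexical order), ROOT/resolv.conf.d/tail
# and applies the glibc caps quoted in the thread: MAXNS=3 nameservers,
# MAXDNSRCH=6 search domains, 255 characters for the whole search list.

MAXNS=3
MAXDNSRCH=6
MAXSEARCHLEN=255

# build_resolv_conf ROOT: print the generated file on stdout; entries glibc
# would ignore are emitted as comments so the operator can see what was dropped.
build_resolv_conf() {
    root="$1"
    {
        if [ -f "$root/resolv.conf.d/head" ]; then cat "$root/resolv.conf.d/head"; fi
        for f in "$root"/interface/*; do
            if [ -f "$f" ]; then cat "$f"; fi
        done
        if [ -f "$root/resolv.conf.d/tail" ]; then cat "$root/resolv.conf.d/tail"; fi
    } | awk -v maxns="$MAXNS" -v maxsearch="$MAXDNSRCH" -v maxlen="$MAXSEARCHLEN" '
        # nameservers in order of first appearance, duplicates dropped
        $1 == "nameserver" { if (!seen_ns[$2]++) ns[nns++] = $2; next }
        # "domain" and "search" both feed one search list, duplicates dropped
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (!seen_dom[$i]++) dom[ndom++] = $i
            next
        }
        $1 == "options" { opts[nopts++] = $0; next }
        END {
            print "# resolv.conf(5) generated by the example script; do not edit by hand"
            for (i = 0; i < nns; i++) {
                if (i < maxns) { print "nameserver " ns[i] }
                else { print "# ignored by glibc (MAXNS=" maxns "): nameserver " ns[i] }
            }
            line = "search"
            for (i = 0; i < ndom; i++) {
                if (i < maxsearch) { line = line " " dom[i] }
                else { print "# ignored by glibc (MAXDNSRCH=" maxsearch "): " dom[i] }
            }
            if (ndom > 0) print line
            if (length(line) - 7 > maxlen) print "# warning: search list longer than " maxlen " characters; glibc truncates it"
            for (i = 0; i < nopts; i++) print opts[i]
        }'
}

# make_sample_tree DIR: constructed input modelled on the thread: a head file
# pinning a local server, a NetworkManager record, a VPN tun0 record, a tail.
make_sample_tree() {
    mkdir -p "$1/resolv.conf.d" "$1/interface"
    printf 'nameserver 127.0.0.1\n' > "$1/resolv.conf.d/head"
    printf 'nameserver 192.168.1.10\nnameserver 75.75.75.75\nsearch bradynet.local\n' \
        > "$1/interface/NetworkManager"
    printf 'nameserver 10.150.8.1\nnameserver 10.150.8.2\nsearch c-compsci.local yosemite.cc.ca.us\n' \
        > "$1/interface/tun0"
    printf 'search bradynet.local\noptions timeout:2\n' > "$1/resolv.conf.d/tail"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
build_resolv_conf "$tree"
rm -rf "$tree"
```

The sample reproduces the VPN case from the comments: the two tun0 nameservers arrive after three local ones and are therefore beyond the libc limit, while the duplicate search domain in tail is merged rather than repeated.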

  2. Mackenzie says:

    Finally! I made this change on my systems years ago, to make DNS & VPNs play more nicely together.

  3. When (in a few months) I upgrade an Ubuntu server from 10.04 to 12.04 using sudo do-release-upgrade, will I need to move my DNS configuration from /etc/resolv.conf to /etc/network/interfaces by hand (assuming I remember to do that), or will the upgrade script do that for me?

    1. There’s logic in place in resolvconf’s postinst to detect cases where the user manually modified /etc/resolv.conf and automatically make the “tail” file link to the “original” file which should give you working DNS resolution.

      It’s obviously not as good as having the right entries magically appear in /etc/network/interfaces but the result should be the same without the need for configuration file handling magic.

      1. Willie says:

        Just upgraded to 12.04 today and had manually added nameservers in /etc/resolv.conf. I have a static IP. It did not put them automatically in the tail file, nor did it add them to /etc/network/interfaces.

        1. Duke says:

          I can’t connect via VPN anymore either. Any handholding instructions on how to add the relevant configurations to the interfaces file?

          1. Thomas Hood says:

            @Duke: You shouldn’t have to do any manual configuration of nameserver information for VPN connections since the local VPN client should transmit that information directly to resolvconf.

            If you have general questions about configuring VPN that aren’t answered in documentation, please find a VPN-related forum and ask your question there.

  4. Simon Davy says:

    Hey

    Will there be a way to enable caching in the default dnsmasq for those that want to?

    1. Thomas Hood says:

      You can do that in Ubuntu 12.10 but not in Ubuntu 12.04.

      You do it by adding a file to /etc/NetworkManager/dnsmasq.d/ containing dnsmasq options.

  5. Mika Suomalainen says:

    I don’t understand one thing about dnsmasq coming by default.

    Does the dnsmasq use same default config by default in Ubuntu 12.04, which you get by installing dnsmasq manually? I mean that by default dnsmasq allows everyone to use your dnsmasq instance DNS server. Or is ufw finally configured to block all incoming connections by default?

  6. Mathieu Trudel says:

    Simon; right now there isn’t really a way to enable the caching in dnsmasq as spawned by NetworkManager, since that appears to be using some hard-coded parameters in NetworkManager when starting dnsmasq. We might look into this; but there’s at least one bug open in Launchpad about it.

    Mika; no, it’s configuration that is generated by NetworkManager and really only meant to be used as a local resolver. As such, it also only listens on 127.0.0.1, which should make it impossible to access from external systems.

  7. BigWhale says:

    A question! 🙂 How is /etc/hosts affected by this?

    My /etc/hosts is changed quite often because of all the development work I do. Today I noticed that a certain domain was resolving to 127.0.0.1 because of /etc/hosts entry. After I changed my hosts entry it was still resolving to localhost, I was testing this with dig and different browsers. The relevant line in nsswitch.conf is as it should be, files is the first parameter for resolving hosts.

    After I disconnected from my wireless network and reconnected the domain in question was resolved correctly.

    Any hints and ideas are welcome. 🙂

    1. dnsmasq is trying to be clever and actually uses /etc/hosts as a source for the resolver…

      I think we should be using:
      -h, --no-hosts  Do NOT load /etc/hosts file.

      To avoid that specific problem and let the standard nss stack do its job.

      1. Mathieu Trudel says:

        Agree, that’s probably best, especially since normally host files should be read before the libc resolver tries to speak to dnsmasq.

        1. Tweeks says:

          No. The order of what gets referenced is controlled by /etc/nsswitch.conf. You all need to RTFM before proposing system wide changes. You’re breaking decades worth of best practices with your assumptions.

  8. mathew says:

    If you haven’t already considered it, I’d strongly suggest looking at unbound as an alternative to dnsmasq. I would have problems with dnsmasq caching negative records and failing to notice VPN connections going up and down; unbound has worked much better for me under those circumstances, and requires far less configuration.

    1. I’m actually a huge unbound fan myself, using it for years on all my servers as a local resolver and cache.

      The decision to use dnsmasq instead of unbound was the lack of unbound support in Network Manager and the fact that Ubuntu desktop was already shipping dnsmasq as dhcp server/dns server for internet connection sharing.
      As for the issues you mentioned, these won’t be a problem in our case as dnsmasq isn’t configured to do caching and Network Manager re-generates dnsmasq’s config and respawns it every time one of the connections changes.

      1. Phil Howard says:

        I’ve been using UNBOUND as my resolver for several months on my 11.04-based server. I’ve found ONE domain name that won’t resolve through it (BIND9 works). Looking more closely, queries are sent to that domain’s authoritative servers, but no answer is received. I have not tested dnsmasq, but I will have it there ready to test when I stabilize my 12.04 testing.

        The domain is ftc.gov, querying http://www.ftc.gov.

        1. http://www.ftc.gov works fine here on a 12.04 system with the local dnsmasq server talking to another 12.04 system running unbound.

          I’m using the following config on the unbound side:
          remote-control:
          control-enable: yes

          server:
          verbosity: 0
          num-threads: 3
          interface: 0.0.0.0
          interface: ::
          port: 53
          do-ip4: yes
          do-ip6: yes
          do-udp: yes
          do-tcp: yes
          do-daemonize: yes

          access-control: 0.0.0.0/0 allow
          access-control: ::/0 allow

          # Enable statistics for the munin plugin
          extended-statistics: yes
          statistics-interval: 0
          statistics-cumulative: no

          # DNSSEC
          auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
          dlv-anchor: "dlv.isc.org. DS 19297 5 1 7D480DBEF530374D8A4333FCB22106EB10013B46"

          and to keep the dnssec anchors up to date:
          #!/bin/sh
          mkdir -p /etc/unbound/dnssec
          chown unbound.unbound /etc/unbound/dnssec
          sudo -u unbound unbound-anchor -a /etc/unbound/dnssec/root.key

          Hope this helps!

  9. Alkis Georgopoulos says:

    If I’m already using dnsmasq as a caching DNS and as DHCP/TFTP server, what should I do to ‘merge’ the two configurations, the new one and mine?
    Wouldn’t that be easier if network-manager was using an /etc/dnsmasq.d/configuration.file instead of a hardcoded command line?

    If the only way to have dnsmasq running as a caching DNS+DHCP+TFTP server is to disable the new configuration, is there any way for a package.postinst to do that? Commenting out #dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf will cause prompts on conffile upgrades…

    1. Network Manager only binds 127.0.0.1, so you should be able to have yours bind either only an external IP or another 127.0.0.0/8 IP.
      There isn’t a programmatic way of disabling dnsmasq that I know of, but Mathieu might know one. Thankfully /etc/NetworkManager/NetworkManager.conf pretty much never changes, so the risk of a prompt on upgrades should be pretty low, at least during the lifetime of 12.04; upgrading to 12.10 might cause a prompt.

      I believe the reason we don’t use /etc/dnsmasq.d is that it’s part of the full dnsmasq server package that ships the init script. We just want dnsmasq running if Network Manager needs it, we definitely don’t want to end up shipping a full DNS server on all machines started even without network.
      However there’s definitely room for improvement there as we now have Network Manager, libvirt, LXC and probably others each running their own dnsmasq on their own network, causing me to have 10 of them running at the moment for example 😉

  10. marc says:

    I’m actually trying to be as wise as I can, but I am NOT able to find a way to configure dnsmasq in Ubuntu 12.04. Where can I put dnsmasq settings, like “address=/somedomain.com/127.0.0.2” ?

    I understand you want to make things SIMPLE, but it actually gets pretty tough now.

    1. Unless this domain comes from a VPN, I don’t think Network Manager can be told to add that line. I might be wrong though, Mathieu could confirm.
      In your case you could set 127.0.0.2 as DNS server in Network Manager or turn off dnsmasq in Network Manager and use your own manually configured dnsmasq server.

      1. marc says:

        Thank you for your response,

        I am actually using dnsmasq in a non-standard, “hackish” way to block some local domains/attackers – I simply tell dnsmasq to redirect every “bad” domain query to “localhost”. May I say I pretty much rely on this option and I would be quite disappointed to lose it in upcoming 12.04 [which – BTW – I find very good].
        I suspect that additional dnsmasq options are beyond the scope of your work, but it would be nice if you could just pass dnsmasq options in a clear and simple way [hardcoding it makes my life much tougher as I’ve already said].

        I truly believe in your good intentions and I hope you’ll eventually come up with some simple, yet effective way of handling this problem

        Best regards!

        1. You could have these entries in /etc/hosts instead of in a local dnsmasq server; these would be used by nss when resolving the domain and so should work just fine for your use case.

          1. marc says:

            Well, that’s where my rant comes from, and that’s why I came up with this dnsmasq method eventually. You see, /etc/hosts doesn’t block whole domains with subdomains AT ALL. It actually blocks only the top domain, say – stgraber.org, but none of the subdomains, like – say – cdn.stgraber.org, anythingelse.stgraber.org. So you would actually end up filling /etc/hosts with a literally ENDLESS list of always changing hosts … while dnsmasq can make it work with JUST ONE line.
            So – /etc/hosts? Been there, done that. This has definitely not proven itself a good blocking mechanism. In fact, it is constantly showing its flaws on the MAC/WIN/LIN lands.

            I am still hoping for you to understand and acknowledge the issue.

            Please feel free to contact me if you have any questions regarding this problem. I will happily explain this in detail if that would be your wish.
            I really do care and hope for this to be solved on the arrival of 12.04 and I just don’t want to break the whole system and add some dirty little hacks to make it work as it should work.
            And I’ll be completely honest with you: while I understand why you came up with this shared DNS mechanism method in the first place, I also see how this would break other things eventually … And I do hope you too can realize this.

            Regards

  11. Neal Gamradt says:

    I have noticed over the weekend that any entry I put into /etc/hosts is immediately wiped out when I reboot. It sounds like this is probably related to the dnsmasq issue discussed in this article, is that correct? Someone pointed me to this article based on a question that I asked on LaunchPad:

    https://answers.launchpad.net/ubuntu/+source/network-manager/+question/191063

    If this is the same issue, is there any good work-around at the moment? I am happy with 12.04 overall, but this could end up being a big problem if there ends up being no good way to add these entries. I am currently not familiar with the dnsmasq tool. I thank you in advance for any advice or feedback.

  12. Tim says:

    @marc
    Just disable the dnsmasq instance started by NetworkManager (see ‘I really don’t want a local resolver, how can I turn it off?’ on this page) and continue using your custom dnsmasq config same as before.

  13. Phil Howard says:

    Some of our servers need to have X Windows running (blindly … no one is looking … a critical app just needs for it to be there for a window it wants to leave open, and other ways to use X (networked, VNC) cause the app to run slower). We also run our server network statically, but there is a DHCP server on that network for transient laptop usage. I need to prevent the servers from trying to get a DHCP address (because it can succeed and tends to mess up the existing network config of many IP addresses). The solution I use is to uninstall network-manager.

    Do you know how the absence of network-manager would affect this new dnsmasq setup? I’d rather avoid taking it out if it will work OK. The LAN has DNS servers, but without DHCP happening, I have to hard code those and have done so in /etc/resolv.conf. Should I add them somewhere else? It would be best to have dnsmasq forward to the main DNS cache servers.

    1. If the network card is configured in /etc/network/interfaces Network Manager won’t try to manage it. If it still does, then it’s a pretty serious bug we need to fix ASAP.

      Alternatively you can setup your static configuration directly in Network Manager, but it’s a bit less convenient to update from the command line.

      You probably could also run that specific software using xvfb and its “xvfb-run” wrapper, allowing the software to see and interact with an X server without actually starting X (and all its dependencies).

      The local dnsmasq is spawned by Network Manager, so if you uninstall it or disable it (by defining the interface in /etc/network/interfaces), the local dnsmasq server won’t start and your /etc/resolv.conf will point directly to your upstream DNS servers.

      1. Phil Howard says:

        It’s been a while since I set those servers up. I believe it was related to the fact that I was using alias interfaces for IPv4 (e.g. “eth0:1” and such), but referenced them outside of /etc/network/interfaces (e.g. I wrote my own script to add additional IP addresses). This was because if you configured multiple IP addresses as alias interfaces in /etc/network/interfaces all network daemons would be rapidly started, shutdown, and restarted, over and over and over, for each IP address. Many wouldn’t get back up after that (SSH was one that had trouble with it). For that reason, and for the reason of it being a pain to manage hard coded alias interface names, I wrote my own script to add all the IP addresses with dynamically numbered aliases.

        I suspect the creation of the interface may have tempted network manager to manage it. That’s confirmed by what you say, since these interface names were not literally in /etc/network/interfaces.

        Fortunately IPv6 doesn’t need that alias interface insanity. You can just do “ifconfig eth0 add fc00::1234/64” or whatever, and you’re done.

        I suspect xvfb-run might not work because we actually run about 12 instances of the app per machine, each with a window on X (we’re doing it now via one instance of tightvncserver).

  14. Ryan Brady says:

    Thanks for this post, it helps me understand why DNS name resolution is broken in 12.04 after connecting to a VPN (using 12.04 install, using gnome-shell 3.4 and VPNC or OpenConnect).

    What appears to be happening is after I successfully connect to my work’s VPN, what happens is the DNS servers and search domains are *appended* to the existing resolv.conf instead of *replacing* my local DNS and search domain information.

    Let me explain further:

    Here’s from my “normal” resolv.conf (I disabled dnsmasq) showing my local info:

    nameserver 192.168.1.10
    nameserver 75.75.75.75
    search bradynet.local

    Here it is after connecting to VPN:

    nameserver 192.168.1.10
    nameserver 75.75.75.75
    nameserver 10.150.8.1
    search bradynet.local, c-compsci.local, yosemite.cc.ca.us

    Not only is it appending the information, but it’s limited to 3 nameservers, so it never adds the 2nd VPN nameserver.

    When I connect to VPN I want the newly generated resolv.conf to *replace* the nameserver and search domains with the ones from the VPN. With it appending as it is currently, DNS name resolution is 100% broken. I can ping IP addresses just fine.

    Not sure if this is a bug or a setting that I am overlooking. Of course it worked beautifully in Ubuntu 11.10.

    -Ryan
    bradyrtech@gmail.com

    1. In your case, I’d strongly recommend using Network Manager with the built-in dnsmasq. It’ll take care of configuring dnsmasq so that all queries to the domains/subnets provided by your VPN are sent to DNS servers from the VPN.

      When connecting without Network Manager, it’s vpnc/openconnect’s job to tell resolvconf to prepend the information instead of appending, if they fail to do so, then you get the result above. I’d suggest filing bug reports against these.

      As for the limit of 3 nameserver in /etc/resolv.conf, that’s the libc limit that has always been around. Any extra nameserver is simply ignored and always was.

      1. Ryan Brady says:

        Actually I was using network-manager, though without dnsmasq, for vpnc and openconnect and it was appending the DNS servers and search domains to resolv.conf instead of replacing it. This caused DNS name lookup failure while connected to my VPN.

        I did just revert back and re-enabled dnsmasq so that all DNS lookups would go through 127.0.0.1, connected to the VPN (using network-manager) and it still fails hostname resolution. If I provide the FQDN (i.e. bradyr.yosemite.cc.ca.us instead of “bradyr”) it will resolve and will continue resolving the non-FQDN host names (bradyr) for a few moments, then it will fail to do look-ups again.

        Honestly, for my scenario, I’ll probably have to scrap dnsmasq (I prefer to point to my ubuntu server running bind9 as a caching server, etc, anyways) and scrap resolvconf (remove the symlink) and see if I can basically make it work like it did in 11.10, where VPNC (managed by network manager) will actually replace the resolv.conf file instead of append to it and then subsequently cause DNS lookups to fail.

        oh well. I consider it a learning experience though.

        -ryan

        1. Ryan Brady says:

          Just one last comment. Is it correct behaviour that when connecting to a VPN using vpnc or openconnect (this is all while running “stock” 12.04, letting network-manager handle the connect/disconnect of vpnc/openconnect) the DNS servers and search domains are appended to the resolv.conf instead of replacing the “local” DNS/search domains?

          In every prior version of Ubuntu that I’ve used (since 9.04) and connected to the same VPN in every release, I’ve always had my local DNS servers/search domains replaced with the VPN’s DNS servers/domains so that I can do proper name lookup and resolution of machines on the other side of the VPN tunnel. This is at the cost of being able to resolve local resources on my home network (not doing split-tunneling).

          Just an observation. Maybe it’s just me, maybe it’s a bug. Either way this is a big change in 12.04 and I simply cannot be the only person experiencing this issue.

  15. Thomas Hood says:

    @Ryan: Hi.

    Combining search paths is the default behavior of resolvconf. A common scenario is that the user is at site “foo” and makes a VPN connection with openvpn over the Internet to a remote site “bar”. It then makes sense to search for short host names in both the “foo” and the “bar” domains.

    Also in this typical case, and in the absence of dnsmasq running locally, the nameserver available via the VPN interface should be listed first in /etc/resolv.conf and should be able to resolve both names on the VPN and on the Internet.

    This is how resolvconf and openvpn work now. (Just checked.)

    I don’t have any experience with openconnect and vpnc. Should things work differently when they are used instead of openvpn? Please explain.

    When NM-driven dnsmasq is run locally the question about the order of nameserver addresses in resolv.conf is moot since there is only one, 127.0.0.1.

    Thomas

    1. Ryan Brady says:

      Thomas, thank you for replying, I almost forgot about this thread.

      Anyways, long story short, the behaviour that I was experiencing after turning off local dnsmasq (and when it was enabled, too) was that whenever I would establish a VPN connection to my work’s network (cisco vpn), what would happen is the DNS servers and search domains from the VPN network would be appended to resolv.conf *after* the existing entries (my local dns server and search domain entries).

      the correct behaviour in my opinion would be that after successfully connecting to the VPN, that the VPN network should take priority and resolv.conf should be modified such that the VPN dns servers and search domains are listed first.

      I haven’t reverted back to stock configuration lately to see if anything has changed, but my solution right now is to simply replace the resolv.conf (I removed the sym-link) after establishing the VPN connection with another one that I created, and when I disconnect the VPN connection, I restore the original.

      this is extra work, and while annoying, it 100% works correctly. Previous versions of ubuntu, unless I was not using NM, I didn’t have to resort to this type of trickery. With 12.04 and the change to resolvconf, it feels like a step backwards *in my opinion and for my situation* ..

      Of course if this all winds up being a bug in vpnc and/or openconnect or resolvconf, I will gladly accept the changes and pretend there was never a problem.

      -ryan

      1. Pat says:

        Ryan,

        I am running into this same exact situation. DNS resolution worked perfect for the VPNC pre-12.04.

        Did you ever find a better resolution, or are you still messing with sym-linking to your hand-built resolv.conf?

        Pat

        1. Ryan Brady says:

          Pat, believe it or not, after fighting with hand-building my resolv.conf every time I used VPNC to establish my VPN tunnel, I just reverted everything back to “stock” configuration with resolvconf.

          After going back to stock configuration, it magically started working again. I’m thinking there must’ve been a bugfix that I missed.

          The only thing I do differently with VPNC configuration is I have it set to do automatic address only; I manually set the DNS servers.

          I also have dnsmasq disabled.

          If you can manually set your DNS servers in your vpnc configuration, see if it works properly. (After establishing the tunnel, the VPN DNS servers should take priority in resolv.conf over your local DNS servers… in my opinion.)

          -ryan

  16. Tom says:

    Great change, should make NM more robust overall.

    How does this affect unqualified hostnames? For example, if I establish a VPN connection and perform a lookup of ‘machine’, will dnsmasq look on all my networks (appending the relevant search domains) or will it stop after the first one? If it is the latter, which network will be the first one it tries – the VPN or the local net?

    1. Hi,

      The way Network Manager configures dnsmasq, dnsmasq doesn’t know about the search domains. These instead get sent to resolvconf and can be found at the usual spot in /etc/resolv.conf.
      So when resolving, the libc will iterate through the search domains as it usually does and dnsmasq will only do the resolving.

      For VPNs, I didn’t actually know if NM would do the right thing so I did a quick check.
      Network Manager asks resolvconf to add the VPN search domains first, then the local search domains to /etc/resolv.conf

      So the libc as usual will stop after the first valid DNS record but will start by trying the VPN network, which I think is the right thing to do here.

      1. Tom says:

        Makes sense, I would agree that the VPN is the best first choice for hostname lookups.

        Should an application (such as a VPN client) make manual changes to /etc/resolv.conf, would I be correct in assuming resolvconf will periodically overwrite these changes (assuming the changes end up being written to /run/resolvconf/resolv.conf)? If so, how often would it do this?

        Is there any way to intercept arbitrary changes to /etc/resolv.conf and incorporate them into /etc/resolvconf/resolv.conf.d/[head|tail] ?

        1. In theory, everything in the distro must be resolvconf-aware and won’t touch /etc/resolv.conf directly if resolvconf is enabled.

          resolvconf will regenerate /etc/resolv.conf every time something changes (interface goes up/down, dhcp changes, …) but won’t otherwise.

          As far as I know resolvconf doesn’t have any mechanism to extract manual changes happening while it’s running and I’m not sure we’d want that.
          It sounds like a much better idea to do the 2-3 line change to write to /run/resolvconf/interface/ and then call resolvconf to have it propagate the changes.
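
As an added illustration of the search-list behaviour discussed in this exchange (this is not code from the post, from glibc or from resolvconf), the POSIX shell below models the candidate names the glibc stub resolver tries for one lookup, following resolv.conf(5): only the last search/domain line counts (at most six domains); a name with fewer than ndots dots (default 1) is tried with each search domain appended and then as-is; a name with ndots or more dots is tried as-is first; a name ending in a dot is absolute. Since the resolver stops at the first answer, a VPN domain listed first in the search line wins for unqualified names. The resolv.conf in the usage note is constructed and the domains in it are placeholders.

```shell
#!/bin/sh
# Added illustration: model the candidate list the glibc stub resolver tries
# for a name, given a resolv.conf file. Not glibc or resolvconf code; it only
# follows the documented rules in resolv.conf(5).

# Effective search list: the last "search"/"domain" line wins, max 6 domains.
search_domains() {          # $1 = resolv.conf file
    awk '$1=="search"||$1=="domain"{ $1=""; list=$0 } END{ print list }' "$1" \
        | tr -s ' ' '\n' | sed '/^$/d' | head -n 6
}

# ndots from "options ndots:N", default 1 as in glibc.
ndots() {                   # $1 = resolv.conf file
    awk 'BEGIN{ n=1 }
         $1=="options"{ for(i=2;i<=NF;i++) if($i ~ /^ndots:/){ sub("ndots:","",$i); n=$i } }
         END{ print n }' "$1"
}

# Print, one per line and in order, the names the resolver would query.
search_candidates() {       # $1 = name, $2 = resolv.conf file
    name=$1; conf=$2
    [ -n "$name" ] || return 1
    case $name in
        *.) printf '%s\n' "$name"; return 0 ;;   # trailing dot: absolute, no search list
    esac
    dots=$(printf '%s' "$name" | awk -F. '{ print NF-1 }')
    n=$(ndots "$conf")
    # enough dots: try the name as given before the search list
    [ "$dots" -ge "$n" ] && printf '%s\n' "$name"
    for d in $(search_domains "$conf"); do
        printf '%s.%s\n' "$name" "$d"
    done
    # too few dots: the bare name is tried last
    [ "$dots" -lt "$n" ] && printf '%s\n' "$name"
    return 0
}

# Usage with a constructed resolv.conf (VPN domain first, as NM orders it):
#   printf 'nameserver 127.0.0.1\nsearch vpn.example lan.example\n' > /tmp/r.conf
#   search_candidates machine /tmp/r.conf
```

Run it against your own /etc/resolv.conf to see, for a given hostname, which domain is tried first; the order is the same one the libc walks through before giving up.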

  17. Thomas Hood says:

    @Ryan:

    Sorry for the delay in replying. I opted to receive e-mail notifications of replies but I didn’t get one for yours. From now on I’ll check back every day or two.

    If your problem is the order of entries in resolv.conf then this can be solved by editing /etc/resolvconf/interface-order. See interface-order(5).

    What are the names of your VPN-related network interfaces?

    1. Ryan Brady says:

      @Thomas, thanks again for the response, I’ll look at those settings after work today and see if I can make it work properly. To be honest, after my initial troubles with resolvconf and vpnc/openconnect, I (understandably) opted to disable resolvconf and just go with manually editing resolv.conf. Obviously I would like it working correctly.

      To answer your second question, the vpn interface would be tun0 (once established), assuming that’s the answer you’re looking for.

  18. Peter says:

    “The DNS configuration for a static interface should go as “dns-nameservers”, “dns-search” and “dns-domain” entries added to the interface in /etc/network/interfaces”

    Could you give an example of this? I need to add two manual entries for dns name servers on eth0. I can’t make it work
    cheers
    Peter

    1. auto eth0
      iface eth0 inet static
      address 172.17.0.10
      netmask 255.255.255.0
      gateway 172.17.0.1
      dns-nameservers 8.8.8.8 8.8.4.4
      dns-search mydomain.com google.com

      1. Peter says:

        Thanks….

  19. Nishant says:

    I updated to Pangolin yesterday, and networking does not work. DNS lookup errors pop up all the time. I have a router connected to the college network that is configured with a static IP, DNS and gateway. It worked fine with Ocelot, and my Kindle Fire still works. Even the system works with limited connectivity. Both wired and wireless connections are facing the same issue. I am willing to concede that the college network is rubbish, it is on the unreliable side of things, so something somewhere in the OS does not agree with it. Is there anything that can be done about it?

    1. From what you describe, it sounds like your college network sends you multiple DNS servers (that’s a good thing) but some of them return invalid results.
      dnsmasq tries to figure out the best DNS server, based on how quickly it gets results (as far as I know, I’m not a dnsmasq expert), so it might be that one of your DNS servers is returning bogus records causing this.

      In the past, when we were only using the libc dns resolver, it’d take the servers sequentially from /etc/resolv.conf and so assuming the first DNS server you receive is a working one, it’d always hit that one. Trying each DNS server listed in /run/nm-dns-dnsmasq.conf individually with dig should let you find the problem. You may then either complain about it to whoever is in charge of the network or just hardcode the right one in NetworkManager’s configuration.

      1. Nishant says:

        Yeah, the thing is, I managed to find out that I could fix the problem by disabling resolvconf and giving a custom resolv.conf file with the correct DNS (my router’s IP). The only trouble is, it now waits for several minutes for network configuration.
        My network admin is useless. Complaining will not help.

        1. Thomas Hood says:

          Your problem may be bug #1003842.

  20. ijk says:

    > I really don’t want resolvconf, how can I disable it?
    > I certainly wouldn’t recommend disabling resolvconf but you can do it by making /etc/resolv.conf a regular file instead of a symlink.
    > Though please note that you may then be getting inconsistent /etc/resolv.conf when multiple software are fighting to change it.

    dpkg-divert --add --rename --divert /etc/resolv.conf.ubuntu-version /etc/resolv.conf

    1. That won’t work as /etc/resolv.conf isn’t actually a conffile shipped by the resolvconf package.

      Please follow the instructions in the blog post to turn off resolvconf (make the symlink a static file).

  21. sjoerd says:

    Thanks for the post! Weird that nothing is mentioned in the upgrade notes 🙁
    Anyway on a test server it seems to work to follow your first bullet point (putting it in /etc/network/interfaces)…
    Certainly something that should be mentioned for server upgrades (or systems with static configurations)..

    1. Hmm, where wasn’t it mentioned exactly?

      I made sure to reference this blog post in the official Ubuntu release notes under Desktop and CommonInfrastructure: https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuDesktop

      If there’s anywhere else I missed, I’ll be happy to look at updating it too.

  22. sjoerd says:

    Hi Stéphane,
    Hmm there’s the problem: you refer to the desktop version, where you normally don’t even mess with /etc/resolv.conf, but the DNS change isn’t mentioned in the server release notes at:
    https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuServer

    1. What about the 4th bullet point in the Common Infrastructure section of that page?

      1. sjoerd says:

        Hmmm, missed that point indeed… searched for dns i.s.o. resolv….
        Ah well, bottom line: thanks to your posting I knew where to look, and next time maybe I’ll look better in the release notes, although I wouldn’t have expected this impact. For desktops it shouldn’t be a problem and with another server upgrade it still did work out fine. So beats me why the first server went faulty.

        1. nish says:

          That happens with me when i try to read after two beers down 🙂 jk

        2. Good point – I think others might just search for ‘dns’ after encountering a dns problem and miss that reference. Any chance of adding that helpful keyword to the release notes?

  23. Kevin Otte says:

    Any reason why we are staying with 127.0.0.1 and not moving to ::1 for the local resolver?

    1. No particular reason other than it was the default in Network Manager’s code.
      I think moving to ::1 would actually solve a few of our existing bugs where NM’s dnsmasq conflicts with an existing local resolver (unless that local resolver also binds ::1).
      Another thought was to use 127.0.1.1 or a similar non-127.0.0.1 loopback address to workaround the same problem.

      1. Kevin Otte says:

        I was reminded that using IPv6 only resolution could break a few apps with lingering legacy code. Most notable is mtr: https://bugs.launchpad.net/mtr/+bug/752583

      2. Thomas Hood says:

        See bug #959037 and in particular the comments starting with #60.

  24. murex says:

    Hello Stéphane,

    On previous Ubuntu releases I had local DNS with Bind9.
    On 12.04, it does not work because dnsmasq uses 192.168.1.1 (Box’s IP) as DNS resolver.
    I have succeeded in using Bind9 by disabling dnsmasq in: /etc/NetworkManager/NetworkManager.conf
    Is there any other way to configure it so that dnsmasq uses Bind9 as DNS resolver?

    1. There’s indeed a way of doing it though I never tried it.

      Get bind9 to listen on 127.0.5.1 for example (any non-127.0.0.1 loopback address), then in Network Manager configure your dns server to be 127.0.5.1.

      This should make your system use 127.0.0.1 (dnsmasq) as a DNS dispatcher (for split-DNS) with 127.0.5.1 as its upstream (your bind9 server) which will then do the DNS resolving and caching.

      1. murex says:

        First of all, many thanks for your answer.
        Sorry to be late, but so far I haven’t succeeded in implementing it.
        One problem is dnsmasq and Bind9 are both using port 53.

        So, I have added in /etc/bind/named.conf.options
        listen-on port 5353 { 127.0.5.1; };

        I have set Network-Manager with :
        Automatic Addresses only (DHCP) → 127.0.5.1

        Re-enabling dnsmasq in /etc/NetworkManager/NetworkManager.conf

        and reboot PC.

        I’m still looking, and reading a lot of manpages…
        If you have any idea ???
        Thanks

        1. Thomas Hood says:

          Don’t use port 5353 which is intended for multicast DNS.

          Bug #959037 deals with the same issue with respect to standalone dnsmasq and NM-controlled dnsmasq.

          Comment #67 of that bug describes one way of solving the problem in the dnsmasq case. Might give you some ideas.

  25. These changes are nice and good, but there’s a huge argument to be made for manual hooks to add lines to the generated dnsmasq.conf. The VPN I use for work (in split-horizon configuration) announces one domain, which ends up in the generated config as:

    server=/private.domain/private.dnsserver

    However, this is not the only DNS domain I need to look up through the private DNS. “Tell my employer to fix it” isn’t an acceptable option, as this worked previously thanks to the private DNS server previously (pre-12.04) coming *first* in the resolver list.

    So… where can I specify the extra domains that should go through that server?

    This is probably a trick question, as I’m fairly certain there is no such place. And that’s the problem: no override capabilities. 100% hardcoding of configuration is a Bad Thing.

    1. Network Manager could do with some more configuration around the DNS resolver features indeed.

      In your case, I’d expect that changing the VPN configuration from “Automatic (VPN)” to “Automatic (VPN) addresses only”, and then filling the “DNS servers” and “Search domains” fields with the right values, should work.
      Connecting should then generate the right dnsmasq configuration file.

  26. nish says:

    I am using a proprietary VPN that uses the tun kernel netdev.
    Question is: is it a good idea to just “echo “customDNS” and “127.0.0.1” | resolvconf -a [name]” and “resolvconf -d” after the connection is over?
    (commands used are not exact).

    Also what’s the order in which domains are searched? That is, when I add a custom dns suffix as well along with customDNS.
    For example /etc/resolv.conf (it’s a link as per resolvconf) looks like this after changes made to it:
    search customDNSSuffix
    nameserver customDNS
    nameserver 127.0.0.1

    Also does the resolver library in libc continue to find the dns name if it couldn’t be found with customDNSSuffix in the customDNS server?

    1. Thomas Hood says:

      The VPN daemon should indeed register search domain names and nameserver addresses with resolvconf after connection and de-register them after disconnection.

      The record name used for the registration should have a higher priority than “eth0” as determined by /etc/resolvconf/interface-order.

  27. Tobias says:

    I have a similar problem as Nishant. Since I’ve changed to Precise, I experience massive DNS problems. This happens on an upgraded system (formerly Oneiric) as well as on a new installation (both are Desktop edition). I’ve tried a couple of angles and introduced additional nameservers to my wireless connection, but my resolv.conf still shows 127.0.0.1 as the only nameserver, and any lookup that doesn’t specifically use a different nameserver will almost always time out (at least 9 times out of 10). Something like “dig @8.8.8.8 stgraber.org” works, but I want DNS to work every time and not only on special occasions. Any help is appreciated.

    1. We have a known race condition where in some rare cases (though on affected systems this is very reproducible), dnsmasq fails to bind 127.0.0.1 at boot time.

      To check if you’re affected, simply get Network Manager to reconnect on your network after boot. If that fixes DNS resolving, then that’s our bug.

      This bug is high on the priority list and we’re hoping to have a fix land in the next couple of weeks.
      https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/993379

      Until then, you can either use the trick I just described (re-select the network in the applet, causing a reconnection) or disable dnsmasq as described in the blog post. (All that assuming, you’re indeed hitting that bug).

      1. Tobias says:

        Thanks for the quick reply, Stéphane. Reconnecting didn’t change anything, DNS still worked on rare occasions but by far not as it should. But disabling dnsmasq did the trick, I now have working DNS again.
        I’m not sure if the bug you describe fits my situation, though. You made it clear that reconnecting should work as well, which it didn’t.

    2. Thomas Hood says:

      Could be bug #1003842.

  28. Dan says:

    A very stupid question. I am no programmer so no good at handling scripts etc., and for a regular person who has nothing to do with programming, the “To turn off dnsmasq in Network Manager, you need to edit /etc/NetworkManager/NetworkManager.conf and comment the “dns=dnsmasq” line then do a “sudo restart network-manager”” leaves one major question: comment the “dns=dnsmasq”? How should it be commented? I mean what should be written and changed in the “dns=dnsmasq”?

    Thank you for your help!

    1. The configuration file is in “ini” format, so putting a # in front of dns=dnsmasq will comment it.

      1. Dan says:

        Thank you! 🙂

      2. Thomas Hood says:

        Stéphane: Shouldn’t there be a GUI way to disable dns=dnsmasq mode?

  29. Marcus Moeller says:

    I need to deploy a custom resolv.conf, as our dhcp server delivers the wrong settings for our requirements.

    Right now, I have added the necessary settings to the ‘head’ file, but this leads to duplicate entries.

    Is there a way to force pre-defined content?

    1. I see two options here:
      – Set the IP as a dhcp append or dhcp override in /etc/dhcp/dhclient.conf, this should do what you want without actually messing with resolvconf
      – Remove the /etc/resolv.conf symlink and replace it by a standard /etc/resolv.conf file with the usual content

    2. Thomas Hood says:

      If you put the entries in /etc/resolvconf/resolv.conf.d/base then they will be de-duplicated before they are included in the dynamic resolv.conf file. They will also be subjected to reordering according to interface-order(5).
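
Thomas Hood’s remarks about interface-order(5) (here, in his reply to Ryan under comment 17 and to nish under 26) are easier to follow with a model of the merge step. The shell below is an added illustration, not resolvconf’s own script: it takes a directory of records in resolv.conf format named `<interface>.<program>` (as under /run/resolvconf/interface/), lists them in the order given by a pattern list that stands in for /etc/resolvconf/interface-order (the list used here is a shortened assumption; read interface-order(5) for the real one), de-duplicates nameservers and search domains, and falls back to a base file when no record exists. The caps of three nameservers and six search domains are glibc’s own resolv.conf(5) limits, applied here so the output shows what the resolver will actually use; whether resolvconf itself truncates is not claimed. Record names and addresses in the usage note are constructed.

```shell
#!/bin/sh
# Added illustration, not resolvconf's code: a cut-down model of how records
# under /run/resolvconf/interface/ are merged into resolv.conf, to show why
# interface-order(5) decides whose nameservers come first.

# Assumed, shortened stand-in for /etc/resolvconf/interface-order: earlier
# pattern wins, so loopback records beat tun*, which beat eth*/wlan*.
ORDER='lo.inet lo.* lo tun* tap* eth* wlan* *'

# Print record file names in interface-order, each at most once.
ordered_records() {      # $1 = directory with records
    dir=$1; seen=' '; names=$(ls "$dir" 2>/dev/null)
    set -f               # patterns must not be expanded against the CWD
    for pat in $ORDER; do
        for name in $names; do
            case " $seen " in *" $name "*) continue ;; esac
            case $name in $pat) printf '%s\n' "$name"; seen="$seen $name" ;; esac
        done
    done
    set +f
}

# Merge in that order: nameservers de-duplicated (max 3, MAXNS in glibc),
# search domains de-duplicated (max 6); no records at all -> base file.
merge_resolv_conf() {    # $1 = record dir, $2 = base file (optional)
    dir=$1; base=${2:-/dev/null}
    files=$(ordered_records "$dir")
    if [ -z "$files" ]; then
        [ -f "$base" ] && cat "$base"
        return 0
    fi
    for n in $files; do cat "$dir/$n"; done | awk '
        $1=="nameserver" && !ns[$2]++ && nns<3 { nns++; out=out "nameserver " $2 "\n" }
        $1=="search" || $1=="domain" {
            for (i=2; i<=NF; i++) if (!sd[$i]++ && nsd<6) { nsd++; s=s " " $i }
        }
        END { printf "%s", out; if (s!="") print "search" s }'
}

# Usage with constructed records (tun0.vpn registered by a VPN hook,
# eth0.dhclient by the DHCP client, lo.dnsmasq by a local resolver):
#   mkdir -p /tmp/iface
#   printf 'nameserver 192.168.1.1\nsearch lan.example\n' > /tmp/iface/eth0.dhclient
#   printf 'nameserver 10.0.0.53\nsearch hq.example\n'    > /tmp/iface/tun0.vpn
#   printf 'nameserver 127.0.0.1\n'                       > /tmp/iface/lo.dnsmasq
#   merge_resolv_conf /tmp/iface
```

Point it at the real /run/resolvconf/interface/ on a 12.04 box and compare with /etc/resolv.conf: if your VPN’s nameservers come out below eth0’s, the record name the VPN client chose is sorting late and interface-order(5) is where to fix that.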

  30. Chris says:

    I recently upgraded to 12.04, and now Ubuntu does not correctly read the domain/search/nameserver values from my brand-new Cisco/Linksys router, meaning I can’t resolve any internal domain names, although I still seem able to resolve external domain names.

    Everything had worked perfectly in 11.10/10.04.

    Is this a bug or does Ubuntu now need some sort of special configuration just to work with standard network routers?

    1. Thomas Hood says:

      Although the nameserver information no longer appears in /etc/resolv.conf it probably does appear in /var/run/nm-dns-dnsmasq.conf. Does it?

      If the information does appear in /var/run/nm-dns-dnsmasq.conf and you can’t resolve names then that’s a bug. As a workaround try commenting out “dns=dnsmasq” in /etc/NetworkManager/NetworkManager.conf.

      Could be bug #1003842.
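
Stéphane’s suggestion under comment 19 (query each server listed in /run/nm-dns-dnsmasq.conf individually with dig) and Thomas Hood’s question here (does the nameserver information appear in that file at all?) both come down to reading the dnsmasq configuration NetworkManager generates. The shell below is an added example, not from the post or from NetworkManager: parse_servers pulls every `server=` line out of a dnsmasq-style file, including the `server=/domain/address` split-DNS form and an optional `#port` suffix, and probe_servers queries each upstream directly with dig so that one returning nothing stands out. The config in the usage note is constructed; the probe name and dig timeouts are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: list the upstreams NetworkManager hands to
# its dnsmasq (/run/nm-dns-dnsmasq.conf; /var/run is the same file) and test
# each one directly. dnsmasq "server=" syntax: "server=1.2.3.4" (global),
# "server=/example.org/10.0.0.1" (only for that domain), optional "#port".

# Print "domain address port" per usable server line; "-" = global upstream.
# Only the first domain of a multi-domain "server=/a/b/addr" line is kept.
parse_servers() {     # $1 = dnsmasq-style config file
    sed -n 's/^server=//p' "$1" | while IFS= read -r spec; do
        domain=-
        case $spec in
            /*) domain=${spec#/}; domain=${domain%%/*}; spec=${spec#/*/} ;;
        esac
        port=53
        case $spec in *\#*) port=${spec##*#}; spec=${spec%#*} ;; esac
        # "server=/never.example/" (empty address) means "do not forward": skip
        [ -n "$spec" ] && printf '%s %s %s\n' "$domain" "$spec" "$port"
    done
}

# Ask each upstream for a name it should answer: its own domain for scoped
# servers, the given public name for global ones. Timeouts are assumptions.
probe_servers() {     # $1 = config file, $2 = name to ask global upstreams
    parse_servers "$1" | while read -r domain addr port; do
        name=$2
        [ "$domain" != - ] && name=$domain
        count=$(dig +time=2 +tries=1 +short @"$addr" -p "$port" "$name" A 2>/dev/null \
                | grep -c . || true)
        if [ "$count" -gt 0 ]; then status=OK; else status=FAIL; fi
        printf '%-4s %s:%s (%s) -> %s answers\n' "$status" "$addr" "$port" "$name" "$count"
    done
}

# Usage (constructed file; on a real box use /run/nm-dns-dnsmasq.conf):
#   printf 'server=192.168.1.1\nserver=/private.domain/10.0.0.53\n' > /tmp/nm.conf
#   probe_servers /tmp/nm.conf www.ubuntu.com
```

A FAIL for a global upstream explains the symptoms Nishant and Chris describe, since dnsmasq will keep trying the servers it was given; a FAIL for a scoped one means the VPN’s split-DNS entry is pointing at a server that cannot answer for that domain.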

  31. Daniele says:

    Hello there,

    I upgraded a few days ago to kubuntu 12.04. I need many different VPN connections: the connection works smoothly but resolution for internal names no, for none of those.

    I had a look at syslog and /run/nm-dns-dnsmasq.conf: the issue is the VPN provider doesn’t properly publish the list of internal domains to resolve through the VPN, probably because they rely on the fact that the CISCO vpn client always places the internal VPN dns server first so it doesn’t matter. But with the new logic, it does matter: queries for internal names are sent to the main DNS that of course doesn’t know about them.

    The workaround I found with kde-network-manager is to manually specify both DNS servers and domains. This worked fine! The issue here is you need to have a look at syslog to understand which DNS is provided by the VPN and then manually place it in the VPN config.

    It would be nice to have the possibility to just add internal domains manually without having to specify DNS server names, but this may be something that is more related to KDE enhancement.

    Daniele.

    1. Another suggestion we discussed at the Ubuntu Developer Summit last week was to add a checkbox in the Network Manager UI to force it to route all DNS queries over the VPN (but without requiring you to also route the actual traffic).

    2. Thomas Hood says:

      You have hit bug #1003842. The workaround is to comment out the line “dns=dnsmasq” in /etc/NetworkManager/NetworkManager.conf.

  32. sam says:

    I upgraded today from mint 12 to mint 13 RC. (based on ubuntu 12.04)
    Everything went perfect, but… one new problem came up.

    I have installed virtualbox and run a windows xp inside.
    No way to get the internet running again. I think I need to downgrade back to mint 12.

  33. asb says:

    Updated today to “Precise” and immediately lost any capability for DNS resolution. Very simple setup – one network interface, static IP address, local nameserver, followed this article’s instructions – no luck.

    Ubuntu 12.04 = no networking. That’s real progress 🙁

    1. @asb you might have hit the rare race condition bug that
      Stéphane noted before: “Network Manager starts before the loopback device is ready, leading to dnsmasq not listening on any interface, breaking DNS resolution”
      https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/993379

      A fix was released on June 1 – can you check whether that resolved your problem? Thanks.

    2. Thomas Hood says:

      The local nameserver address probably has to be added to a “dns-nameservers” line in /etc/network/interfaces.

  34. TheOldFellow says:

    How do I turn Caching back on? I don’t use VPN, and the system has only one user, me. There are very good reasons for wanting a caching DNSmasq.
    Thanks.

    1. Thomas Hood says:

      What would you say to running the traditional dnsmasq server and having it forward queries to the NM-controlled dnsmasq process? (Currently not possible — see bug #959037.) The traditional standalone dnsmasq server does caching.

    1. Thomas Hood says:

      Looks like bug #694425.

    2. Thomas Hood says:

      I just posted an answer to the askubuntu question you referred to. HTH.

  35. Brian Marks says:

    Upgraded from 11.10 to 12.04. VPN hosts no longer resolve to IP addr when connected to VPN. I can use the linux ‘host’ command and specify the VPN dns server and resolution works. VPN hosts were always resolved correctly under 11.10.

    I have reviewed the resolv.conf file before and after connecting and the problem appears to be that the VPN DNS servers are not getting added to the file although search domains are getting added. The VPN settings are specified as automatic vpn addresses only through network manager ui. DNS servers and search domains are both entered as comma-delimited entries into the ui settings. If I add the nameserver entries manually to resolv.conf and test host command in term then it works. Of course resolv.conf is overwritten by network manager later.

    I can hard-code the entries in head of /etc/resolvconf/resolv.conf.d/ directory but this is probably not a good long-term solution. Is this a bug in dnsmasq or resolvconf or do I have a broken component in my system? dnsmasq v2.59-4 and resolvconf 1.63ubuntu14 shows installed via synaptic.

    The problem is also documented in https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/994575.

    1. Thomas Hood says:

      I have replied to your bug report at bug report #994575. We can continue to discuss your case there.

  36. Gonzalo says:

    I would like to turn on the local cache, where can I do that?

    1. Thomas Hood says:

      It is on by default in a fresh install of Ubuntu 12.04 Desktop.

      It is enabled if there is a line “dns=dnsmasq” in /etc/NetworkManager/NetworkManager.conf.

  37. Tim Riker says:

    If a command line vpn script wants to add dns servers and/or search paths to dnsmasq, how should it do this? Passing arguments to resolvconf does NOT seem to affect dnsmasq. I would think that this should take effect. Can we get resolvconf updated such that it affects the network-manager dnsmasq if one is configured?

    1. Thomas Hood says:

      The command-line VPN configurer should call resolvconf to register and deregister nameserver information. See resolvconf(8). The registered information will be included in resolv.conf but will not affect NetworkManager or its slave dnsmasq process at all.
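
What the registration Thomas Hood describes looks like in practice (Stéphane gave the same advice under comment 16: write a record and call resolvconf rather than editing /etc/resolv.conf, and nish asked the same question under 26) is shown below. This is an added example of a VPN up/down hook, not code from the post or from any VPN client: resolvconf -a reads a record in resolv.conf format on stdin, resolvconf -d removes it, and the record name (tun0.vpn here, an assumption) matters only for ordering through interface-order(5). The same -a/-d pair is what a local nameserver’s init script uses to register 127.0.0.1 under a lo.<program> record. The nameserver and domain values in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the post or any VPN client: the hook a command-line
# VPN client should run after connecting and before disconnecting, so its DNS
# settings go through resolvconf(8) instead of into /etc/resolv.conf directly.
# Assumed record name: tun0.vpn (tunnel interface tun0). Any name works; it
# only decides ordering via /etc/resolvconf/interface-order.
set -u

RECORD=${RECORD:-tun0.vpn}

# Build the record: one "nameserver" line per address in $1 (space separated)
# and a single "search" line from $2 (may be empty). Fails on anything that is
# not an address-looking token so a bad push from the VPN server cannot turn
# into an odd record; the check is deliberately coarse (IPv4/IPv6 characters).
build_record() {
    ns_list=$1; domains=${2:-}
    for ns in $ns_list; do
        case $ns in
            *[!0-9.:a-fA-F]*|"") echo "bad nameserver: $ns" >&2; return 1 ;;
        esac
        printf 'nameserver %s\n' "$ns"
    done
    [ -n "$domains" ] && printf 'search %s\n' "$domains"
    return 0
}

# Register: build the whole record first, so a rejected address never leaves
# a partial record registered.
vpn_up() {      # $1 = nameservers, $2 = search domains
    rec=$(build_record "$1" "${2:-}") || return 1
    printf '%s\n' "$rec" | resolvconf -a "$RECORD"
}

# Deregister: resolvconf regenerates /etc/resolv.conf without the record.
vpn_down() {
    resolvconf -d "$RECORD"
}

# Usage (constructed values):
#   sh vpn-dns-hook.sh up "10.73.158.106 10.73.158.107" "hq.example"
#   sh vpn-dns-hook.sh down
case ${1:-} in
    up)   vpn_up "$2" "${3:-}" ;;
    down) vpn_down ;;
esac
```

After `up`, the record is visible as /run/resolvconf/interface/tun0.vpn and its nameservers appear in /etc/resolv.conf ahead of eth0’s, because tun* sorts before eth* in the default interface-order; as Thomas notes above, none of this reaches NetworkManager’s own dnsmasq, which only sees what NetworkManager tells it.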

  38. shadab khan says:

    The “Using dnsmasq as local resolver by default on desktop installations” broke the whole internet usage functionality on my PC.

    In essence I could visit websites by typing in their IP addresses, but not their names.

    check this out: http://forums.linuxmint.com/viewtopic.php?f=61&t=106740
    also we have many similar problems: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/989900

    Do you think a new user would stick to Ubuntu after encountering such loss of functionality? (especially since the 11.10 worked flawlessly)

    1. Thomas Hood says:

      Issues with the local caching nameserver did emerge after 12.04 came out and it’s very regrettable that this has inconvenienced a number of users. We are working on solutions.

      Fortunately it is easy in the meantime to disable the local caching nameserver. Comment out the “dns=dnsmasq” line in /etc/NetworkManager/NetworkManager.conf.
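
The workaround repeated throughout this thread is “comment out dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf”. For Dan’s question under comment 28 (how exactly?), here is an added example, not from the post: a small shell helper that reports whether the line is active, comments it out with a leading # while keeping a .bak copy, and can put it back. It works on whatever file path it is given, so it can be tried on a copy first; the NetworkManager.conf in the usage note is constructed. A NetworkManager restart (`sudo restart network-manager` on 12.04) is still needed afterwards.

```shell
#!/bin/sh
# Added example, not from the post: toggle NetworkManager's dnsmasq mode by
# commenting/uncommenting "dns=dnsmasq" in its ini-style config. GNU sed -i
# is assumed (Ubuntu). Pass a path to work on a copy; default is the real file.

CONF=${CONF:-/etc/NetworkManager/NetworkManager.conf}
DNS_RE='dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*'

# "on" if an uncommented dns=dnsmasq line exists, "off" otherwise.
nm_dnsmasq_mode() {       # $1 = config file (optional)
    if grep -Eq "^[[:space:]]*${DNS_RE}\$" "${1:-$CONF}"; then
        echo on
    else
        echo off
    fi
}

# Comment the line out (keeps indentation, leaves everything else untouched).
# Idempotent: does nothing, and touches no backup, if already off.
nm_dnsmasq_disable() {    # $1 = config file (optional)
    f=${1:-$CONF}
    [ "$(nm_dnsmasq_mode "$f")" = on ] || return 0
    cp -p "$f" "$f.bak" &&
        sed -i -E "s/^([[:space:]]*)(${DNS_RE})\$/\\1#\\2/" "$f"
}

# Reverse it: uncomment an existing "#dns=dnsmasq" line.
nm_dnsmasq_enable() {     # $1 = config file (optional)
    f=${1:-$CONF}
    [ "$(nm_dnsmasq_mode "$f")" = off ] || return 0
    cp -p "$f" "$f.bak" &&
        sed -i -E "s/^([[:space:]]*)#[[:space:]]*(${DNS_RE})\$/\\1\\2/" "$f"
}

# Usage on a constructed copy, then on the real file:
#   printf '[main]\nplugins=ifupdown,keyfile\ndns=dnsmasq\n' > /tmp/nm.conf
#   nm_dnsmasq_disable /tmp/nm.conf && nm_dnsmasq_mode /tmp/nm.conf   # off
#   sudo sh -c '. ./nm-dnsmasq.sh; nm_dnsmasq_disable' && sudo restart network-manager
```

With the line commented out NetworkManager hands the upstream servers to resolvconf directly, so /etc/resolv.conf lists them instead of 127.0.0.1 and the local cache is gone; nm_dnsmasq_enable restores the default.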

  39. Pingback: Ubuntu 12.04 LTS
  40. Tom says:

    THANKS!! This post just solved my problem after a 3h long troubleshoot period!

  41. Hi Stéphane,

    great article… I found it yesterday ’cause I noticed the changes and had to document for a project of mine and for the Argentina LoCo Team.

    I just translated into Spanish in my own wiki at http://wiki.clueless.com.ar/Resoluci%C3%B3nDnsEnUbuntu1204

    Feel free to refer Spanish readers to it.


    https://launchpad.net/~el-baby

  42. Vaidy says:

    I am still trying to figure out how this works.

    I have everything working fine with my LenovoT520 without vpn.
    Once I connect to my vpn I am unable to browse the internet. Here are the details of my machine; please do suggest any workarounds. I am really interested in using Ubuntu, but only this issue is causing me not to.

    Before VPN:
    ——————-
    root@vaidy-pc:/home/vaidy# ifconfig -a
    eth0 Link encap:Ethernet HWaddr f0:de:f1:fe:d5:b6
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:20 Memory:f5200000-f5220000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:67 errors:0 dropped:0 overruns:0 frame:0
    TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:5983 (5.9 KB) TX bytes:5983 (5.9 KB)

    wlan0 Link encap:Ethernet HWaddr 8c:70:5a:88:2d:b8
    inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::8e70:5aff:fe88:2db8/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:53392 errors:0 dropped:0 overruns:0 frame:0
    TX packets:32998 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:74758806 (74.7 MB) TX bytes:3244266 (3.2 MB)

    root@vaidy-pc:/home/vaidy# cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND — YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 192.168.1.1
    root@vaidy-pc:/home/vaidy# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
    192.168.1.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
    root@vaidy-pc:/home/vaidy#

    After Connecting to VPN:
    ————————————-
    root@vaidy-pc:/home/vaidy# ifconfig -a
    eth0 Link encap:Ethernet HWaddr f0:de:f1:fe:d5:b6
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:20 Memory:f5200000-f5220000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:67 errors:0 dropped:0 overruns:0 frame:0
    TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:5983 (5.9 KB) TX bytes:5983 (5.9 KB)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.74.229.181 P-t-P:10.74.229.181 Mask:255.255.252.0
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
    RX packets:71 errors:0 dropped:0 overruns:0 frame:0
    TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:15614 (15.6 KB) TX bytes:8956 (8.9 KB)

    wlan0 Link encap:Ethernet HWaddr 8c:70:5a:88:2d:b8
    inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::8e70:5aff:fe88:2db8/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:53530 errors:0 dropped:0 overruns:0 frame:0
    TX packets:33165 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:74795070 (74.7 MB) TX bytes:3275221 (3.2 MB)

    root@vaidy-pc:/home/vaidy# cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND — YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 10.73.158.106
    nameserver 10.73.158.107
    nameserver 192.168.1.1
    search hq.netapp.com
    root@vaidy-pc:/home/vaidy# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
    10.74.228.0 0.0.0.0 255.255.252.0 U 0 0 0 tun0
    169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
    192.168.1.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
    202.3.120.38 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
    root@vaidy-pc:/home/vaidy#

    i am able to access my internal sites but not the external sites.
    please do guide me through if i am making any mistakes.

    1. So, one thing I see above is that you are using your VPN as the default gateway for all outgoing traffic, not just the internal subnets.
      Is that actually what you want? Does that VPN let you surf on the internet or is it restricted to just the company’s internal network?

      If the latter, then you’ll want to change your VPN setting and tick “Use this connection only for resources on its network”, which will make Network Manager only route the subnets received over the VPN (and same thing for the DNS).

      1. Vaidy says:

        No I am unable to surf internet. It is restricted to the company’s internal network only.
        I will change the VPN Settings.
        What about DNS? i didn’t get what you meant on DNS Settings.

        1. Thomas Hood says:

          Routing is one issue, as Stéphane has already mentioned.

          DNS could also be an issue for you. Your configuration is correct only if the VPN nameservers 10.73.158.106 and 10.73.158.107 can resolve all domain names, i.e., not only private names but also names of machines on the Internet. Can they?

      2. Thomas Hood says:

        Stéphane wrote:
        > tick “Use this connection only for resources on
        > its network”, which will make Network Manager
        > only route the subnets received over the VPN
        > (and same thing for the DNS).

        I believe that, for DNS lookups to be routed, the
        NetworkManager-controlled dnsmasq process
        must be enabled: i.e., there must be a line

        dns=dnsmasq

        in /etc/NetworkManager/NetworkManager.conf.

        1. Vaidy says:

          I updated the VPN Settings by enabling the “Use this connection only for resources on its network” option. Also i have the dns=dnsmasq entry in /etc/NetworkManager/NetworkManager.conf. now i am able to access the internet but not the intranet sites.. :(. I am very bad at networking. Please excuse me.

          1. Thomas Hood says:

            Hi. This discussion really belongs in a bug report at launchpad.net.

            Did you reboot after reconfiguring? If not, please reboot and try again.

            When saying “access … network” please draw a distinction between being (un)able to resolve domain names and being (un)able to communicate with other machines. To test name resolution use tools like dig. To test communication with other machines use tools like ping with an IP address. See the man pages.


  44. Nidhi says:

    When I tried to make my site live and give it a External IP address, suddenly I lost internet connection. I don’t know where to start. Any help will be appreciated.

    Thanks,

  45. krazzy says:

    So after searching the web for a long long time now. I am asking this here because it seems there is more known about the strange way Ubuntu 12.4 dns works,

    I need a way to use a different port for all dns. This is becoming a massive problem now that all U.S. ISPs are forced to strip certain dns records from their resolvers to be compliant with legal threats.

    There are dns resolvers that listen and respond on ports other than port 53. OpenDNS on port 5353 and
    the German Privacy Foundation on port 110. But due to the strangeness of 12.4 I can’t seem to use any.

    Being how most ISPs redirect all port 53 data to their servers, there is no other way to get around the removal of these name entries from the U.S. ISPs’ resolvers other than to use a port other than 53.

    how can I do this in Ubuntu 12.4?

    1. Thomas Hood says:

      Thanks, this is an interesting question.

      It is possible to change the port on which nameservers listen, in Ubuntu just as well as in other GNU/Linux distributions. Just give named or dnsmasq the “-p” option.

      Unfortunately, it is not possible to change the port that the GNU C Library (glibc) uses for DNS traffic. It is hard coded to use port 53. (OpenBSD is superior to GNU in this respect. The OpenBSD C library resolver allows the port to be specified in /etc/resolv.conf. Ditto for Mac OS X and some other operating systems.) The glibc resolver is used by much essential software in Ubuntu, just as in every other GNU/Linux distribution, so an Ubuntu machine must have a nameserver available that listens on port 53.

      The nameserver in question can be a local nameserver and this local nameserver can be configured to forward requests to other nameservers, local or remote, on ports other than 53.

      I don’t know whether or not NetworkManager and its slave dnsmasq instance have support for this, but you can certainly implement this using the standalone dnsmasq. Suppose the remote nameserver listens at 1.2.3.4:5353. Install the dnsmasq package locally and edit /etc/default/dnsmasq so that dnsmasq gets started with the “--server=1.2.3.4#5353” option. Start dnsmasq and you are done.

      This configuration is static and so perhaps less than ideal. But it’s the best we can do at the moment. Resolvconf wasn’t designed to handle nameserver port information. It could easily be adapted to handle this information but there are other obstacles; e.g., DHCP can’t carry nameserver port information either.

  46. Hi,

    I get my IP address from a dhcp server (using /etc/network/interfaces, not NM), however, I want to use my LOCAL resolver (a manually compiled unbound) and NOT the ones from my ISP.

    However, even when I have the following /etc/network/interfaces file, I still get my ISP’s resolvers in /etc/resolv.conf:

    #Contents of /etc/network/interfaces:
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp
    dns-nameservers 127.0.0.1

    1. I also tried adding the dns-nameservers 127.0.0.1 to the loopback entry to no avail

      1. Thomas Hood says:

        1. You shouldn’t put “dns-nameservers 127.0.0.1” in the “iface eth0” stanza since 127.0.0.1 is associated with the loopback interface and not an external interface. If you want to put a “dns-nameservers 127.0.0.1” line anywhere, put it in the “iface lo” stanza. Then reboot to activate it or, alternatively, down-up the lo interface.

        But ideally you don’t have to put a “dns-nameservers 127.0.0.1” line anywhere; ideally the local caching nameserver (or the initscript that controls it) registers the address 127.0.0.1 with resolvconf when the nameserver starts and de-registers it when the nameserver stops. That’s what dnsmasq, pdnsd and others do. Ideally you would have your locally compiled nameserver do this too.

        But until you have implemented this it’s OK to add “dns-nameservers 127.0.0.1” to the “iface lo” stanza in /etc/network/interfaces.

        2. Now, you say that when you put “dns-nameservers 127.0.0.1” into the “iface lo” stanza, you don’t get “nameserver 127.0.0.1” in resolv.conf but “nameserver” lines with addresses obtained by the DHCP client. Please make sure that after you add the “dns-nameservers 127.0.0.1” line you reboot or else down-up the lo interface. If you still don’t get “nameserver 127.0.0.1” in /etc/resolv.conf then file an Ubuntu bug report against the resolvconf package.

  49. Ben Bucksch says:

    > any change manually done to /etc/resolv.conf will be lost

    Here you violate rule 1 of software development: NEVER override the user. The user has the last word. You also violate another base rule: NEVER lose data.

    One solution is: you put some special keyword in /etc/resolv.conf by default, and if resolvconf finds that keyword, it knows it can modify it. If the user modified the file, he can remove that keyword and the file will no longer be touched.
    Another, better solution that automatically detects any changes without requiring the user to remove the keyword is: Save the file twice with 2 different filenames. If you detect a difference, you know it has been changed and you leave /etc/resolv.conf alone.

    This change has created a big problem for me and made a very simple thing very difficult: I just want to have one particular nameserver be used, no matter what. (In this case, it’s my own nameserver.) I have no simple way to do that anymore.

    Your solutions don’t work for me:

    dns-nameservers in /etc/network/interfaces doesn’t work, because I have several interfaces, and if any one of them is DHCP, it simply overrides the others. This is simply broken.
    /etc/resolvconf/resolv.conf.d/ doesn’t help me, because I don’t want resolvconf to write anything at all. I don’t want the DHCP DNS server at all.
    “I really don’t want resolvconf, how can I disable it?… making /etc/resolv.conf a regular” That’s my option, but it doesn’t work. It is a regular file here, and it is being overwritten.
    apt-get purge resolvconf doesn’t work either, the package exists, but Ubuntu tells me it’s not installed, although clearly resolvconf is there and overwriting my files.

    I still don’t know how to simply tell one single DNS nameserver and have that be used, no matter what.

    I, me and only me must be in full control, not some new software. I feel like dropping Ubuntu right now. Please, don’t let software like that get to end users. It should be

    trivial and obvious to uninstall (apt-get purge resolvconf should remove it entirely, but it doesn’t),
    never overwrite user specifications, even if it is installed
    should consider the case of several interfaces (with DHCP)

    Please drop this until it’s working correctly. This is definitely nothing to put on a LTS.

    1. My guess is that, given your needs, you should uninstall resolvconf.

    2. Thomas Hood says:

      > Here you violate rule 1 of software development:
      > NEVER override the user. The user has the last word.
      > You also violate another base rule: NEVER lose data.

      What you seem to be saying is: Never change anything; in that case nothing ever gets broken and no data gets lost.

      That’s one view of the world. Our view is that something like resolvconf was needed, so we developed and introduced resolvconf. We have done our best to introduce it while respecting administrator choices and preserving configuration. So, for example, the resolvconf package saves the old static content of /etc/resolv.conf in a backup file (/etc/resolvconf/resolv.conf.d/original), makes it possible to include this forever in the new dynamically generated file, and restores the content on de-installation. And, for example, even when given permission via debconf to do so, the package only makes *one* attempt to create the needed symbolic link at /etc/resolv.conf. So if the administrator replaces that link by a file, the package will respect that.

      Before criticizing others you should at least learn enough about the subject matter to know what you are talking about.

      You suggest using a keyword in /etc/resolv.conf to control whether or not resolvconf touches that file. The same functionality is currently available by means of creating or deleting the symbolic link /etc/resolv.conf. The file generated by resolvconf resides on a tmpfs whose contents are lost on reboot, so it’s not possible to store a magic keyword there. If you work without a symlink and put a magic keyword in a file at /etc/resolv.conf then resolvconf can’t edit the file since editing files in /etc is contrary to Debian policy and interferes with mounting the root filesystem read-only.

      As for your suggestion of detecting changes made to resolv.conf, I think you have a good idea. It would be useful if resolvconf detected that something other than itself had futzed with the dynamic file it generated, so it could send out a warning.

      > I just want to have one particular nameserver be used,
      > no matter what. (In this case, it’s my own nameserver.)
      > I have no simple way to do that anymore.

      All you have to do is replace the symbolic link /etc/resolv.conf by a file /etc/resolv.conf containing whatever you want. Note to others than Ben Bucksch: This is almost never the best thing to do.

      1. Ben Bucksch says:

        > package only makes *one* attempt to create the needed
        > symbolic link at /etc/resolv.conf. So if the administrator replaces
        > that link by a file, the package will respect that.

        > All you have to do is replace the symbolic link /etc/resolv.conf by
        > a file /etc/resolv.conf containing whatever you want.

        No, that’s wrong. That is *not* the case, and that’s what I am criticizing! I specifically wrote that my file *keeps* getting overwritten, even after I use various tricks to make it stick. What you say might work on your system, but then you don’t have a default Ubuntu 12.04. It doesn’t work on Ubuntu 12.04. This is the whole bug!

        > What you seem to be saying is: Never change anything

        No, I am not saying that at all. That’s a classic straw man. Progress is good. Progress implies change. But progress must be an improvement.

        I *am* saying that: If the user says “my nameserver is 1.2.3.4”, and puts that in the config file that we’ve been using for decades, and the software says “But I know better” and overwrites it with random values from the network (!), and even overwrites itself (!) by using whatever interface happened to be configured last, that’s simply *broken*.

        Please read my post carefully again, I describe the specific faults in detail.

        1. Thomas Hood says:

          Well, there are two philosophical issues here. One is the question of whether it’s ever OK to change the role of a file whose role stayed the same for “decades”. My answer is Yes. I guess we disagree on that. The second question is whether or not new features should work properly. My answer is Yes. Here we agree.

          Fortunately, name service works properly on many Ubuntu machines. We know of some bugs because they have been reported in Launchpad and sufficient additional information was provided to allow us to investigate them.

          I believe you when you say that name service does not work properly on your machine. You should report your issue at Launchpad so that it can be investigated in a systematic way.

          If you choose instead to continue posting complaints here then here is my reply. Insofar as they concern the correct functioning of your system, your complaints are based on the false belief that your machine is standard Ubuntu 12.04. We know from what you have said earlier that it is not.

    3. Thomas Hood says:

      Continuing with the reply to Ben Bucksch’s rant…

      > Your solutions don’t work for me:
      >
      > dns-nameservers in /etc/network/interfaces doesn’t work,
      > because I have several interfaces, and if any one of them
      > is DHCP, it simply overrides the others.
      > This is simply broken.
      > […]
      > I don’t want the DHCP DNS server at all.

      If a DHCP server is supplying faulty nameserver information then the solution is to fix the server. If your DHCP client is delivering faulty nameserver information then the solution is to fix or reconfigure the DHCP client.

      If resolvconf is prioritizing the nameserver information incorrectly then the solution is to edit /etc/resolvconf/interface-order.

      But you probably don’t need to edit interface-order(5). If you have an Ubuntu-packaged local nameserver running then it registers itself with resolvconf and resolvconf lists its address first. If you have a self-compiled local nameserver running then you could include a “dns-nameservers” option in /etc/network/interfaces in the “iface lo” stanza. Nameserver information registered for the “lo” interface has top priority.

      > /etc/resolvconf/resolv.conf.d/ doesn’t help me, because
      > I don’t want resolvconf to write anything at all.
      > […]
      > I still don’t know how to simply tell one single DNS
      > nameserver and have that be used, no matter what.

      In that case, replace the symbolic link at /etc/resolv.conf by a file.

      > “I really don’t want resolvconf, how can I disable it?…
      > making /etc/resolv.conf a regular” That’s my option,
      > but it doesn’t work. It is a regular file here, and it is
      > being overwritten.

      Not by /sbin/resolvconf — it only writes to /run/resolvconf/resolv.conf.

      > apt-get purge resolvconf doesn’t work either, the
      > package exists, but Ubuntu tells me it’s not installed,
      > although clearly resolvconf is there and overwriting my files.

      Well, in that case there is either something very wrong with your machine, or something very wrong with your understanding of how your Ubuntu machine works. I’m guessing the latter.

      This is not the best place to address problems with individual systems. If you need help, ask a question on Launchpad Answers. Think there’s a bug? Read:
      https://help.ubuntu.com/community/ReportingBugs.

      > I, me and only me must be in full control, not some
      > new software. I feel like dropping Ubuntu right now.

      http://www.slackware.com/ Enjoy!

      1. Ben Bucksch says:

        > If a DHCP server is supplying faulty nameserver information then the solution is to fix the server.

        The DHCP server is supplied by the ISP. I can’t fix the ISP. I only want the dynamic IP address from them, not the DNS server.

        > In that case, replace the symbolic link at /etc/resolv.conf by a file.

        Doesn’t work, see above.
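The two mechanisms argued over in this thread, interface-order priority and the /etc/resolv.conf symlink, as an added shell example that is not code from the resolvconf package or from the post. It is a simplified model (nameserver lines only; search/domain merging is omitted), and the record files, addresses (10.0.0.x) and search domains are constructed for the demo.

```shell
#!/bin/sh
# Added example: a simplified model of how resolvconf assembles resolv.conf
# from the records that ifup, dhclient and dnsmasq register under
# /run/resolvconf/interface, plus a check of the one switch that decides
# whether that output is used at all: whether /etc/resolv.conf is a symlink
# into /run/resolvconf. Paths are relative to a root directory so it runs
# offline; this is not the resolvconf package's own code.

# assemble_resolv_conf ROOT
# Emits head, then the nameserver lines of every record file under
# ROOT/interface in the order of the glob patterns in ROOT/interface-order,
# then tail. A record for "lo" is listed first when interface-order ranks it
# first, which is why "dns-nameservers 127.0.0.1" in the "iface lo" stanza
# ends up on top while DHCP-supplied servers for eth2 end up below it.
assemble_resolv_conf() {
    root=$1
    if [ -f "$root/resolv.conf.d/head" ]; then cat "$root/resolv.conf.d/head"; fi
    seen=" "
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        for rec in "$root"/interface/$pattern; do
            [ -f "$rec" ] || continue
            # a record already matched by an earlier pattern is not repeated
            case $seen in *" $rec "*) continue ;; esac
            seen="$seen$rec "
            grep '^nameserver ' "$rec" || true
        done
    done < "$root/interface-order"
    if [ -f "$root/resolv.conf.d/tail" ]; then cat "$root/resolv.conf.d/tail"; fi
}

# resolv_conf_is_managed ROOT
# Returns 0 when ROOT/etc/resolv.conf is a symlink whose target names
# run/resolvconf/resolv.conf, the only file /sbin/resolvconf writes. A
# regular file there is left alone by resolvconf, so if it still changes,
# something else (for example a DHCP client hook) is rewriting it.
resolv_conf_is_managed() {
    link=$1/etc/resolv.conf
    [ -L "$link" ] || return 1
    case $(readlink "$link") in
        *run/resolvconf/resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# demo_resolvconf_merge: builds a constructed record set (not taken from a
# real system) and prints the assembled resolv.conf.
demo_resolvconf_merge() {
    d=$(mktemp -d)
    mkdir -p "$d/interface" "$d/resolv.conf.d"
    printf 'lo.inet*\nlo\ntun*\neth*\n*\n' > "$d/interface-order"
    printf '# Dynamic resolv.conf(5) file; constructed for the demo\n' \
        > "$d/resolv.conf.d/head"
    # record ifup registers for "dns-nameservers 127.0.0.1" under "iface lo"
    printf 'nameserver 127.0.0.1\n' > "$d/interface/lo.inet"
    # record the dhclient hook registers for a DHCP lease on eth2
    printf 'nameserver 10.0.0.1\nnameserver 10.0.0.2\nsearch example.test\n' \
        > "$d/interface/eth2.dhclient"
    printf 'search foo.com\n' > "$d/resolv.conf.d/tail"
    assemble_resolv_conf "$d"
    rm -rf "$d"
}

# demo_symlink_check: constructed /etc/resolv.conf variants; prints
# "managed" for the symlink layout and "static" for a plain file.
demo_symlink_check() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/run/resolvconf"
    ln -s ../run/resolvconf/resolv.conf "$d/etc/resolv.conf"
    if resolv_conf_is_managed "$d"; then printf 'managed '; fi
    rm "$d/etc/resolv.conf"
    printf 'nameserver 1.2.3.4\n' > "$d/etc/resolv.conf"
    if resolv_conf_is_managed "$d"; then printf 'managed'; else printf 'static'; fi
    rm -rf "$d"
}
```

Running demo_resolvconf_merge shows 127.0.0.1 listed above the DHCP servers and the tail appended last; demo_symlink_check prints "managed static".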

  50. Ben Bucksch says:

    FWIW, I have done this in /etc/network/interfaces:
    auto eth0
    iface eth0 inet static
    address 192.168.100.1
    netmask 255.255.255.0
    network 192.168.100.0
    broadcast 192.168.100.255
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.100.100
    dns-search foo.com
    auto eth2
    iface eth2 inet dhcp

    Then I do /etc/init.d/networking restart, but in /etc/resolv.conf, I get the nameserver from DHCP, and only that. No “search” mantra either. My own /etc/resolv.conf is being overwritten, and the dns-nameservers line for my eth0 is being ignored or overwritten.

    I consider that a security problem, and a functional one. The DNS server from one connection overwrites the one from entirely different interfaces. Now, my ISP can reroute my internal hostnames.

    NEVER overwrite files. THANK YOU.

    (Same is true for default routes, BTW. I get 2 default routes, one of them not working, because that line is dead, but it’s the route that ends up being used.)

    1. Here, I think, it’s in fact dhclient doing more than you want it to (not resolvconf).

      You should edit /etc/dhcp/dhclient.conf and edit the ‘request’ entry (see ‘man dhclient.conf’).

      Regards.

      1. Ben Bucksch says:

        Thanks! That did the trick.

        > You should edit /etc/dhcp/dhclient.conf and edit the ‘request’ entry (see ‘man dhclient.conf’).

        However, on Ubuntu 12.04, the filename is /etc/dhcp3/dhclient.conf. “man dhclient.conf” does not explain each of the options in the “request” line, but I commented out the whole following line by prepending “#”:
        # domain-name, domain-name-servers, domain-search, host-name,
        and that worked fine.

        Thanks!

        1. Thomas Hood says:

          > However, on Ubuntu 12.04, it’s filename /etc/dhcp3/dhclient.conf .

          No it is not.

          $ dpkg -L isc-dhcp-client | grep /etc/dhcp
          /etc/dhcp
          […]
          /etc/dhcp/dhclient.conf

          Yet another indication that your system is slightly unusual.

        2. Ben Bucksch says:

          I am running a default installation of Ubuntu 12.04 server 64bit, and I definitely have /etc/dhcp3/, not /etc/dhcp/ on all such machines, and I don’t see the behavior you describe at all. I don’t know what you’re running, but it’s not the default server install.

          And, UPDATE:
          The above solution with commenting out the line
          # domain-name, domain-name-servers, domain-search, host-name,
          doesn’t work either. It got overwritten again. The following trick works:

          make /etc/network/if-up.d/resolvconf contain:

          #!/bin/sh
          cp /etc/resolv.conf.real /etc/resolv.conf

          chmod 755 /etc/network/if-up.d/resolvconf
          make /etc/resolv.conf.real contain what you want to have in /etc/resolv.conf.

        3. Ben Bucksch says:

          > /etc/dhcp3/dhclient.conf … “request” line, … I commented out …:
          > # domain-name, domain-name-servers, domain-search, host-name,
          > and that worked fine.

          Actually, that didn’t work either.

          I’ve now tried like 3-4 different solutions proposed here by the very authors, and they all fail. How am I supposed to know what to do? You have to admit this is broken.

          I made several concrete and simple suggestions how to fix this, in a way that preserves the DHCP “feature”, but still allows editing resolv.conf by hand without extra steps. I’d like the Ubuntu team to take these suggestions, instead of defending a completely broken implementation.

    2. Thomas Hood says:

      As Mariano said: most probably the DHCP client being run to configure eth2 is overwriting /etc/resolv.conf. It should not do that. Which DHCP client are you using? Where did you get it? Did you customize it? If it comes from one of the Ubuntu repositories then you should file a bug report against that package in Launchpad. Otherwise complain to whoever is responsible for the software.

      By the way, next time you run “/etc/init.d/networking restart” please take note of the message that says “Running /etc/init.d/networking restart is deprecated….”

      1. Ben Bucksch says:

        Thomas, we’re talking about Ubuntu 12.04 here, see title. This was a default installation, even a server distribution (!), I didn’t install or modify any of the relevant packages. So, this affects *all* Ubuntu 12.04 systems.

        > next time you run “/etc/init.d/networking restart” please take note of the message that says “Running /etc/init.d/networking restart is deprecated….”

        You know what? I am not going to relearn every 2-4 years. I am sick of basic stuff like networking being broken. Progress is all good, but things should get monotonically better, not worse.

        1. Ben Bucksch says:

          FWIW, there is no warning here:
          # /etc/init.d/networking restart
          * Reconfiguring network interfaces…

          Internet Systems Consortium DHCP Client V3.1.3

          1. Thomas Hood says:

            /etc/init.d/networking contains:

            force-reload|restart)
                process_options
                log_warning_msg "Running $0 $1 is deprecated because it may not enable again some interfaces"

            If you aren’t seeing the warning message then that might indicate that you have an outdated version of the netbase package. What is the output of “dpkg -l netbase”?

          3. Thomas Hood says:

            Update to prevent confusion should anyone read this discussion now.

            In Ubuntu 12.04 /etc/init.d/networking was still in the “netbase” package and, as I said earlier, printed a “deprecated” message.

            In Ubuntu 12.10 /etc/init.d/networking is included in the “ifupdown” package and is actually a symbolic link to the generic script /lib/init/upstart-job. So it won’t print a specific “deprecated” message any more.

  51. David Drake says:

    Thanks for this! dnsmasq was causing an awful connectivity experience for me on my Ubuntu 12.04 installation. After reading through your post, I realized I have absolutely no use for the new, local resolver. After disabling it, things are much more enjoyable for anything I do that requires DNS lookups.

    1. Thomas Hood says:

      The introduction of the NetworkManager-controlled local caching nameserver was, in my opinion, not sufficiently well thought through. Bug #1003842 is particularly serious.

      https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1003842

      Fortunately, the workaround is straightforward: just comment out the line

      dns=dnsmasq

      in /etc/NetworkManager/NetworkManager.conf.

      Implementing this workaround should be easier. It should at least be possible to disable the nameserver in System Settings. And in my opinion, the default should be “disabled” until bug #1003842 and a couple of others get fixed.

  52. Art Elsea, Jr. says:

    I agree with Ben. So far two of our admins have spent over a week attempting to “fix” a mission critical OpenVPN server that was broken by this change. Worked just fine on 10.04, completely dysfunctional on 12.04. What should have been a relatively painless upgrade turned into an admin nightmare. None of the suggestions in the list above have repaired the OpenVPN installation and we are currently rebuilding the server with 10.04.
    Your arrogant suggestion that our inability to deal with your user-unfriendly design is a failing on our part is further motivating us to move away from Ubuntu as the corporate platform of choice. The Ubuntu team seems to have lost track of its primary mission, which is to provide a “people’s Linux”, not an O/S for arrogant nerds who are too insecure to accept the suggestions of well-meaning users. The “RTFM” implication in your response is a disgrace to the “Ubuntu” legacy.

    1. Thomas Hood says:

      Well, I think that there must have been some misunderstanding here. Someone told you that Ubuntu is the “people’s Linux” and you concluded that you would not have to hire nerds or read manuals, because everything would just work. So you upgraded a mission critical server without making a backup and ended up living a nightmare as your non-nerd admins spent weeks fruitlessly trying to figure out what went wrong. Now you know that you still need computer expertise to run a Linux system, but too late. Frustrating!

      Obviously you now have to do whatever it takes to get your business back up and running. Once you’re back on solid ground you should consider moving your services onto virtual machines; then you can easily make backup snapshots and perform experiments on clones of your production systems.

      Now suppose you upgrade a test system to a new Ubuntu release and find that some mission critical service doesn’t work. That can happen, despite everyone’s best efforts. What do you do then? Start reading documentation, e.g., release notes. Search the relevant bug tracking systems. Contact knowledgeable people in the appropriate fora. Ask questions. If you are confident you have found a bug, file a bug report. And so on. There is a lot you can do before you resort to complaining in blog comments.

      I will add that I don’t speak for Canonical… or for Ubuntu, whatever that would mean.

  53. Art Elsea, Jr. says:

    You continue in the same vein which generated my initial comments. Of course we have backups and of course we read manuals or whatever on-line documentation is available, bug reports, etc. Our sys admins have been supporting Ubuntu since version 5.xx on an array of some ~70 systems and doing a fine job. All of your assumptions are unfounded and still you continue in your condescending tone.
    The problem we have is specific to OpenVPN and I would invite anyone with specific experience with that VPN solution to comment, including yourself if applicable. We are running 12.04.1 on a system with 32GB RAM and 4 AMD Quadcores, so there is plenty of horse power. The current connect is via single 1GB Ethernet. We have tried OpenVPN 2.1.3, 2.1.4, 2.2.1 & 2.2.2. All show the same symptoms. 2.1.X, etc., worked fine on 10.04. From the server side OpenVPN logs show healthy connections, but the client machines can’t see the server. Running ifconfig on both server and client shows a packet flow from the client to the server, but not from the server to the client. In other words, on the server side RX is large and TX is 0 whereas on the client side TX is large and RX is 0. So far we have stepped through all of the suggestions on this site w/o success. Firewalls have been tested both enabled and disabled. The matrix of test conditions fills pages. We’d like to be able to just replicate the 10.04 conditions that worked but replacing the /etc/resolv.conf symbolic link with a file does not work.
    BTW, local LAN connectivity is not affected. ssh works, samba, etc., no problem, just OpenVPN server is hosed. No other symptoms.
    Any and all constructive suggestions are appreciated. We don’t need additional suggestions to read the documentation unless you have some documentation that isn’t publicly available.

    1. Thomas Hood says:

      This helps me to interpret your earlier comment.

      You wrote:
      > So far two of our admins have spent over a week
      > attempting to “fix” a mission critical OpenVPN server
      > that was broken by this change. Worked just fine on 10.04,
      > completely dysfunctional on 12.04. What should have been
      > a relatively painless upgrade turned into an admin nightmare.
      > […] None of the suggestions in the list above have repaired
      > the OpenVPN installation and we are currently rebuilding
      > the server with 10.04. Your arrogant suggestion that our
      > inability to deal with your user unfriendly design is a failing
      > on our part, is further motivating us to move away from
      > Ubuntu as the corporate platform of choice.

      But now it turns out that you were able to revert to your pre-upgrade backup! It’s a relief to know that your earlier statement was hyperbole, but now I wonder why you think that exaggerating and insulting people will help you to solve your problem faster. (It’s also interesting how something I said to another person, Ben Bucksch, about a completely different problem, could be interpreted by you — not yet a party to the conversation — as impugning *your* abilities. Talk about insecure!)

      Turning to the technical information you have started to provide, I see nothing that indicates that the problem is with name resolution. Does OpenVPN work if you enter IP addresses everywhere instead of host names? The answer to that will help you to find a more appropriate forum in which to ask for further help.

  54. banavara says:

    I have used a hack to run dnsmasq without the cache-size flag, using a script which uses:

    exec $dnsmasq `echo $@ | sed -e s/--cache-size=0//`

    Now my system is working with DNS caching. Is this safe to use? Will there be any security issues?

    1. Thomas Hood says:

      In the discussion that preceded the introduction of the NM-controlled dnsmasq process

      https://blueprints.launchpad.net/ubuntu/+spec/foundations-p-dns-resolving

      it was decided to disable the cache because with a cache (quoting:)

      – DNS cache poisoning is made easier on multiuser systems
      – any user on the system will be able to enumerate the domains other users have accessed

  55. Marco says:

    After upgrading to 12.04 and installing & using a VPN frequently, my System 76 Lemur became extremely slow resolving hostnames in non-VPN mode (but they all eventually resolve). The only fix that worked (commenting out dnsmasq breaks it completely and no resolution takes place) is to maintain 2 copies of /etc/resolv.conf: the first one for VPN use, which was the result of all automatic changes and which has the VPN nameservers followed by 127.0.0.1, and the second copy for non-VPN use, manually created, which has the local DNS at 192.168.1.254 on top and no mention of 127.0.0.1 at all (?).

    1. Thomas Hood says:

      Hi Marco,

      Please go to https://bugs.launchpad.net/ubuntu/+source/resolvconf, click “Report a bug” and enter your description of the problem. Please also include in your report the following information.

      * The name and version number of the VPN client you are using
      * Whether you are using ifup or NetworkManager to manage connections
      * If you are using ifup, the contents of /etc/network/interfaces
      * If you are using NetworkManager, the contents of /etc/NetworkManager/NetworkManager.conf
      * A copy of the two resolv.conf files you mentioned

  56. Andries Inzé says:

    Thank you for this!

  57. John Hupp says:

    I’m trying to troubleshoot an LTSP-PNP client boot problem under Lubuntu Quantal. I installed with a single NIC per .

    The client gets DHCP assignments: it identifies my hardware router as the DHCP server and the default gateway. It identifies the LTSP server as proxy and boot server.

    But it fails to download the pxelinux boot image, reporting “PXE-E32: TFTP open timeout.”

    I can also run this on the server itself to get a similar failure:
    $ tftp 192.168.1.102 -v -m binary -c get /ltsp/i386/pxelinux.0
    mode set to octet
    Connected to 192.168.1.102 (192.168.1.102), port 69
    getting from 192.168.1.102:/var/lib/tftpboot/ltsp/i386/pxelinux.0 to pxelinux.0 [octet]
    Transfer timed out.

    CRITICAL NOTE: I use the default network-manager to configure the network interface with the default DHCP configuration, and the connection is “Available to all users”. Apparently n-m also works with dnsmasq to provide DHCP and TFTP servers.

    When I had TFTP and DHCP errors booting the client under LTSP5 and Precise, I configured the network interface(s) via /etc/network/interfaces as a work-around. I think this solved some sort of a timing problem with the relevant services during bootup.

    But I understand that approach is now deprecated under Quantal. If I use it anyway, the client boots OK, but DNS resolution then fails on both client and server. I think this happens because a non-default /etc/network/interfaces causes ifup to configure network interfaces instead of n-m, but now n-m is being relied on to provide DNS resolution with dnsmasq.

    I can fix the DNS resolution problem by creating /etc/resolvconf/resolv.conf.d/tail with contents:
    nameserver (my nameserver 1)
    nameserver (my nameserver 2)

    But instead of patching up the old approach, I’d like to get the new approach working right.

        1. John Hupp says:

          Whoops, I hadn’t seen Thomas Hood’s reply above or his Launchpad reply to my comment there (I had not noticed that I had to manually subscribe to be notified of replies).

          His comment #120 at Launchpad provides an explanation for why my work-around (posted below) is effective.

          However, it also raised new questions for me, which I posted in a reply comment: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/959037/comments/121

    1. John Hupp says:

      I don’t know why it works, but removing /etc/dnsmasq.d/network-manager (which has just one line of configuration, issuing a directive to dnsmasq to bind to all the interfaces instead of listening on 0.0.0.0) and restarting the server allows the LTSP client to boot normally without error.

  58. shrikant says:

    Hello,

    I am using a UTM for spam filtering and mail relay on VMware, and on VMware I have Ubuntu 12.04.1; Ubuntu is the DMZ for the UTM.

    I have a domain name with my ISP. I don't know much about domains. I have a static IP from my ISP, and the IP and domain are registered with my ISP; they have given me a portal to manage the domain settings.

    Now how do I configure my IP and domain with Ubuntu?
    I want to run a web server and a mail server.
    Thanks

    1. Thomas Hood says:

      Is your question “How do I configure networking on an Ubuntu server?” Or do you have some question relating to name resolving on Ubuntu 12.04 or 12.10?

      1. shrikant says:

        Sorry,

        Let me explain again step by step, with background.

        1) I am running Ubuntu Server 12.04.1 as a guest on the VMware ESXi hypervisor, where I have a web and mail server running (DNS needs to be configured for these two services, web and mail), and this is also the DMZ for the UTM.

        2) I have UTM software as a guest on VMware which handles relaying, spam and antivirus for the system/network.

        3) I have a static IP and a domain portal from my ISP where I have configured the service.

        For this scenario I want DNS on the Ubuntu Server 12.04.1.

        What do I have to configure: /etc/hosts or /etc/hostname or what?
        When I run sudo su I get this message:
        "sudo: unable to resolve host (none)"

        I have configured the hostname as "ubuntu" and my /etc/hosts is:

        192.168.3.125 ubuntu

        Do I have to configure
        127.0.1.1 ubuntu http://www.mydomain.com ?
        127.0.1.1 ubuntu mail.mydomain.com ?
        or
        192.168.3.125 ubuntu http://www.mydomain.com

        Do I have to use reverse DNS? When should I use reverse DNS?

        Thanks

  59. William McVey says:

    So, on a remote server that needs an update to /etc/resolv.conf, I made the change to /etc/network/interfaces but I'm stumped on how to get the change propagated to the running file. I've tried "ifup eth0", which of course is already up so nothing but an error is generated. I tried adding the --force option to ifup, still no update. I tried "resolvconf -u" and nothing happened. I ran "resolvconf --updates-are-enabled" and got a 0 return code. Do I truly have to ifdown just to add a new dns server?

    1. Thomas Hood says:

      The easiest thing to do is ifdown and ifup, but you can effect the same change by running resolvconf from the command line. Assume the desired nameserver address is 1.2.3.4 and that the dns-nameservers line is in the “iface eth0 inet static” stanza in /e/n/i. Run the command:

      echo "nameserver 1.2.3.4" | resolvconf -a eth0.inet

      After this, resolv.conf should be up to date.

      1. Thomas Hood says:

        If you have two nameserver addresses, do it as follows (with a newline in the content piped to resolvconf).

        echo "nameserver 1.2.3.4
        nameserver 5.6.7.8" | resolvconf -a eth0.inet

        In the present context the argument to resolvconf’s “-a” option should be of the form IFACENAME.ADDRESSFAMILY. See interfaces(5) for information about address families. Read /etc/network/if-up.d/000resolvconf to see how resolvconf gets called when ifup is run on an unconfigured interface.

        Considering that a lot of machines are administered remotely, it isn’t convenient to have to reboot or ifdownup interfaces in order to activate changes in /e/n/i. This problem isn’t confined to resolvconf, though.

        With this in mind I just tried doing "ifup --force eth0" on a machine where I had already ifupped eth0. This command *did indeed* update resolv.conf. So it's a mystery why this didn't happen in William McVey's case.

  60. Nick says:

    Hi, this is a great article on how dnsmasq worked in 12.04, but the way it works in 12.10 has changed, and I can't find out where dnsmasq stores what was once kept in /etc/resolv.conf, as the file /var/run/nm-dns-dnsmasq.conf is now empty.

    After a lot of Googling and research, I have found out it is being managed by dbus in some way, but I still can’t find out where the information is being kept.

    Any light anyone can shed on this would be gratefully received. A pointer to some documentation or blog or thread on the new functionality would be helpful.

    Thanks

    Nick

  61. anders larsson says:

    hi!

    Just found out that when I am using a VPN tunnel on the host and running VirtualBox in NAT mode, as I must because I have a static IP for my profile and restrictions in the company, I can't connect from my virtual machine now. 🙁 Bridged mode is not an option; I must go out with my static IP from the VPN. So, any hints on how I can use NAT mode?

    // anders

    1. Thomas Hood says:

      That’s a question of properly configuring routing on the host. Off-topic for this blog post.

  62. d gilbert says:

    I use openvpn when on the road to send everything down a VPN pipe to my home network. One might think about doing this when in a very insecure environment, for example WiFi at an airport. This used to work fine as I would manually change /etc/resolv.conf to access the DNS servers on my home network (then restore them to the previous setting when I finished using openvpn). Well it doesn’t work in Ubuntu 12.10 (didn’t try this on Ubuntu 12.04 but I guess it was broken there too). The /etc/network/interfaces proposed hack doesn’t work because I may have a wired connection, or a wireless connection (and with udev bumping my wlan randomly (another bug?) named interface solutions are undesirable).
    So I just want a way to tell resolvconf: “use this (these) IP address(es) for DNS resolution until further notice” and then a way to countermand that when I am finished with openvpn. Simple, no?

    1. Thomas Hood says:

      As explained in the blog posting, Ubuntu 12.04 and 12.10 are designed correctly to handle nameserver addresses for VPNs.

      If you don’t trust the nameserver on the LAN then you should disable the forwarding nameserver and use the nameserver on the VPN for all lookups. Edit /etc/NetworkManager/NetworkManager.conf; comment out “dns=dnsmasq”; “sudo restart network-manager”.

      If you really want manually to override the automatically generated nameserver list with your own list then here’s a hack that will achieve what you want without your having to alter /etc/resolv.conf directly. Add a line “lo.override” to the top of /etc/resolvconf/interface-order, before other non-comment entries. Then, to activate the “override” nameserver address X, do

      echo "nameserver X" | resolvconf -a lo.override

      Now X should be the one and only nameserver address in resolv.conf.

      To de-activate it, do

      resolvconf -d lo.override

      1. Thomas Hood says:

        Hmm, wait. The hack I just described will introduce an address that will be prioritized before all others, but it won’t necessarily be the only address listed. Sorry about that.

        To get exactly the behavior you want you can customize the script /etc/resolvconf/update.d/libc which is what generates the dynamic resolv.conf file.

        But the most straightforward approach is temporarily to put a static file at /etc/resolv.conf.

        # Override resolv.conf
        mv /etc/resolv.conf /etc/resolv.conf_BACKUP
        echo "nameserver X" > /etc/resolv.conf

        # Restore normality
        mv -f /etc/resolv.conf_BACKUP /etc/resolv.conf
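The following is an added example and not code from the original post, from resolvconf or from any commenter: a small POSIX shell model of how resolvconf assembles resolv.conf from per-interface records, taken in the order given by /etc/resolvconf/interface-order. It lets the commands discussed in comment 59 ("resolvconf -a eth0.inet") and in comment 62 (the "lo.override" record and its removal with "resolvconf -d") be tried offline in a scratch directory, and it makes visible why a record placed first in interface-order ends up first in the file but not alone. The scratch-directory layout, the function names rc_add, rc_del, rc_build and rc_first_ns, the sample addresses, and the deduplicate-and-keep-three rule are this example's own assumptions; the real generator to read is /etc/resolvconf/update.d/libc.

```shell
#!/bin/sh
# Added example: a model of resolvconf's record handling, NOT the real tool.
# The real tool keeps records in /run/resolvconf/interface and reads
# /etc/resolvconf/interface-order; here everything lives under a scratch
# directory passed as $1 so the script runs offline without root.

# Record nameserver data for one interface (like "resolvconf -a eth0.inet").
# Usage: printf 'nameserver 1.2.3.4\n' | rc_add DIR eth0.inet
rc_add() {
  mkdir -p "$1/interface"
  cat > "$1/interface/$2"
}

# Forget an interface's record (like "resolvconf -d eth0.inet").
rc_del() {
  rm -f "$1/interface/$2"
}

# Print the record files in the order dictated by interface-order.
# Each non-comment line is a shell glob; a record is emitted once, at the
# position of the first pattern that matches it.
rc_ordered_records() {
  dir=$1
  done_list=" "
  while IFS= read -r pat || [ -n "$pat" ]; do
    case $pat in ''|'#'*) continue ;; esac
    for f in "$dir/interface"/$pat; do
      [ -f "$f" ] || continue
      name=${f##*/}
      case $done_list in *" $name "*) continue ;; esac
      done_list="$done_list$name "
      printf '%s\n' "$f"
    done
  done < "$dir/interface-order"
}

# Assemble resolv.conf: head, then the records in order, then tail.
# Simplification assumed by this model (not checked against update.d/libc):
# duplicate nameserver lines are dropped and only the first three survive,
# because the glibc resolver ignores "nameserver" lines beyond MAXNS (3).
rc_build() {
  dir=$1
  {
    [ -f "$dir/head" ] && cat "$dir/head"
    rc_ordered_records "$dir" | while IFS= read -r f; do cat "$f"; done
    [ -f "$dir/tail" ] && cat "$dir/tail"
    :
  } | awk '
    $1 == "nameserver" { if (seen[$2]++ || ++n > 3) next }
    { print }'
}

# First nameserver address in the assembled file, handy for checks.
rc_first_ns() {
  rc_build "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Demonstration with constructed data (documentation-range addresses).
rc_demo() {
  d=$(mktemp -d)
  printf '%s\n' 'lo.override' 'lo.inet*' 'tun*' 'eth*' '*' > "$d/interface-order"
  printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\nsearch example.net\n' | rc_add "$d" eth0.inet
  printf 'nameserver 198.51.100.1\n' | rc_add "$d" tun0
  echo '# generated from eth0.inet + tun0 (VPN record sorts first):'
  rc_build "$d"
  printf 'nameserver 203.0.113.9\n' | rc_add "$d" lo.override
  echo '# after "resolvconf -a lo.override": override is first, not alone:'
  rc_build "$d"
  rc_del "$d" lo.override
  echo '# after "resolvconf -d lo.override":'
  rc_build "$d"
  rm -rf "$d"
}
rc_demo
```

The demo output shows the point made in the follow-up above: with "lo.override" at the top of interface-order, its address becomes the first nameserver line while the tun0 and eth0 addresses remain behind it, so a resolver that fails over (or, as one commenter reports, round-robins) can still reach the LAN nameserver; only editing the generator script or replacing the symlink gives a single-entry file.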

  63. Nobody of Consequence says:

    Unfortunately, your "solution" for things does NOT account for a crucial DNS configuration that's VERY valid. The DNS in the VPN has resolutions for things **INTERNAL** to the network you're attaching to. If you're using *ANY* local DNS mappings this whole thing BREAKS completely because it won't resolve them, period.

    1. Thomas Hood says:

      Interesting use of emphasis. But you are wrong: please read the original blog post which explains that the changes were made in order to improve support for DNS in VPN settings.

  64. Terry says:

    I had no idea about these changes, and we only have dial-up where we live.
    When I first ran the kppp dial-up utility (using Linux Mint Maya KDE) it warned about a missing /etc/resolv.conf and something about asking the administrator to create this file.
    I created a blank resolv.conf under /etc and used kppp and was finally able to ping. When I cat /etc/resolv.conf it shows three DNS nameservers filled in, provided by Mint. Our dial-up uses dynamic nameservers.
    I'll have to study this further as I don't want to use extra services or software if I don't need them for the dial-up scenario, not virtual.

    1. Thomas Hood says:

      Linux Mint 13 LTS (Maya) is known not to install the needed symbolic link at /etc/resolv.conf.

      https://bugs.launchpad.net/linuxmint/+bug/1004421

      This has apparently been fixed in Linux Mint 14.

      Kppp appears not to be correctly integrated with resolvconf: it writes directly to /etc/resolv.conf.
      https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/1086336

      I have not heard that this has been fixed. It would be helpful if you would contact the kppp maintainers and find out the status of this, and report back here.

  65. Thomas Hood says:

    I just noticed that Stéphane originally blogged:

    “[Q:] I really don’t want resolvconf, how can I disable it?
    [A:] I certainly wouldn’t recommend disabling resolvconf but you can do it by making /etc/resolv.conf a regular file instead of a symlink. Though please note that you may then be getting inconsistent /etc/resolv.conf when multiple software are fighting to change it.”

    Having been following AskUbuntu and Ubuntu forums for a while I see people “disabling” resolvconf in two different ways: (1) removing the symlink; (2) uninstalling the package.

    These methods of disabling resolvconf have different consequences. Other Ubuntu software mostly refrains from touching /etc/resolv.conf so long as resolvconf is installed, as evidenced by the presence of the executable /sbin/resolvconf. Few, if any, programs condition their behavior on whether or not /etc/resolv.conf is a symlink. (NetworkManager used to do so, but it was an exception.)

    So if resolvconf is disabled by removing the symlink at /etc/resolv.conf as Stéphane (rightly) suggests, this generally doesn’t lead to other packages altering /etc/resolv.conf. Whereas removing the resolvconf package can lead to that, and thus to fighting over it.

    Lesson: if you want a static /etc/resolv.conf you are better off leaving the resolvconf package installed.

    Third-party software is another story. Often it’s not resolvconf-aware and stomps on /etc/resolv.conf no matter what you do.

  66. Basavaraj says:

    Dear Sir,

    I have statically configured the IP Address in /etc/network/interfaces… of ubuntu 12.04

    auto eth0
    iface eth0 inet static
    address 10.10.80.180
    netmask 255.255.0.0
    network 10.10.80.0
    broadcast 10.10.80.255
    gateway 10.10.1.2

    after that, I have configured /etc/resolv.conf file as well…

    nameserver 10.10.1.2
    nameserver 208.67.222.222
    nameserver 208.67.220.220

    lastly, I restarted service by this following command…..

    sudo /etc/init.d/networking restart….. ENTER

    and then it worked successfully.

    The problem is that when I restart the computer, the /etc/resolv.conf file does not show the nameservers mentioned above.

    But /etc/network/interfaces does not get changed; it remains the same.

    Please help me in this regard: how do I fix the nameservers permanently in the /etc/resolv.conf file?

    Heartily Thank you one and all.

    1. Thomas Hood says:

      Please scroll to the top of the page and read the original blog posting.

  67. Basavaraj says:

    Dear Sir,

    I did as per the above said comment
    “To turn off dnsmasq in Network Manager, you need to edit /etc/NetworkManager/NetworkManager.conf and comment the “dns=dnsmasq” line (put a # in front of it) then do a “sudo restart network-manager”.”

    But again it is not getting saved in the /etc/resolv.conf file; there is nothing in that file.

    Could you help me, Sir? It would be a great help for me.

    1. Thomas Hood says:

      If you find nothing in /etc/resolv.conf then the symbolic link /etc/resolv.conf is probably missing. See: https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1000244

  68. Basavarajn says:

    Dear Sir,

    I used the commands from the given link https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1000244

    This is the output on my computer. Tell me, Sir, what to do next, or whether the given outputs are sufficient for finding the problem.

    comp41@cookeng:~$ sudo ls -l /etc/resolv.conf
    [sudo] password for comp41:
    lrwxrwxrwx 1 root root 29 Dec 9 20:11 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
    comp41@cookeng:~$ sudo lsattr /etc/resolv.conf
    lsattr: Operation not supported While reading flags on /etc/resolv.conf
    comp41@cookeng:~$ sudo ls -l /run/resolvconf
    total 4
    -rw-r--r-- 1 root root 0 Mar 8 15:50 enable-updates
    drwxr-xr-x 2 root root 60 Mar 8 15:50 interface
    -rw-r--r-- 1 root root 231 Mar 8 15:50 resolv.conf
    comp41@cookeng:~$ sudo ls -l /run/resolvconf/interface
    total 4
    -rw-r--r-- 1 root root 87 Mar 8 15:50 eth0.inet
    comp41@cookeng:~$

  69. Basavarajn says:

    Dear Sir,

    Please see the output of my computer when I used the Following Command…..

    comp41@cookeng:~$ sudo dpkg -reconfiguring resolvconf
    dpkg: error: conflicting actions -e (--control) and -r (--remove)

    Type dpkg --help for help about installing and deinstalling packages [*];
    Use `dselect' or `aptitude' for user-friendly package management;
    Type dpkg -Dhelp for a list of dpkg debug flag values;
    Type dpkg --force-help for a list of forcing options;
    Type dpkg-deb --help for help about manipulating *.deb files;

    Options marked [*] produce a lot of output - pipe it through `less' or `more' !
    comp41@cookeng:~$

    1. Thomas Hood says:

      The command is `dns-reconfigure`, not `dns-reconfiguring`.

  70. Basavaraj says:

    Dear Sir,

    What do I do next?
    Is there any solution to keep the DNS IP addresses permanently in resolv.conf?

    Because every time I start the computer the DNS IP addresses get erased from resolv.conf.

    Please help me in this regard as soon as possible.

    1. Thomas Hood says:

      Assuming you are using NetworkManager, add nameserver addresses using the Connection Editor. Right-click on the network indicator and select Edit Connections | | Edit… | IPv4 Settings. Enter the desired nameserver address(es) in the “Additional DNS servers” field.

      If you wish to avoid using nameserver addresses obtained via DHCP, change the Method from “Automatic (DHCP)” to “Automatic (DHCP) addresses only”. Only do this if you can’t fix the DHCP server so that it supplies correct nameserver addresses to clients.

  71. John says:

    Yet again ... another gratuitous change that assumes we are all happy clicking and auto'ing everything ... dhcp, dns, hell give me anything usable ... My client is just that, and
    the concept that every user wants a happy-go-lucky configuration of DNS servers by clicking on possibly random networks is not only laughable, the implementation is a joke (local resolver by default ... seriously?), it is yet another .d directory, absolutely retarded, counter-intuitive, goes against years of Unix practices, and the best documentation for it is a blog post, whose own author admits he does not personally use the solution ...
    If upstream is serious about pushing these kinds of stuff, the best it could do for adoption is to create at least a /etc/default/interfaces template on the fs showing how /etc/network/interfaces needs to be written ... particularly when Network-Manager does NOT use /etc/network/interfaces ... So how/where am I supposed to write my static configuration, while keeping the option to have dhcp on the same interface when roaming? I thought this is what network-manager and user-land networking provided? Thanks
    J

  72. forsetiboston says:

    Ubuntu, because standards work too well. What a joke this is, the bigger joke being that developers love to click, click, click, done but those of us running VDI and xen/kvm desktops for builds get to deal with the fall out. Even on server it’s a darned run-around to sort out what’s going where, even ‘when’ the entries e.g. dns-nameservers x.x.x.x are in the right spot.

    Sweet, the sooner someone clips Ubuntu’s wings the better..

    1. Thomas Hood says:

      Reading a manual page or two might be more effective than trolling.

  73. Allen Ford says:

    We didn't have to read a manual before this update lol.
    IRC channels always wonder why I shut off updates; I troubleshoot for a living, but with every update on Ubuntu I end up troubleshooting for free. I just want a system that works and is left alone so I can focus on other systems.

    My Ubuntu doesn't hold the static DNS server in the GUI; to me this is a bug.
    Also, when I add 2 DNS servers it load-balances them instead of using primary and secondary. I waste an hour playing with it on every reboot, and when it sporadically decides to change on its own, because when it changed my VPN stops, and then I can not even access the private DNS IP.
    I've been complaining for about 6 months in IRC and was just pointed to this now.

    I can not believe this change was forced. I feel Ubuntu took a big step backwards, and if I wasn't too scared of what else may not work if I downgrade I would.

    I think Ubuntu needs to fix this crap fast or take it back to the way it was, or at least give an option in the GUI.

  74. Nino Ortner says:

    Hey. I know this is an old thread.
    I am not nearly as knowledgeable as most others here. Nevertheless I would be grateful to know more about fixing this issue. Since the aforementioned changes in DNS resolving took place I have 2 problems, which I have mentioned in the Linux Mint forum and in Launchpad to no avail.
    The minor: For work I use an F5 BIG-IP VPN tunnel which is built up by a Firefox plugin. I connect to the tunnel via a website which takes my credentials and sends an OTP. This still works, but DNS lookup inside the tunnel does not. I would usually connect to a Windows XP virtual desktop with VMware View, but the hostname of the View server cannot be resolved. I can work around that by typing the IP address instead. Since the View client remembers the IP address this is not too bothersome. Once I start up the virtual desktop, everything works as usual.
    The major problem: With my VirtualBox I cannot use NAT for internet connectivity, only network bridging, which seems somewhat unstable. The problem here is also DNS resolving, as I can connect to websites in IE by IP address.
    I have tried disabling dnsmasq as described, but this breaks DNS lookup altogether (i.e. outside the VB and the VPN).
    Any possibility of fixing this without reading hours of manuals?
    Best regards
    Nino

    1. Thomas Hood says:

      The first problem arises from the fact that you are using a third-party networking tool which apparently does not integrate properly with Ubuntu networking interfaces including resolvconf. Interface configurers including VPN clients should register their nameserver information with resolvconf on connect and de-register on disconnect. If necessary we can discuss this in more detail.

      The second problem may be https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1048783 for which the workaround is to run the following command in a terminal.

      VBoxManage modifyvm VMNAME --natdnshostresolver1 on

      1. Nino Ortner says:

        Hello Thomas!

        Somehow, I must have missed your answer. Very interesting.

        I do not feel the need for solving the F5 plugin problem for now as it works well enough.

        However, your fix for the Virtual Box came extremely handy. Works like a charm.

        Thanks a lot!

  75. Viper says:

    Hi Stephane,
    out of the blue my Ubuntu laptop stopped finding youtube, google maps and other google sites. For all other sites dns worked perfectly (including google search).

    I tried manipulating resolv.conf etc. but to no avail.
    The only way to circumvent the problem was to use google’s own dns service at 8.8.8.8.

    Do you know what might be wrong with my laptop?
    All other PCs (windows based) in my place do not have this problem.

  76. Paul says:

    Hi,
    First of all I’m not a programmer so be patient with me. I’ve started to learn Ubuntu some time ago.
    Regarding the DNS service, as I understand it, like all network services it works on a client-server model where the client is a library implemented in the operating system. As I understand from man resolvconf:
    "SUPPLIERS OF NAMESERVER INFORMATION
    Normally the resolvconf program is run only by network interface configuration programs such as ifup(8), ifdown, NetworkManager(8), dhclient(8), and pppd(8); and by local nameservers such as dnsmasq(8). These programs obtain nameserver information from some source and push it to resolvconf."

    So if I understand right, resolvconf takes DNS information from these programs (ifup, NetworkManager, etc.) and puts it in /etc/resolv.conf, from where it is used by other programs like the libc resolver, which based on this information sends requests to the specified name servers. Is this right??

    If this is right, what the hell happens when dnsmasq is used by NetworkManager? This part is very confusing for me. First of all, what is the function of dnsmasq? Is it a resolver which replaces the libc resolver, or is it a name server which is used by libc for queries?
    For example, if I configure in NetworkManager a name server 2001:db8::1, this will be put in resolv.conf and will be used by libc for queries. But when dnsmasq is used, in resolv.conf there is just 127.0.1.1.

    So could someone explain the flow of events in the case of dnsmasq?
    It's something like:
    1. dnsmasq puts its server address 127.0.1.1 in /etc/resolv.conf
    2. when the libc resolver makes a query it sends that query to 127.0.1.1.
    3. dnsmasq sends the query further to 2001:db8::1 and after the name is resolved it returns the answer to libc.

    If this is right, where and how does dnsmasq store the 2001:db8::1??? Where can the use of this address be checked??
    And what are the advantages of using dnsmasq? Is it for caching or what (I suppose that libc can't cache the resolved addresses)?

  78. Cat says:

    I run Ubuntu 12.04 on a guest virtual machine but can't access the internet via domain names; if I access by IP it works fine.

  79. Claudio Rivea says:

    Hello, this is a really good page. We would be very grateful if you could help us with this problem.
    We have two interfaces, eth0 and eth1. We want to create a local network on eth1, and eth0 belongs to another network.
    --------------------------------------
    iface eth0 inet static
    address 192.168.x.xxx
    netmask 255.255.fff.f
    gateway 192.168.x.xxy
    dns-nameservers 10.10.c.ccc

    iface eth1 inet static
    address 192.168.zzz.z
    netmask 255.255.fff.f
    ------------------------------------------------
    We can't change the file /etc/resolv.conf, because it is automatic. Our dnsmasq has the configuration from the CASPER page:
    —————————————————–
    # Configuration file for dnsmasq
    # Edited for ROACH boot server

    # We don’t want dnsmasq to read /etc/resolv.conf or anything else
    no-resolv

    # Assign the ROACH an IP address manually, based on its MAC
    dhcp-host=02:00:01:02:02:08,192.168.100.2

    # Have a DHCP address range for other things
    dhcp-range=192.168.100.128,192.168.100.254,12h

    # Set the location of the ROACH’s root filesystem on the NFS server.
    dhcp-option=17,192.168.100.1:/srv/roach_boot/etch

    # Set the boot filename for BOOTP, which is what the ROACH boots over
    dhcp-boot=uImage

    # Enable dnsmasq’s built-in TFTP server. Required for BOOTP.
    enable-tftp

    # Set the root directory for files available via TFTP.
    tftp-root=/srv/roach_boot/boot

    # Set the DHCP server to authoritative mode (then keep away from other networks!)
    dhcp-authoritative

    #Specify which ethernet interface you use to connect to the ROACH (eth0, eth1, eth2 …)
    interface=eth1

    #May be useful if you have several ethernet interfaces
    bind-interfaces
    ——————————————————
    But the only difference is that we comment out the last line, i.e. "#bind-interfaces", because we do not want to interlace the two interfaces.

    Then when we run the file, dnsmasq changes to 127.0.0.1; it would be great if you could tell us how we can have two independent networks without changing dnsmasq.

    1. Thomas Hood says:

      Add “lo” to DNSMASQ_EXCEPT?
