When I connect to a VPN server, I want kresd to automatically resolve internal (vpn) domains using the vpn dns server (while keeping resolving other domains as before). The problem is that I enabled TLS DNS forwarding to Cloudflare using Foris, and it looks like in this mode it does not read /tmp/resolv.conf.auto.
I know how to hardcode that in configuration for a specific domain and dns server IP (Kresd configuration: how to forward a specific internal domain to another DNS), but can I make it work automatically as without TLS forwarding to cloudflare?
I am using kresd 3.2.1.
That is a good question…
Honestly I don’t know.
What script writes the contents of /tmp/resolv.conf.auto? It should definitely have the domain zone, since it adds “search domainzone” string to it:
I know very little about VPNs, so probably someone else can help, but I think the usual DNS setup is to send all requests through the VPN. (Assuming people want DNS-specific names to work.) That way the VPN’s DNS decides what names are special and when they get all requests anyway, it’s easiest (and fastest) to let them provide all answers as well, i.e. even those from public DNS.
Still, there are many ways of using a VPN. You may not need any special names (just route some IP ranges elsewhere), or all of them may be within a few known sub-trees which you forward to VPN and resolve the rest “normally”…
My use case is to access office resources from home. And I don’t want to forward other DNS requests to the VPN DNS server because it does not support TLS and DNSSEC. I am not sure if my use case is common or not, but currently I need to add a kresd policy to a custom configuration file, and monitor any (rare but possible) changes to the remote network configuration manually.
OpenVPN allows you to call a script if an OpenVPN interface goes up or down. I use this to change a custom kresd config file on VPN connect/disconnect, so that kresd forwards all dns traffic to my VPN DNS Server once connected to my VPN (it disables kresd forwarding configuration set in foris using uci and then sets up forwarding using the custom kresd config file). You can alter $kresdCustomConfig to your needs (e.g. so that kresd forwards only specific domains to your VPN DNS Server, as you described in your initial post). If you specified your VPN DNS Server in your VPN client config OpenVPN will pass it as an enviornment var to the script and the script will read it and save it into its var $dnsServer.
openconnect seems to have some “script-calling-feature”, too. I’m not familiar with openconnect at all but maybe you can use it to disable forwarding to Cloudflare on demand as I wrote.
If there’s a good way to recognize the office names, say they all end in office.ma-domena.cz, you don’t even need any script to switch – kresd will always try to forward it and it will work or it won’t.
EDIT: it can be a short-enough list of specific names that you maintain manually.