per-link DNS over TLS setting (NetworkManager + systemd-resolved)

Ubuntu 20.10. Attempts to fix DNS for a split connection (Wireguard VPN for work and a public link for everything else) have ended up in a NetworkManager+systemd-resolved setup.

A problem is that I need DNS-over-TLS to be disabled for any queries going over the wireguard link (limited to a single domain).

/etc/systemd/resolved.conf seems to only allow a global setting. So when I enable DNS over TLS there, it is also active for my wireguard link.

I can manually turn it off for the wireguard link with resolvectl dnsovertls wg0 no, but every time systemd-resolved is restarted, it turns back on.

If I understand it correctly, the per-link settings for systemd-resolved are managed by NetworkManager. But NetworkManager's key files (the ones in /etc/NetworkManager/system-connections/) do not seem to have a setting for dns over tls.

How can I get this setting to persist?


Solution 1:

I had the same issue and was able to work around it by using NetworkManager-dispatcher, which allows running scripts on connection events.

I'm not sure if it will work on Ubuntu since I'm using Fedora, but here is what I've done:

  1. Enable NetworkManager-dispatcher.service:

     systemctl enable NetworkManager-dispatcher.service

  2. Create a script in the /etc/NetworkManager/dispatcher.d/ directory with the following contents:

     #!/bin/bash

     # NetworkManager passes the interface name as $1 and the event as $2;
     # the connection name arrives in the CONNECTION_ID environment variable.
     readonly interface="$1"
     readonly action="$2"

     # Only act when the named VPN connection comes up, and switch
     # DNS-over-TLS off on its link.
     if [[ $action = vpn-up && $CONNECTION_ID = udp-other ]]; then
         resolvectl dnsovertls "$interface" no
     fi

Replace udp-other with the name of your VPN connection (or alternatively, you can use $CONNECTION_UUID) and make sure that the script's owner and group are root and that it is marked as executable.
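A fuller version of the dispatcher approach, as an added example that is not the script from the answer above: the decision logic (which events, which connection, which link) is split into functions so it can be exercised without NetworkManager or systemd-resolved present, and a DRY_RUN switch prints the resolvectl command instead of running it. The connection name "work-vpn", the install path and the mode "no" are assumptions for illustration; adjust them to your own profile. It also handles the plain "up" event, which NetworkManager sends for ordinary device connections rather than VPN-plugin ones, and reads the tunnel interface from VPN_IP_IFACE when NetworkManager exports it.

```shell
#!/bin/sh
# Added example (not the original answer's script): a NetworkManager
# dispatcher hook that turns DNS-over-TLS off on one VPN link whenever that
# connection comes up.
#
# Assumptions (hypothetical, change for your setup): the VPN connection is
# named "work-vpn" and the wanted per-link mode is "no".
# Install as /etc/NetworkManager/dispatcher.d/50-vpn-no-dot, root:root, 0755.

TARGET_CONNECTION="${TARGET_CONNECTION:-work-vpn}"
TARGET_MODE="${TARGET_MODE:-no}"

# should_act ACTION CONNECTION_ID
# Exit 0 when the event is the target connection coming up. "vpn-up" is sent
# for VPN plugin connections, "up" for device connections (e.g. a native
# wireguard profile); everything else (down, dhcp4-change, ...) is ignored.
should_act() {
    case "$1" in
        vpn-up|up) [ "$2" = "$TARGET_CONNECTION" ] ;;
        *) return 1 ;;
    esac
}

# pick_link ARG_IFACE VPN_IP_IFACE
# For vpn-up events NetworkManager exports VPN_IP_IFACE with the tunnel
# interface; otherwise the first script argument names the device.
pick_link() {
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else printf '%s\n' "$1"; fi
}

# build_command LINK MODE -> the resolvectl invocation as one line
build_command() {
    printf 'resolvectl dnsovertls %s %s\n' "$1" "$2"
}

# dispatch IFACE ACTION CONNECTION_ID VPN_IP_IFACE
# Prints the command that was (or, with DRY_RUN=1, would be) executed, or an
# empty line when the event was ignored.
dispatch() {
    if ! should_act "$2" "$3"; then
        printf '\n'
        return 0
    fi
    link="$(pick_link "$1" "$4")"
    cmd="$(build_command "$link" "$TARGET_MODE")"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        resolvectl dnsovertls "$link" "$TARGET_MODE"
    fi
    printf '%s\n' "$cmd"
}

# NetworkManager invokes the script with "$1" = interface and "$2" = action,
# and puts CONNECTION_ID / VPN_IP_IFACE into the environment.
if [ -n "${2:-}" ]; then
    out="$(dispatch "${1:-}" "$2" "${CONNECTION_ID:-}" "${VPN_IP_IFACE:-}")"
    [ -n "$out" ] && logger -t vpn-no-dot "$out"
fi
```

Dry-run it by hand with `DRY_RUN=1 CONNECTION_ID=work-vpn ./50-vpn-no-dot wg0 up`, and after a real activation confirm the link with `resolvectl status wg0`. Note that dispatcher scripts only fire on NetworkManager events: if systemd-resolved alone is restarted while the tunnel stays up, the per-link setting is lost again until the connection is reactivated (for example with `nmcli connection up work-vpn`).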