per-link DNS over TLS setting (NetworkManager + systemd-resolved)
Ubuntu 20.10. Attempts to fix DNS for a split connection (Wireguard VPN for work and a public link for everything else), have stranded in a NetworkManager+systemd-resolved setup.
A problem is that I need DNS-over-TLS to be disabled for any queries going over the wireguard link (limited to a single domain).
/etc/systemd/resolved.conf seems to only allow a global setting. So when I enable DNS over TLS there, it is also active for my wireguard link.
I can manually turn it off for the wireguard link with resolvectl dnsovertls wg0 no, but every time systemd-resolved is restarted, it turns back on.
If I understand it correctly, the per-link settings for systemd-resolved are managed by NetworkManager. But NetworkManager's key files (the ones in /etc/NetworkManager/system-connections/) do not seem to have a setting for dns over tls.
How can I get this setting to persist?
Solution 1:
I had the same issue and was able to workaround it by using NetworkManager-dispatcher, which allows to run scripts on connection events.
I'm not sure if will work on Ubuntu since I'm using Fedora, but here is what I've done:
- Enable NetworkManager-dispatcher.service
systemctl enable NetworkManager-dispatcher.service
- Create script in /etc/NetworkManager/dispatcher.d/ directory with following contents:
#!/bin/bash
readonly interface="$1"
readonly action="$2"
if [[ $action = vpn-up && $CONNECTION_ID = udp-other ]]; then
resolvectl dnsovertls "$interface" no
fi
Replace udp-other with name of your VPN connection (or alternatively, you can use $CONNECTION_UUID) and make sure that script's owner and group is root and it is marked as executable.