Local DNS, VPN, and Libvirt Deathmatch

Monday, February 2, 2015

This is more of a note to self, for the next time my machine eats itself.

First, I should say that I’ve run into this problem on Fedora 20 and now CentOS 7. I have libvirtd installed, a VPN configured for accessing work, and a local DNS nameserver configuration for accessing my local network here at home. This last part is important, since I have a beefy machine here I use as a lab for working out server/network configurations I intend to use at work.

With my latest install (CentOS 7), libvirt and the VPN seem to play together okay, though I have to say I haven’t really used a virtual machine yet. At least, the VPN seems to work in the presence of the dnsmasq daemon that libvirt manages. However, I’ve been unable to resolve any of my local network hostnames, in spite of having the local nameservers given by dhclient appended to the list the VPN injects. That is expected behaviour rather than a bug: the glibc stub resolver treats the nameserver lines in /etc/resolv.conf as an ordered fallback list, not as per-domain routes. It only moves on to the next server when the previous one times out or fails, so when the corporate server answers NXDOMAIN for a home hostname, the home nameservers further down the list are never asked (and glibc ignores everything after the third nameserver line anyway).

Here’s how I have solved it so far. It’s a bit inelegant, for sure.

Disable libvirt

I disabled libvirt on this machine, opting instead to use a lab server I have built for the purpose on my local network. This may bite me in the ass later, but I still think the dnsmasq part of libvirt isn’t useful for the things I normally do, and I should be able to disable it if I look hard enough. Remembering back to the last incarnation of my laptop, it seems to me this was an issue last time too, and I had to disable libvirt then too. (The dnsmasq instance in question is spawned per virtual network and listens only on that network's bridge address, 192.168.122.1 for the stock default network, so stopping and un-autostarting just that network with virsh net-destroy default and virsh net-autostart default --disable would get rid of it while leaving libvirtd itself usable.)

$ sudo systemctl stop libvirtd
$ sudo systemctl disable libvirtd

Take control over DNS in the VPNC configuration

In the [ipv4] section of the VPN configuration file (under /etc/NetworkManager/system-connections), I had to add:

[ipv4]
...
ignore-auto-dns=true
dns=127.0.0.1
...

This lets me decide which DNS server gets used for which domain: ignore-auto-dns=true stops NetworkManager from writing the VPN-pushed nameservers into /etc/resolv.conf, and dns=127.0.0.1 points the system at a local dnsmasq instead. I had started by just trying to divert the DNS lookups for my local network using dnsmasq, but in this scenario, I’m diverting the lookups for my WORK HOSTNAMES and letting everything else resolve as it would normally. This should result in faster DNS resolution for most things, and has the added benefit of not blocking my local network DNS.

Manage my own DNS via dnsmasq

Now, to supply a DNS server at 127.0.0.1 (as referenced in the VPN config file), I configured dnsmasq with the following in /etc/dnsmasq.d/vpn.conf:

server=/myco.com/xxx.xxx.xxx.xxx
server=/myco.com/yyy.yyy.yyy.yyy

Substitute the real company domain and nameserver addresses, which I grabbed from my /etc/resolv.conf while the VPN was up and BEFORE I started taking this corrective action; afterwards NetworkManager no longer writes them there. The server= lines forward the whole myco.com tree, subdomains included, to the corporate servers. Anything else goes to dnsmasq's ordinary upstreams, which by default it also reads from /etc/resolv.conf; that list still holds the home nameservers from dhclient (dnsmasq warns about and skips the 127.0.0.1 entry that points at itself), so local names keep resolving. One caveat worth acting on: with no listen-address restriction, dnsmasq listens on every interface, so a laptop carrying this configuration answers DNS queries for anyone on the same wifi or LAN segment. Pinning it to loopback with listen-address=127.0.0.1 together with bind-interfaces closes that off, and also keeps it from contending for port 53 with libvirt's own dnsmasq should libvirtd ever come back.

Finally, start (and enable for next boot) dnsmasq:

$ sudo systemctl start dnsmasq
$ sudo systemctl enable dnsmasq

Cleaning up

I found that I had some trouble reloading the VPN configuration from file, even using systemctl restart NetworkManager (nmcli connection reload is the documented way to make NetworkManager reread the files under system-connections). I probably didn’t need to, but just to ensure I had a clean start, I rebooted the machine. Then, I started the VPN connection and checked that I could resolve both corporate hosts and hosts on my local network. This seems to have done the trick!
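To make the dnsmasq part of this repeatable, here is an added example (my own script, not something from the original post). It derives the server=/myco.com/ lines by diffing two snapshots of /etc/resolv.conf, one taken with the VPN down and one with it up, so only the servers the VPN pushed end up in the fragment; it emits the loopback-only hardening; and it includes a check over ss output that nothing is answering DNS on a non-loopback address after the service comes up. The domain myco.com, the snapshot paths, the output path /etc/dnsmasq.d/vpn.conf and the RFC 5737 addresses in the demo are illustrative assumptions; the install step needs root.

```sh
#!/bin/sh
# Added example, not part of the original post: build the split-DNS fragment
# for dnsmasq from two snapshots of /etc/resolv.conf and check the result.
# Assumed (illustrative) values: domain myco.com, snapshot paths under /root,
# output path /etc/dnsmasq.d/vpn.conf. Addresses in the demo are RFC 5737
# documentation ranges, not real resolvers.

# gen_vpn_conf DOMAIN RESOLV_UP RESOLV_DOWN
#   RESOLV_UP   = /etc/resolv.conf copied while the VPN is connected
#   RESOLV_DOWN = /etc/resolv.conf copied with the VPN disconnected
# Emits a loopback-only dnsmasq fragment with one server=/DOMAIN/IP line for
# every nameserver that appears only while the VPN is up, i.e. the servers
# the VPN pushed. Loopback entries (dnsmasq itself) and duplicates are dropped.
gen_vpn_conf() {
    domain=$1; up=$2; down=$3
    echo "# split DNS for $domain, generated from $up minus $down"
    # Only answer on loopback: without this dnsmasq binds every interface and
    # serves DNS to the whole subnet; bind-interfaces also avoids fighting
    # libvirt's dnsmasq (192.168.122.1:53) for port 53.
    echo "listen-address=127.0.0.1"
    echo "bind-interfaces"
    awk -v dom="$domain" -v downfile="$down" '
        $1 != "nameserver"           { next }
        FILENAME == downfile         { home[$2] = 1; next }
        $2 ~ /^127\./                { next }
        !($2 in home) && !seen[$2]++ { printf "server=/%s/%s\n", dom, $2 }
    ' "$down" "$up"
}

# check_loopback_only FILE: succeed only if FILE pins dnsmasq to 127.0.0.1.
check_loopback_only() {
    grep -qx 'listen-address=127.0.0.1' "$1" && grep -qx 'bind-interfaces' "$1"
}

# count_servers FILE: number of server= forwarding lines in FILE.
count_servers() {
    grep -c '^server=' "$1"
}

# non_loopback_dns_listeners: read `ss -lnup` (or `ss -lntp`) output on stdin
# and print every port-53 socket bound to a non-loopback address. Empty
# output is the desired result once the fragment is installed.
non_loopback_dns_listeners() {
    awk '$4 ~ /:53$/ && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# demo: run gen_vpn_conf on constructed snapshots and print the fragment.
demo() {
    d_up=$(mktemp); d_down=$(mktemp)
    cat > "$d_down" <<'EOF'
# Generated by NetworkManager
nameserver 192.168.1.1
EOF
    cat > "$d_up" <<'EOF'
# Generated by NetworkManager
search myco.com
nameserver 192.0.2.53
nameserver 198.51.100.53
nameserver 192.168.1.1
EOF
    gen_vpn_conf myco.com "$d_up" "$d_down"
    rm -f "$d_up" "$d_down"
}

case "${1:-}" in
    demo) demo ;;
    install)
        # ./split-dns.sh install myco.com /root/resolv.conf.up /root/resolv.conf.down
        gen_vpn_conf "$2" "$3" "$4" > /etc/dnsmasq.d/vpn.conf
        systemctl restart dnsmasq
        # Anything printed here is a DNS socket reachable from the network.
        ss -lnup | non_loopback_dns_listeners
        ;;
esac
```

Running `./split-dns.sh demo` prints the fragment for the constructed snapshots: the two 192.0.2.53 and 198.51.100.53 entries become server=/myco.com/ lines, while the home server 192.168.1.1, present in both snapshots, is left to dnsmasq's normal upstream handling.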