How to use different DNS servers for specific domains name resolution – VPN Use-Case

How to resolve selected domains over VPN on Linux

In today's world, more people than ever use VPN services to work from remote. However, in some cases it's not desirable to route all traffic and all domain name resolutions over the VPN connection. Even if the VPN-Server wants the client to configure itself to work like this, the client can be configured to ignore the request to route all traffic over the VPN connection.

For example, with Openvpn the option

pull-filter ignore redirect-gateway

can be used to tell the openvpn-client to ignore all "route all" requests from the server.

FRITZ!Box example

Recently I had to use a VPN-Connection to a FRITZ!Box. It's a very popular router in Germany that not only offers easy VPN-Connections but also adds all hosts on its network to its own dns. If you want to talk to a machine with the name workstation you can reach it using the "workstation.fritz.box" dns name. The fritz-box itself is also available on the dns name fritz.box.

In my case, I prefer to use my own DNS server for all queries because of speed and privacy reasons - that means, I only want the domains with the fritz.box suffix to resolve over the FRITZ!Box.

Solution using a local DNS server - dnsmasq

Dnsmasq is a lightweight DNS-Server that you can run on your machine to get control on how the name resolution works. A nice side effect is that it has its own dns cache, making recurring dns queries faster. Here is how I have set it up:

Before you start you need to find out which DNS server is used on the VPN. It's usually the default gateway that usually has a .1 at the end. You can watch the VPN logs closely to learn which DNS server gets pushed on connect.

There is a tool called dig which can do dns queries over specified dns servers, for example

dig @192.168.1.1 a fritz.box

will ask the dns server 192.168.1.1 for the ip of fritz.box. Dig is very handy when debugging dns problems and to test your setup. You may have to install it on your System. On debian, it lives in a package called dnsutils.

First install dnsmasq on your Linux and edit its configuration (usually lives in /etc/dnsmasq.conf). Add these lines here:

resolv-file=/etc/resolv.dnsmasq.conf
server=/fritz.box/192.168.1.1

fritz.box is the domain you want to resolve over the VPN-Dns-server, 192.168.1.1 in this example.

The Resolv-File will tell dnsmasq how it should resolve its dns queries in case there are no other rules, so let's create a /etc/resolv.dnsmasq.conf with content

nameserver 1.1.1.1

If you use a static network configuration, you now can just edit it to use 127.0.0.1 as its nameserver. If you use automatic ip configuration using dhcp, you need to configure your dhcp client use the new local dns server. On debian, the default is dhclient. In that case edit /etc/dhcp/dhclient.conf and add:

prepend domain-name-servers 127.0.0.1;

That's it. All you have to do now is to restart dnsmasq so it reloads its config and reconnect/restart dhclient (disconnecting and reconnecting the network may work, reboot the machine when in doubt).

Now you can check if the file /etc/resolv.conf has

nameserver 127.0.0.1

as first nameserver. If it has, the selected domain (fritz.box in my example) should now resolve.

On dnsmasq, you can add multiple server= lines, which comes in handy if you have multiple domains that need to be resolved over different DNS servers.