Post History
Answer
#2: Post edited
This is not a full answer, but my hypothesis is:

Your system is configured to resolve domains *exclusively* through a single server running locally. Thereby, that local server can centrally control how DNS is handled, while no lookups can escape the server. This is probably because you tried to use a VPN, so logically if domain lookups don't also go through the VPN, the domains will be seen by your ISP etc. (the so-called "DNS leak"). Your DNS server is part of the VPN. But now you've turned off the VPN, the DNS server is also gone, and your OS is not allowed to resolve domains any other way (like Google at 8.8.8.8 or your router at 192.168.1.1). It tries the only permitted option, the local one, which never responds because it's not running; the request times out and the lookup fails.

A heuristic for checking this is to enable your VPN and see if domains resolve again. If the hypothesis is correct, they will, but there are also alternative situations that would create that symptom, which is why I call it a heuristic.

The simplest DNS setup is of course when you don't use a VPN. The next simplest is if you use a VPN always - you just forbid DNS outside the VPN, and accept the caveat that your lookups won't work without the VPN. I think that normal people would want to be able to toggle back and forth. So your VPN must restore the clearnet DNS configuration when turned off. The WireGuard implementation in NetworkManager seems to do this, but I am not sure about your particular VPN setup. If you are using your VPN provider's app, that could well be the source of your issue, and you'll have to ask their support how to fix it.

It might be easier to install something like dnsmasq and use that as your resolver, then let dnsmasq delegate to your VPN or router as needed. Dnsmasq by itself won't automatically solve your problem; it just has a nicer configuration syntax that you might find more convenient, plus other nifty DNS features. You can likely fix your configuration without dnsmasq, but I suspect it will be less convenient.

Note that you cannot simply add your clearnet DNS resolver as a fallback for your VPN's resolver. If you do that, when you have the VPN on, occasionally the DNS request through the VPN will simply fail (the Internet inherently has a background failure rate for all traffic) and the domain will leak outside your VPN. This will significantly compromise your privacy and security, to almost negate the benefit of the VPN. You'll need something fancier. I won't go into detail here; I think there should be another question like "How to set up DNS to automatically use VPN when on but not when off, without leaks?"
#1: Initial revision
This is not a full answer, but my hypothesis is: Your system is configured to resolve domains *exclusively* through a single server running locally. Thereby, that local server can centrally control how DNS is handled, while no lookups can escape the server. This is probably because you tried to use a VPN, so logically if domain lookups don't also go through the VPN, the domains will be seen by your ISP etc. (the so-called "DNS leak"). The DNS server is part of the VPN. But now you've turned off the VPN, the DNS server is also gone, and your OS is not allowed to resolve domains any other way (like Google at 8.8.8.8 or your router at 192.168.1.1). It tries the only permitted option, the local one, which never responds because it's not running; the request times out and the lookup fails. A heuristic for checking this is to enable your VPN and see if domains resolve again. If the hypothesis is correct, they will, but there are also alternative situations that would create that symptom, which is why I call it a heuristic. The simplest DNS setup is of course when you don't use a VPN. The next simplest is if you use a VPN always - you just forbid DNS outside the VPN, and accept the caveat that your lookups won't work without the VPN. I think that normal people would want to be able to toggle back and forth. So your VPN must restore the clearnet DNS configuration when turned off. The WireGuard implementation in NetworkManager seems to do this, but I am not sure about your particular VPN setup. If you are using your VPN provider's app, that could well be the source of your issue, and you'll have to ask their support how to fix it. It might be easier to install something like dnsmasq and use that as your resolver, then let dnsmasq delegate to your VPN or router as needed. Dnsmasq by itself won't automatically solve your problem; it just has a nicer configuration syntax that you might find more convenient, plus other nifty DNS features. You can likely fix your configuration without dnsmasq, but I suspect it will be less convenient. Note that you cannot simply add your clearnet DNS resolver as a fallback for your VPN's resolver. If you do that, when you have the VPN on, occasionally the DNS request through the VPN will simply fail (the Internet inherently has a background failure rate for all traffic) and the domain will leak outside your VPN. This will significantly compromise your privacy and security, to almost negate the benefit of the VPN. You'll need something fancier. I won't go into detail here; I think there should be another question like "How to set up DNS to automatically use VPN when on but not when off, without leaks?"
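A small diagnostic for the hypothesis in the answer above, added here as an example and not part of the original post: it reads the resolver list from resolv.conf-style text, reports whether every configured resolver is a loopback address (so nothing can escape the machine if the local stub is down), and sends one raw DNS query to each resolver with a short timeout to see whether it answers at all. The `SAMPLE_RESOLV_CONF` content is a constructed sample; point `parse_nameservers` at your real `/etc/resolv.conf` to check a live system.

```python
import ipaddress
import socket
import struct

# Constructed sample (not a real file): what resolv.conf looks like when a
# VPN client or local stub has pointed every lookup at a loopback resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
nameserver 127.0.0.53
options edns0 trust-ad
search lan
"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers

def only_local_resolver(servers):
    """True when every resolver is loopback: lookups cannot leave the host,
    so a stopped local stub means every lookup times out and fails."""
    return bool(servers) and all(
        ipaddress.ip_address(s).is_loopback for s in servers)

def build_a_query(name, txid=0x1234):
    """Minimal standard DNS query (RD set, one question, QTYPE A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def resolver_answers(server, name="example.com", timeout=2.0):
    """Send one UDP query and report whether any reply with a matching
    transaction id arrived in time. A silent timeout is the symptom above."""
    query = build_a_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:          # timeout, connection refused, no route
            return False
    return len(reply) >= 12 and reply[:2] == query[:2]

if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("resolvers:", servers, "loopback-only:", only_local_resolver(servers))
    for s in servers:
        print(s, "answers" if resolver_answers(s) else "no reply (timed out)")
```

If the report says loopback-only and the probe times out with the VPN off but answers with it on, that matches the answer's hypothesis; a reply from a non-loopback resolver while the VPN is on is the fallback leak the last paragraph warns about.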