
I'm trying to add split DNS to a wireguard tunnel (not really a wireguard question).

I have a PostUp command:

resolvectl dns %i 10.160.20.15

which translates to:

resolvectl dns wg0 10.160.20.15

and it does not work.

When I just run that command as root, nothing appears to change. There is no DNS server added to the resolvectl status. If I enable DEBUG-level logging, I get a LOT of messages in journalctl, but I can see no explanation of the failure.

It's too long to post here, but the only error-message field in all of the logs that is not populated with n/a is "Link lan0 is managed", and it has another field, error-name, with the value org.freedesktop.resolve1.LinkBusy.

lan0 is the name of my primary Ethernet (renamed in netplan) and, as far as I can tell, shouldn't actually be involved with this command?

If I'm naive and somehow lan0 is involved, how do I make it un-busy (unmanaged), so I can set DNS on a different interface?

EDIT: Found the following on org.freedesktop.resolve1:

org.freedesktop.resolve1.LinkBusy

The requested configuration change could not be made because systemd-networkd(8) already took possession of the interface and supplied configuration data for it.

So I guess I need to know what it means when networkd takes possession? And how to take possession back?

ericx

1 Answer


After a lot of hair-pulling, I've discovered that adding custom DNS to (at least) a wireguard interface is order dependent.

i.e. you have to specify the search domain before you can specify a server.

No idea why, and I suspect it's an ephemeral bug, but if you specify:

[Interface]
PostUp = resolvectl dns %i 10.100.100.5
PostUp = resolvectl domain %i ~example.com

(and/or simply execute those commands once wg0 is up), nothing actually happens. There are no error messages, but there is utterly no change in the output of resolvectl.

However, if you reverse the order and specify the domain before the DNS server, it works beautifully.

So the correct snippet for the wireguard config file should be:

[Interface]
PostUp = resolvectl domain %i ~example.com
PostUp = resolvectl dns %i 10.100.100.5

Note also (out of scope for this question) that the wireguard built-in technique:

[Interface]
DNS = 10.100.100.5, ~example.com

also fails because it attempts to use ye olde resolvconf, which really doesn't work with systemd (yes, there is an emulation mode).

Version info:

  • Debian: bookworm
  • resolvectl: systemd 252 (252.30-1~deb12u2) +PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
Esa Jokinen
ericx
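The hook below is an added example, not code from the question, the answer, wg-quick or systemd. It applies the domain-then-server order from the answer and then checks what resolved actually reports, because the failure mode described above is a silent no-op: resolvectl exits 0 and nothing changes. It assumes the interface name wg0, the resolver 10.100.100.5 and the routing domain ~example.com from the answer, and that `resolvectl dns LINK` / `resolvectl domain LINK` print one "Link N (ifname): value ..." line as systemd 252 does. The sample output lines in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, wg-quick or systemd.
# Applies split DNS to a WireGuard link under systemd-resolved in the order
# the answer found necessary (routing domain first, then server) and then
# verifies what resolved reports, because the failure mode in the question
# is a silent no-op with exit status 0.
#
# Assumptions (taken from the answer, not verified here): resolver
# 10.100.100.5 and routing domain ~example.com; the interface defaults to wg0
# and can be passed as the second argument (wg-quick's %i). The
# "Link N (ifname): ..." output shape of `resolvectl dns LINK` /
# `resolvectl domain LINK` is what systemd 252 prints; adjust has_value()
# if your version differs.

WG_IF=${2:-wg0}
WG_DNS='10.100.100.5'
WG_DOMAIN='~example.com'

# has_value OUTPUT VALUE
# Succeeds if OUTPUT, one "Link N (ifname): v1 v2 ..." line, lists VALUE.
# A line with nothing after the colon (the silent-failure case) never matches.
has_value() {
    out=$1
    want=$2
    vals=${out#*: }                     # drop the "Link N (ifname): " prefix
    [ "$vals" != "$out" ] || return 1   # no "prefix: values" shape at all
    for v in $vals; do
        [ "$v" = "$want" ] && return 0
    done
    return 1
}

# verify_split_dns DNS_OUTPUT DOMAIN_OUTPUT
# Succeeds only if both the server and the routing domain were accepted.
# Takes the two command outputs as arguments so it can be exercised offline.
verify_split_dns() {
    has_value "$1" "$WG_DNS" && has_value "$2" "$WG_DOMAIN"
}

# apply_split_dns: the PostUp body. Domain before server, then check.
# Return non-zero so the failure is visible in wg-quick's output instead of
# leaving a tunnel whose example.com lookups quietly go elsewhere.
apply_split_dns() {
    resolvectl domain "$WG_IF" "$WG_DOMAIN" || return 1
    resolvectl dns "$WG_IF" "$WG_DNS" || return 1
    if ! verify_split_dns "$(resolvectl dns "$WG_IF")" "$(resolvectl domain "$WG_IF")"; then
        echo "split DNS on $WG_IF was not applied (resolved reports no server/domain)" >&2
        return 1
    fi
}

# Constructed sample outputs (not captured from a real host) for the two
# outcomes the answer describes: accepted, and silently ignored.
SAMPLE_OK_DNS="Link 5 (wg0): 10.100.100.5"
SAMPLE_OK_DOMAIN="Link 5 (wg0): ~example.com"
SAMPLE_EMPTY="Link 5 (wg0):"

case "${1:-}" in
    apply)  apply_split_dns ;;                 # PostUp   = /etc/wireguard/split-dns.sh apply %i
    revert) resolvectl revert "$WG_IF" ;;      # PostDown = /etc/wireguard/split-dns.sh revert %i
    *)
        verify_split_dns "$SAMPLE_OK_DNS" "$SAMPLE_OK_DOMAIN" && echo "sample 1: applied"
        verify_split_dns "$SAMPLE_EMPTY" "$SAMPLE_EMPTY" || echo "sample 2: not applied"
        ;;
esac
```

Run with no arguments to exercise the checker against the two constructed samples; wire `apply %i` into PostUp and `revert %i` into PostDown (`resolvectl revert LINK` drops the per-link DNS and domain settings again when the tunnel goes down). The `~` prefix on example.com makes it a routing-only domain: only names under example.com are sent to 10.100.100.5, everything else keeps going to the LAN resolver, so the tunnel resolver does not become a default route for the whole host's lookups.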