DNS not working on VPN

Hi Suse.
I use OpenSuse Leap 15.6 and I use a FOSS VPN.
After I traveled, using the VPN made the DNS stop working.
That is, I can ping an IP address, I can use Tor, but no website is found either by Firefox, ping or dig.

I solved that I don’t really know how (following instructions on the net, IIRC modifying the connections in Network-Manager).

Now I traveled again, and again the DNS doesn’t work (I still can use Tor, but even the VPN isn’t reachable).

I tried switching the connection to “Automatic Addresses only” and added quad9.net DNS server to the “DNS servers” list but to no avail.

resolv.conf is generated by netconfig, which I know nothing about.

What could have happened?
How to solve that?

So, show /etc/resolv.conf for a start.

cat /etc/resolv.conf 
### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.

How do you do it? What connection? What network management are you using? You do not really provide any information to even start guessing.

/etc/resolv.conf is empty, which is normal if netconfig did not get any input on available DNS servers. Just remove the symlink and create a regular file with the content you need.

I use the “Modify connection” option on the GUI (with a right-click on the Network icon on XFCE).
And then in the window opened by NetworkManager I select the Wifi connection I’m using (by double-clicking on it).

Then in the “IPv4 Parameters” tab I choose for the drop-down menu on “Method”, instead of “Automatic”, “Adresses automatiques uniquement (DHCP)”.

Then in the field “Serveurs DNS” I add 9.9.9.9

And in the “IPv6 Parameters” I choose “Automatiques, adresses uniquement” and in the field “Serveurs DNS” I add 2620:fe::fe

How do I do that?
Won’t it have side effects?

Now I’m back to my old wifi connection that used to work and the problem is still there, vpn or no vpn.
Which is sort of logical if netconfig wiped out the resolv.conf config.

But why did it do that? How do I prevent it from doing it again?

I’d prefer to understand than to just hack…

Please, show the output of this: cat /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd: files usrfiles
group:  files usrfiles

hosts:  	files mdns_minimal [NOTFOUND=return] dns
networks:	files dns

services:	files
protocols:	files
rpc:		files
ethers:		files
netmasks:	files
netgroup:	files nis
publickey:	files

bootparams:	files
automount:	files nis
aliases:	files

Someone told me to just rewrite /etc/resolv.conf and do a chattr on the file to prevent netconfig or whatever from touching it again, but I don’t understand the long-term consequences of this?

netconfig modifies a file in its own private location. As long as /etc/resolv.conf is not a link to this private file, it is not affected by netconfig.

OK, and what are the consequences of resolv.conf no longer being a link to the netconfig private file?

I don’t understand why it was, nor what is gonna happen when it isn’t anymore.

Nor do I really understand what netconfig is or does, and why it decided to wipe out the resolv.conf.

I remembered something I did that may have triggered the behavior: I changed the computer’s hostname.

But AFAIK, I restored the original hostname after that, but still have the same problem.

The problem you now have?

What is for sure not good is that the dump of resolv.conf says it is a symlink to /run/netconfig/resolv.conf but based on what you write that is (no longer) the case.

Can you show the output of cat /etc/sysconfig/network/config, the interesting key is NETCONFIG_DNS_POLICY.

NETCONFIG_DNS_POLICY="auto"

(full output below)

cat /etc/sysconfig/network/config
## Path:	Network/General
## Description:	Global network configuration
#
# Note: 
# Most of the options can and should be overridden by per-interface
# settings in the ifcfg-* files.
#
# Note: The ISC dhclient started by the NetworkManager is not using any
# of these options -- NetworkManager is not using any sysconfig settings.
#

## Type:        yesno
## Default:     yes
# If ifup should check if an IPv4 address is already in use, set this to yes.
#
# Make sure that packet sockets (CONFIG_PACKET) are supported in the kernel,
# since this feature uses arp, which depends on that.
# Also be aware that this takes one second per interface; consider that when
# setting up a lot of interfaces. 
CHECK_DUPLICATE_IP="yes"

## Type:        list(auto,yes,no)
## Default:     auto
# If ifup should send a gratuitous ARP to inform the receivers about its
# IPv4 addresses. Default is to send gratuitous ARP, when duplicate IPv4
# address check is enabled and the check were sucessful.
#
# Make sure that packet sockets (CONFIG_PACKET) are supported in the kernel,
# since this feature uses arp, which depends on that.
SEND_GRATUITOUS_ARP="auto"

## Type:        yesno
## Default:     no
# Switch on/off debug messages for all network configuration stuff. If set to no
# most scripts can enable it locally with "-o debug".
DEBUG="no"

## Type:	integer
## Default:	30
#
# Some interfaces need some time to come up or come asynchronously via hotplug.
# WAIT_FOR_INTERFACES is a global wait for all mandatory interfaces in
# seconds. If empty no wait occurs.
#
WAIT_FOR_INTERFACES="30"

## Type:	yesno
## Default:	yes
#
# With this variable you can determine if the SuSEfirewall when enabled
# should get started when network interfaces are started.
FIREWALL="yes"

## Type:	int
## Default:	30
#
# When using NetworkManager you may define a timeout to wait for NetworkManager
# to connect in NetworkManager-wait-online.service.  Other network services
# may require the system to have a valid network setup in order to succeed.
#
# This variable has no effect if NetworkManager is disabled.
#
NM_ONLINE_TIMEOUT="30"

## Type:        string
## Default:     "dns-resolver dns-bind ntp-runtime nis"
#
# This variable defines the start order of netconfig modules installed
# in the /etc/netconfig.d/ directory.
#
# To disable the execution of a module, don't remove it from the list
# but prepend it with a minus sign, "-ntp-runtime".
#
NETCONFIG_MODULES_ORDER="dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"

## Type:        yesno
## Default:     no
#
# Enable netconfig verbose reporting.
#
NETCONFIG_VERBOSE="no"

## Type:	yesno
## Default:	no
#
# This variable enables netconfig to always force a replace of modified
# files and automatically enables the -f | --force-replace parameter.
#
# The purpose is to use it as workaround, when some other tool trashes
# the files, e.g. /etc/resolv.conf and you observe messages like this
# in your logs on in "netconfig update" output:
# ATTENTION: You have modified /etc/resolv.conf. Leaving it untouched.
#
# Please do not forget to also report a bug as we have a system policy
# to use netconfig.
#
NETCONFIG_FORCE_REPLACE="no"

## Type:        string
## Default:     "auto"
#
# Defines the DNS merge policy as documented in netconfig(8) manual page.
# Set to "" to disable DNS configuration.
#
NETCONFIG_DNS_POLICY="auto"

## Type:        string(resolver,bind,dnsmasq,)
## Default:     "resolver"
#
# Defines the name of the DNS forwarder that has to be configured.
# Currently implemented are "bind", "dnsmasq" and "resolver", that
# causes to write the name server IP addresses to /etc/resolv.conf
# only (no forwarder). Empty string defaults to "resolver".
#
NETCONFIG_DNS_FORWARDER="resolver"

## Type:        yesno
## Default:     yes
#
# When enabled (default) in forwarder mode ("bind", "dnsmasq"),
# netconfig writes an explicit localhost nameserver address to the
# /etc/resolv.conf, followed by the policy resolved name server list
# as fallback for the moments, when the local forwarder is stopped.
#
NETCONFIG_DNS_FORWARDER_FALLBACK="yes"

## Type:        string
## Default:     ""
#
# List of DNS domain names used for host-name lookup.
# It is written as search list into the /etc/resolv.conf file.
#
NETCONFIG_DNS_STATIC_SEARCHLIST=""

## Type:        string
## Default:     ""
#
# List of DNS nameserver IP addresses to use for host-name lookup.
# When the NETCONFIG_DNS_FORWARDER variable is set to "resolver",
# the name servers are written directly to /etc/resolv.conf.
# Otherwise, the nameserver are written into a forwarder specific
# configuration file and the /etc/resolv.conf does not contain any
# nameservers causing the glibc to use the name server on the local
# machine (the forwarder). See also netconfig(8) manual page.
#
NETCONFIG_DNS_STATIC_SERVERS=""

## Type:        string
## Default:     "auto"
#
# Allows to specify a custom DNS service ranking list, that is which
# services provide preferred (e.g. vpn services), and which services
# fallback settings (e.g. avahi).
# Preferred service names have to be prepended with a "+", fallback
# service names with a "-" character. The special default value
# "auto" enables the current build-in service ranking list -- see the
# netconfig(8) manual page -- "none" or "" disables the ranking.
#
NETCONFIG_DNS_RANKING="auto"

## Type:        string
## Default:     ""
#
# Allows to specify options to use when writting the /etc/resolv.conf,
# for example:
# 	"debug attempts:1 timeout:10"
# See resolv.conf(5) manual page for details.
#
NETCONFIG_DNS_RESOLVER_OPTIONS=""

## Type:        string
## Default:     ""
#
# Allows to specify a sortlist to use when writting the /etc/resolv.conf,
# for example:
# 	130.155.160.0/255.255.240.0 130.155.0.0"
# See resolv.conf(5) manual page for details.
#
NETCONFIG_DNS_RESOLVER_SORTLIST=""

## Type:        string
## Default:     "auto"
#
# Defines the NTP merge policy as documented in netconfig(8) manual page.
# Set to "" to disable NTP configuration.
#
NETCONFIG_NTP_POLICY="auto"

## Type:        string
## Default:     ""
#
# List of NTP servers.
#
NETCONFIG_NTP_STATIC_SERVERS=""

## Type:        string
## Default:     "auto"
#
# Defines the NIS merge policy as documented in netconfig(8) manual page.
# Set to "" to disable NIS configuration.
#
NETCONFIG_NIS_POLICY="auto"

## Type:        string(yes,no,)
## Default:     "yes"
#
# Defines whether to set the default NIS domain. When enabled and no domain
# is provided dynamically or in static settings, /etc/defaultdomain is used.
# Valid values are:
#  - "no" or ""         netconfig does not set the domainname
#  - "yes"              netconfig sets the domainname according to the
#                       NIS policy using settings provided by the first
#                       iterface and service that provided it.
#  - "<interface name>" as yes, but only using settings from interface.
#
NETCONFIG_NIS_SETDOMAINNAME="yes"

## Type:        string
## Default:     ""
#
# Defines a default NIS domain.
#
# Further domain can be specified by adding a "_<number>" suffix to
# the NETCONFIG_NIS_STATIC_DOMAIN and NETCONFIG_NIS_STATIC_SERVERS
# variables, e.g.: NETCONFIG_NIS_STATIC_DOMAIN_1="second".
#
NETCONFIG_NIS_STATIC_DOMAIN=""

## Type:        string
## Default:     ""
#
# Defines a list of NIS servers for the default NIS domain or the
# domain specified with same "_<number>" suffix.
#
NETCONFIG_NIS_STATIC_SERVERS=""

## Type:	string
## Default:	''
#
# Set this variable global variable to the ISO / IEC 3166 alpha2
# country code specifying the wireless regulatory domain to set.
# When not empty, ifup-wireless will be set in the wpa_supplicant
# config or via 'iw reg set' command.
#
# Note: This option requires a wpa driver supporting it, like
# the 'nl80211' driver used by default since openSUSE 11.3.
# When you notice problems with your hardware, please file a
# bug report and set e.g. WIRELESS_WPA_DRIVER='wext' (the old
# default driver) in the ifcfg file.
# See also "/usr/sbin/wpa_supplicant --help" for the list of
# available wpa drivers.
#
WIRELESS_REGULATORY_DOMAIN=''
## Type:        integer
## Default:     ""
#
# How log to wait for IPv6 autoconfig in ifup when requested with
# the auto6 or +auto6 tag in BOOTPROTO variable.
# When unset, a wicked built-in default defer time (10sec) is used.
#
AUTO6_WAIT_AT_BOOT=""

## Type:        list(all,dns,none,"")
## Default:     ""
#
# Whether to update system (DNS) settings from IPv6 RA when requested
# with the auto6 or +auto6 tag in BOOTPROTO variable.
# Defaults to update if autoconf sysctl (address autoconf) is enabled.
#
AUTO6_UPDATE=""

## Type:        list(auto,yes,no)
## Default:     "auto"
#
# Permits to specify/modify a global ifcfg default. Use with care!
#
# This settings breaks rules for many things, which require carrier
# before they can start, e.g. L2 link protocols, link authentication,
# ipv4 duplicate address detection, ipv6 duplicate detection will
# happen "post-mortem" and maybe even cause to disable ipv6 at all.
# See also "man ifcfg" for further informations.
#
LINK_REQUIRED="auto"

## Type:        string
## Default:     ""
#
# Allows to specify a comma separated list of debug facilities used
# by wicked. Negated facility names can be prepended by a "-", e.g.:
#   "all,-events,-socket,-objectmodel,xpath,xml,dbus"
#
# When set, wicked debug level is automatically enabled.
# For a complete list of facility names, see: "wicked --debug help".
#
WICKED_DEBUG=""

## Type:        list("",error,warning,notice,info,debug,debug1,debug2,debug3)
## Default:     ""
#
# Allows to specify wicked debug level. Default level is "notice".
#
WICKED_LOG_LEVEL=""

I encountered a similar problem. Solution was to hardcode the DNS servers in network connection (using gnome here), both for VPN and wireless access point.

Thanks for sharing the content of /etc/sysconfig/network/config. NETCONFIG_DNS_POLICY="auto" indicates that netconfig is configured to update /run/netconfig/resolv.conf. Can you check whether that file is present and contains sane information? It should contain what is normally in resolv.conf.

Normally you get DNS information from DHCP if you have an “automatic” IP address. For a VPN the DNS also gets pushed. You can override all of that, and it seems you did that partly, but I doubt that is what you want.

cat /run/netconfig/resolv.conf
### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.

So, everything there is commented.
What could have done that?
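
An added example, not part of any post in this thread: a small shell check that separates the cases discussed above (resolv.conf no longer a symlink to netconfig's file, DNS policy disabled, or netconfig having received no DNS servers). The function names and state labels are made up for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify why a netconfig-managed resolv.conf yields no DNS.
# All paths are arguments, so the checks also run on constructed files.

# Print the active (uncommented) nameserver addresses of a resolv.conf file.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1" 2>/dev/null
}

# Print the last NETCONFIG_DNS_POLICY value in a sysconfig file, quotes removed.
dns_policy() {
    grep '^NETCONFIG_DNS_POLICY=' "$1" 2>/dev/null | tail -n 1 |
        cut -d= -f2- | tr -d "\"'"
}

# Args: resolv.conf path, netconfig runtime file, sysconfig network config.
# Prints one of: not-managed, policy-disabled, no-dns-input, ok
resolver_state() {
    resolv=$1
    runtime=$2
    sysconfig=$3
    # netconfig affects resolv.conf only while it links to the runtime file.
    if [ ! -L "$resolv" ] ||
       [ "$(readlink -f "$resolv")" != "$(readlink -f "$runtime")" ]; then
        echo not-managed
    elif [ -z "$(dns_policy "$sysconfig")" ]; then
        echo policy-disabled      # NETCONFIG_DNS_POLICY='' turns DNS updates off
    elif [ -z "$(list_nameservers "$runtime")" ]; then
        echo no-dns-input         # header comments only: no server was supplied
    else
        echo ok
    fi
}

# Constructed sample mirroring the thread: link intact, policy "auto",
# runtime file holding nothing but comments.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '### autogenerated by netconfig!' '#' > "$d/run-resolv.conf"
    ln -s "$d/run-resolv.conf" "$d/resolv.conf"
    printf '%s\n' 'NETCONFIG_DNS_POLICY="auto"' > "$d/config"
    resolver_state "$d/resolv.conf" "$d/run-resolv.conf" "$d/config"
    rm -rf "$d"
}
demo
```

On a real system the three arguments to resolver_state would be /etc/resolv.conf, /run/netconfig/resolv.conf and /etc/sysconfig/network/config.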

We do not know your system nor what has been done on it so that is an almost impossible question to answer.

Did you read the last line of the commented out text? If the sysconfig-netconfig package is installed (check using sudo zypper search netconfig) I would follow that.

sysconfig-netconfig seems to be installed, yes:

Chargement des données du dépôt...
Lecture des paquets installés...

S  | Name                | Summary                                         | Type
---+---------------------+-------------------------------------------------+-------
i+ | libtirpc-netconfig  | Netconfig configuration file for TI-RPC Library | paquet
i+ | sysconfig-netconfig | Script to apply network provided settings       | paquet

I did sudo netconfig update -f but from what I understand it updates /etc/resolv.conf from /run/netconfig/resolv.conf which is not the problem I have (the problem is that there’s nothing - except commented text - in /run/netconfig/resolv.conf).

The problem is how to have netconfig autogenerate the correct config file, and I don’t know how to do that.

Could you please better explain what hardcoding the DNS means?