DNS resolver using NetworkManager

Hi…
I recently installed openSUSE 15.6 Leap, and I found out I can’t set a custom DNS.
Let me explain first…
I just did a clean install of openSUSE 15.6 Leap, triple-booting with Windows 10 and Kubuntu 24.04.1 LTS. After the installation finished, the file /etc/resolv.conf contained:

nameserver 118.98.115.69
nameserver 118.98.115.78

I believe these are my ISP’s DNS servers. Then I added “8.8.8.8,8.8.4.4,1.1.1.1” and “dns.google” in System Settings > Connections > wlan0 > IPv4 tab > Other DNS Servers & Search Domain and restarted the NetworkManager service, and the file /etc/resolv.conf changed to:

search dns.google
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1

The question is:
Why didn’t those settings work? I can say they didn’t work because if I run nslookup reddit.com, the terminal replies with:

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
reddit.com      canonical name = internetpositif.id.
Name:   internetpositif.id
Address: 36.86.63.185

And how do I skip this internetpositif.id? I think this internetpositif.id is a site blocker or whatever the name is.

Sorry for my bad English, and thank you in advance.

Sorry? Your /etc/resolv.conf contains exactly the settings you performed. You need to elaborate on “does not work”.

That isn’t how you post the command results. You copy and paste the entire command line, its output, and subsequent shell prompt. Anyway

This is the server you configured. If something hijacks the DNS request and fakes the answer, it is something outside the scope of openSUSE.

And did you observe the same issue using these servers?
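
Added example, not part of any post in this thread: a shell function that classifies an nslookup transcript the way the replies above read it by hand, reporting which server answered and whether the queried name was redirected by a CNAME to a watchlisted host. The function name, the watchlist parameter and the verdict words are assumptions made for this example; the embedded sample is the transcript from the first post.

```shell
#!/bin/sh
# Added example: classify one `nslookup NAME` transcript read from stdin.
# Prints one line:
#   direct NAME addrs=N via SERVER        no CNAME in the answer
#   cname NAME -> TARGET via SERVER       CNAME to a name not on the watchlist
#   rewritten NAME -> TARGET via SERVER   CNAME chain ends on a watchlisted name
#   noanswer NAME via SERVER              neither CNAME nor address records
classify_nslookup() {
    # $1: queried name. $2: optional space-separated watchlist (assumed default
    # is the block-page name that appears in this thread).
    awk -v q="$1" -v watch="${2:-internetpositif.id}" '
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    BEGIN { q = norm(q); cur = q; n = split(watch, w, " ") }
    # "Server:" names the resolver nslookup addressed, i.e. the configured one.
    $1 == "Server:" { server = $2 }
    # "owner canonical name = target." lines: follow the chain from the query.
    /canonical name =/ { if (norm($1) == cur) { cur = norm($NF); hops++ } }
    # Count answer addresses; the Address line of the Server block has "#port".
    $1 == "Address:" && $2 !~ /#/ { addrs++ }
    END {
        if (server == "") server = "unknown"
        if (hops == 0 && addrs == 0) { print "noanswer " q " via " server; exit }
        if (hops == 0) { print "direct " q " addrs=" addrs " via " server; exit }
        verdict = "cname"
        for (i = 1; i <= n; i++) {
            e = norm(w[i])
            # Match the watchlisted name itself or any subdomain of it.
            if (cur == e || substr(cur, length(cur) - length(e)) == "." e)
                verdict = "rewritten"
        }
        print verdict " " q " -> " cur " via " server
    }'
}

# Sample input: the transcript from the first post of this thread.
sample_thread_output() {
    cat <<'EOF'
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
reddit.com      canonical name = internetpositif.id.
Name:   internetpositif.id
Address: 36.86.63.185
EOF
}

sample_thread_output | classify_nslookup reddit.com
```

A `rewritten ... via 8.8.8.8` verdict means /etc/resolv.conf was honoured and the redirect arrived in the answer itself, which is the case the reply above describes. For a live check, pipe `nslookup NAME` into `classify_nslookup NAME`.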

We do it the easy way (we use KDE Plasma). See the two screenshots that show the steps involved (graphically).

Right-click the Network icon in the System Tray.
Select Configure Network Connections.
… the Configure Network window will pop up.
Select the Connection (left side) that you use (if not already selected).
In the right-pane, select the IPv4 tab.
Enter the IPv4 DNS server dot names, separated by a comma.
Next, click the IPv6 tab.
Enter the IPv6 DNS server colon names, separated by a comma.
Finally, click on Apply button at lower-right.

Output here:

:~> nslookup reddit.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   reddit.com
Address: 151.101.1.140
Name:   reddit.com
Address: 151.101.65.140
Name:   reddit.com
Address: 151.101.129.140
Name:   reddit.com
Address: 151.101.193.140
Name:   reddit.com
Address: 2a04:4e42:600::396
Name:   reddit.com
Address: 2a04:4e42:400::396
Name:   reddit.com
Address: 2a04:4e42::396
Name:   reddit.com
Address: 2a04:4e42:200::396
:~> 


OpenSUSE comes with dnsmasq installed by default. You can make a configuration for the NetworkManager dnsmasq plugin. I used a popular RPM-based distribution tutorial and it should work fine in both Tumbleweed & Slowroll, even with multiple VPN connections, which can make using several VPNs a breeze (for example tailscale + your favorite provider).

The package names (in case you need them) are: dnsmasq and NetworkManager-dns-dnsmasq


Install dnsmasq and configure the DNS forwarder with the YaST2 module “sysconfig” (rpm yast2-sysconfig).

# ls -alh /etc/resolv.conf
lrwxrwxrwx 1 root root 30 27. Aug 19:32 /etc/resolv.conf -> /var/run/netconfig/resolv.conf
# more /etc/resolv.conf 

### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
search invalid
# man resolv.conf

=> If no name server entries are present, the default is to use the 
     name server on the local machine.
# more /etc/dnsmasq.conf |grep -v ^# |sort

cache-size=10000
conf-file=/etc/dnsmasq.d/trust-anchors.conf
dnssec
dnssec-check-unsigned
domain-needed
listen-address=127.0.0.1,::1
resolv-file=/var/run/dnsmasq-forwarders.conf
# more /var/run/dnsmasq-forwarders.conf 

### /run/dnsmasq-forwarders.conf: global dns forwarders
### for use as dnsmasq --resolv-file, autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
nameserver 192.168.1.1
# more /etc/sysconfig/network/config |grep ^NETCONFIG_DNS |sort

NETCONFIG_DNS_FORWARDER="dnsmasq"
NETCONFIG_DNS_FORWARDER_FALLBACK="no"
NETCONFIG_DNS_POLICY="auto"
NETCONFIG_DNS_RANKING="auto"
NETCONFIG_DNS_RESOLVER_OPTIONS=""
NETCONFIG_DNS_RESOLVER_SORTLIST=""
NETCONFIG_DNS_STATIC_SEARCHLIST="invalid"
NETCONFIG_DNS_STATIC_SERVERS=""

That is exactly what I did, but without IPv6 (IPv6 is disabled).
You see “internetpositif.id” in nslookup? It’s a site blocker from my ISP.
I want to skip this “internetpositif” thing so I can see reddit. Other websites loaded okay, well, except porn sites. Maybe it’s called DNS over TLS?

Thanks for the response.
I don’t know exactly how to explain this, but the “internetpositif” thing is a site blocker from my ISP. It blocks reddit, porn sites, etc. And I want to skip this “internetpositif” so I can see reddit again without enabling DNS over HTTPS in Firefox’s settings.

[SOLVED]
Solved using systemd-network
Instruction >> this link
I’m wondering why openSUSE doesn’t include the systemd-network package?


Good you got it fixed.

Another potential fix would be to use /etc/hosts entry, such as:

# this is the /etc/hosts file

0.0.0.0  internetpositif.id

We use that file to block various websites, like ad sites, etc.

My guess is, even if you install it (or it’s installed by default), it’s still not enabled by default (extra software clutter that is most likely not used).

Sorry, it doesn’t work.

Thank you for the response. If I try it and it works, I will report back to you.

Thanks for your response, but I can’t figure out why the nameserver is 192.168.1.1. Could you explain it to me some more? Thanks.

This nameserver 192.168.1.1 is configured by NetworkManager (and in this example by DHCP). Please read the section “NETCONFIG_<set>_POLICY” from

# man 8 netconfig

about NETCONFIG_DNS_POLICY:

By default, the policy is set to the special value auto. This special policy value is resolved differently by netconfig when the NetworkManager is enabled or disabled:

                     NetworkManager is disabled
                            The auto policy value is resolved to a policy "STATIC *".

                     NetworkManager is enabled
                            The  auto  policy value is resolved to "STATIC_FALLBACK NetworkManager" 
                            causing to use the NetworkManager built-in merge policy with a fallback to the
                            static settings defined in netconfig variables when the NetworkManager does 
                            not provide any.

                            Note: NetworkManager is not using any of the statically defined netconfig 
                            settings.
                            Please use the (k)nm connection editor to define yout network settings for the
                            NetworkManager!

Important: Check content of:

/etc/resolv.conf
/run/dnsmasq-forwarders.conf

after execution of command:

# netconfig update -f

or 

# netconfig update -f -v

Example:

# netconfig update -f -v
<13>Nov 14 20:09:07 netconfig: Executing 'update -f -v' for pid 4187
debug: lockfile created (/run/netconfig.pid) for PID 4338
debug: lockfile created
debug: Module order: dns-resolver dns-bind dns-dnsmasq nis ntp-runtime
debug: dns-resolver module called
debug: Resolved dns-policy 'auto' for service 'NetworkManager' to 'STATIC_FALLBACK NetworkManager'
debug: Static Fallback
debug: Use NetworkManager policy merged settings
debug: exec get_dns_settings: /run/netconfig/NetworkManager.netconfig
debug:      get_dns_settings: service 'NetworkManager' => rank '1'
debug:      get_dns_settings: DNS_SEARCHLIST_1='invalid'
debug:      get_dns_settings: DNS_SERVERS_1='192.168.1.1'
debug: exit get_dns_settings: /run/netconfig/NetworkManager.netconfig
debug: write_resolv_conf: ' invalid ' '  '
debug: dns settings written to /run/netconfig/resolv.conf
debug: /etc/resolv.conf is already a link to /run/netconfig/resolv.conf
debug: dns-bind Module called
debug: dns-dnsmasq Module called
debug: Resolved dns-policy 'auto' for service 'NetworkManager' to 'STATIC_FALLBACK NetworkManager'
debug: Static Fallback
debug: Use NetworkManager policy merged settings
debug: exec get_dns_settings: /run/netconfig/NetworkManager.netconfig
debug:      get_dns_settings: service 'NetworkManager' => rank '1'
debug:      get_dns_settings: DNS_SERVERS_1='192.168.1.1'
debug: exit get_dns_settings: /run/netconfig/NetworkManager.netconfig
debug: write_dnsmasq_forwarders:  192.168.1.1  
debug: dns forwarders written to /run/dnsmasq-forwarders.conf
debug: nis Module called
debug: Resolved nis-policy 'auto' for service 'NetworkManager' to 'STATIC_FALLBACK NetworkManager'
debug: Static Fallback
debug: Use NetworkManager policy merged settings
debug: exec get_nis_settings: /run/netconfig/NetworkManager.netconfig
debug: exit get_nis_settings: /run/netconfig/NetworkManager.netconfig
debug: set_nisdomainname:  NetworkManager 12
debug: set_nisdomainname: => no
debug: format_yp_conf called with :
debug: Using static fallback
debug: format_static[0] called
debug: write_yp_conf
debug: nis settings written to /run/netconfig/yp.conf
debug: /etc/yp.conf is already a link to /run/netconfig/yp.conf
debug: ntp-runtime Module called
debug: Resolved ntp-policy '' for service 'NetworkManager' to ''
# ls -alh /var/ |grep -i run$
lrwxrwxrwx  1 root root    4 27. Aug 19:32 run -> /run

Tell me that you have the systemd-resolved service enabled and running, because I can’t get it done without that service. A clean install of openSUSE 15.6 Leap didn’t include that service, which is part of systemd-network.
I’m so frustrated with configuring netconfig; I have tried every value, but none of them worked. The only thing that works is installing the systemd-network package. It works too in Kubuntu 24.04.1 LTS. Kubuntu comes with the systemd-network package.
But thank you anyway, and thank goodness it’s solved now.

openSUSE uses NetworkManager and installing systemd-networkd alongside it might be a potential point of conflict in the future. :warning:
If you’re just using systemd-resolved, make sure to disable/mask the networkd service. Another less invasive measure would have been to use dnscrypt-proxy and use the existing NM config to point to the local dnscrypt resolver.

But I must admit, I’m partial to systemd-* components myself. Using networkd, resolved, and timesyncd on Debian servers.

I am not following this discussion too intensively, but I am curious about this:

What are you trying to achieve with it?

Thank you for your info.

My ISP blocks certain websites, like reddit, online gambling, porn sites, etc. I want to bypass the blocker by using Google’s DNS (or others like Cloudflare, Quad9, etc.).
Like in Android, where I use Private DNS. Or in Firefox, where I use DNS over HTTPS.
That’s what I want to achieve.