dnsane is a DNS proxy that filters responses from upstream DNS servers to provide clients with DNS responses that match IP protocol version(s) supported by NetworkManager's "Primary Connection."
In other words, if your primary connection in NetworkManager is a WiFi network that only supports IPv4, dnsane makes sure that no DNS responses will contain records for AAAA / IPv6. This sounds nuts, right? See the "Why?" section.
dnsane relies entirely on NetworkManager to provide it with DNS nameservers and connection priority information. dnsane uses the DNS nameservers configured for the primary NetworkManager connection. Connection status changes in NetworkManager cause dnsane to reload/refresh the nameserver list from NetworkManager, in case the list was modified by whatever caused the status change.
dnsane does not attempt to prioritize connections by type/interface or nameservers; those priorities can be set in NetworkManager.
This was made primarily to address a common problem for networked devices that are multi-homed, where DNS responses might "convince" certain apps to connect over a lower priority / non-preferred connection when they should be using something else.
A classic example of this is a phone connected to a mobile data network that supports both IPv4 and IPv6, and a (preferred) WiFi network that is IPv4-only. Some apps query both A and AAAA records for a given domain and may then choose (for whatever dumb reason) to use the AAAA record. Unfortunately this means the connection goes over the only link with routable IPv6... the mobile data connection, even though the app received a valid A record and could have used the preferred WiFi connection.
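The filtering step described above, as an added example that is not dnsane's own code: a small Python module that parses a DNS wire-format response, drops the answer records whose address family the primary connection cannot use (AAAA on an IPv4-only link), and re-encodes the surviving records with uncompressed names so that removing bytes cannot leave dangling compression pointers (RFC 1035 section 4.1.4). The function names and the sample response are constructed for this example.

```python
"""Strip address records of an unsupported IP family from a DNS response.

Added example, not dnsane's own code. The question and the kept answers are
re-encoded with uncompressed names, because compression pointers in a kept
record may reference bytes inside a record being removed.
"""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_AAAA = 1, 2, 5, 12, 28
# rdata of these types is a single (possibly compressed) domain name
NAME_RDATA_TYPES = {TYPE_NS, TYPE_CNAME, TYPE_PTR}


def read_name(msg: bytes, off: int):
    """Return (uncompressed wire name, offset just past the name at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 2 bytes, 14-bit target offset
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                    # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            end = off + 1 if end is None else end
            return b"".join(labels) + b"\x00", end
        labels.append(msg[off:off + 1 + length])
        off += 1 + length


def filter_response(msg: bytes, allowed_types) -> bytes:
    """Keep only answer RRs whose TYPE is in allowed_types.

    Authority and additional sections are discarded: their compressed names
    may point into the bytes of records that are being removed.
    """
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off, question = 12, b""
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        question += name + msg[off:off + 4]   # QTYPE, QCLASS
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in NAME_RDATA_TYPES:         # decompress the embedded name
            rdata, _ = read_name(msg, off)
        off += rdlen
        if rtype in allowed_types:
            answers.append(name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata)
    header = struct.pack("!6H", ident, flags, qdcount, len(answers), 0, 0)
    return header + question + b"".join(answers)


def filter_for_connection(msg: bytes, ipv4: bool, ipv6: bool) -> bytes:
    """Allow only the address families the primary connection supports.
    CNAMEs are always kept so that alias chains still resolve."""
    allowed = {TYPE_CNAME}
    if ipv4:
        allowed.add(TYPE_A)
    if ipv6:
        allowed.add(TYPE_AAAA)
    return filter_response(msg, allowed)


def answer_types(msg: bytes):
    """Return the TYPE of each answer RR (used to inspect the result)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4
    types = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types


def _sample_response() -> bytes:
    """Constructed (not captured) reply: www.example.com CNAME example.com,
    then A and AAAA for example.com, using compression pointers."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", TYPE_AAAA, 1)
    # owner name -> offset 12 (question name); rdata -> offset 16 ("example.com")
    cname = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, 2) + b"\xC0\x10"
    # owner name -> offset 45, which is itself the pointer inside the CNAME rdata
    a = b"\xC0\x2D" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + ipaddress.ip_address("192.0.2.1").packed
    aaaa = b"\xC0\x2D" + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16) + ipaddress.ip_address("2001:db8::1").packed
    return header + question + cname + a + aaaa


SAMPLE_RESPONSE = _sample_response()

if __name__ == "__main__":
    print("upstream:", answer_types(SAMPLE_RESPONSE))
    print("ipv4-only:", answer_types(filter_for_connection(SAMPLE_RESPONSE, ipv4=True, ipv6=False)))
```

For an AAAA query on an IPv4-only link the filtered reply keeps the header flags (NOERROR) and the question but carries no AAAA answer, which a stub resolver treats as "no data"; the application then falls back to the A record it also asked for. Only A, AAAA and CNAME answers are expected to survive, so the name decompression covers the record types of an address-lookup chain; a filter that also kept MX, SOA or SRV answers would need to decompress the names inside that rdata as well.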
"dnsane" is a portmanteau of "DNS" and "insane", the "DNS" part comes from this being a DNS proxy filter thing, and "insane" is from how I feel after trying to find some way to resolve this multi-homed problem before settling on this silly app.
If you have a better name, send me a patch.
To install locally:

    $ make install
There's an openrc runscript under the openrc directory that can be used to
Dependencies:

- NetworkManager
- dbus (system session, for communication with NM)
dnsane binds to a port on localhost. The preferred way to run it is to configure NetworkManager to stop managing resolv.conf:

    # /etc/NetworkManager/conf.d/99-no-resolv.conf
    [main]
    dns=none

and then point resolv.conf at dnsane:

    # /etc/resolv.conf
    nameserver 127.0.0.1
Now any DNS lookups (e.g. from libc) that use resolv.conf will have responses filtered by dnsane.
Send patches and questions to the dnsane mailing list: https://lists.sr.ht/~craftyguy/dnsane
All patches should complete make test successfully.
New filters should come with benchmarks, and changes to existing filters should include some before/after benchmark data in the commits.