NetworkManager DNS handling
Each connection contains static IPv4 and IPv6 DNS parameters in the ipv{4,6}.dns, ipv{4,6}.dns-search options. When the connection is activated, such parameters are merged together, as well as parameters received dynamically through DHCP or pushed by VPNs. Dynamic parameters are ignored if the ipv{4,6}.ignore-auto-dns property is set.
When there are multiple active connections, the resulting DNS configuration is the union of all connections' configurations. How they are merged together depends on the dns mode, selected by the dns option in NetworkManager.conf.
Default DNS backend
For dns=default, i.e. when NetworkManager updates resolv.conf, name servers from all connections are added to resolv.conf ordered by the value of ipv{4,6}.dns-priority. All search domains are also added to resolv.conf as 'search domain1 domain2 ...", as well as options from ipv{4,6}.dns-options. If there is a connection with a negative DNS priority in the ipv{4,6} configuration, that configuration is used and all other configurations are ignored.
dnsmasq and systemd-resolved backends
For dns=dnsmasq and dns=systemd-resolved NetworkManager configures split DNS, i.e. uses name servers provided by a connection only for search domains associated to that connection. For example, if a connection provides name server 1.2.3.4 and domain 'foo.com', and another connection provides name server 5.6.7.8 and domain 'bar.com', queries for all names ending in 'foo.com' will go only to the first name server, while queries for the 'bar.com' domain only to the second one.
Queries for names not matching any search domain are directed by default through connections that have the default search domain ~. Such domain is assigned automatically to all connections with the default route, or can be added explicitly by users to the ipv4.dns-search and ipv6.dns-search connection properties.
In cases where no connection has a default route, the default DNS domain is automatically added to all non-VPN connections that define a name server.
It is possible to tweak the precedence of name servers using the ipvx.dns-priority property of a connection's IP configuration. The priority is evaluated according to these rules:
- when two IP configurations provide the same domain with different priorities, the one from the IP configuration with lower priority (higher value) is ignored;
- if an IP configuration specifies a domain and a negative priority, any subdomain of that domain from other IP configurations is ignored.
By default VPN have a DNS priority of 50 and other connections 100.