I have latest clean Ubuntu 14.04.1 64-bit from official website installed in Virtualbox. I connect to a VPN network using vpnc that sets 2 DNS servers using DHCP:
user@virtual:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.88.94.1
nameserver 8.8.8.8
nameserver 10.40.0.1
Where 10.88.94.1 and 8.8.8.8 are returned by vpn dhcp and 10.40.0.1 is returned by lan dhcp. The first DNS server returned by vpn dhcp is configured as an authoritative, non-recursive name server for some internal names.
The problem is - Ubuntu somehow ignores the authoritative flag and discards the valid response because it's non-recursive:
user@virtual:~$ nslookup
> video.something.com
;; Got recursion not available from 10.88.94.1, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: video.something.com
Address: 180.112.94.1
As tcpdump clearly shows, the answer from the first DNS server has the 'authoritative' flag set, but somehow it is ignored ('*' in the second response is for "authoritative", '-' is for "non-recursive"):
13:23:44.505098 IP 10.40.130.209.44159 > 10.88.94.1.domain: 63790+ A? video.something.com. (32)
13:23:44.506285 IP 10.88.94.1.domain > 10.40.130.209.44159: 63790*- 1/0/0 A 10.88.94.12 (48)
13:23:44.506390 IP 10.40.130.209.45437 > 8.8.8.8.domain: 63790+ A? video.something.com. (32)
13:23:44.608414 IP 8.8.8.8.domain > 10.40.130.209.45437: 63790 1/0/0 A 180.112.94.1 (48)
The same setup works as expected (the first DNS result is used) on both Windows and OSX. But not on Ubuntu. Is it something I can fix in Ubuntu in order for authoritative responses to be processed correctly regardless of the "non-recursive" flag, or is it completely broken and there is nothing I can do?
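As an added illustration of the two tcpdump replies above (example code, not from the question or any answer), this builds two DNS responses from constructed sample bytes, decodes the header flags, and applies the rule the client in the question follows: a reply with RA clear is skipped even when AA is set. Message layout and flag bits follow RFC 1035; the "skip on RA clear" rule mirrors the nslookup output shown, not an actual resolver implementation.

```python
import struct
# Flag bits of the DNS header's second 16-bit word (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def build_response(txid, name, ip, aa, ra):
    """Construct a minimal one-answer A response (sample data, not a real capture)."""
    flags = QR | RD | (AA if aa else 0) | (RA if ra else 0)    # RD is echoed from the query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)   # QDCOUNT=1, ANCOUNT=1
    question = qname + struct.pack("!HH", 1, 1)                # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata  # name -> offset 12
    return header + question + answer

def parse_header(msg):
    """Decode ID, flag bits and RCODE; tcpdump prints AA as '*' and a clear RA as '-'."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x000F, "ancount": an}

def first_a_record(msg):
    """Return the dotted IPv4 in the first answer RR, or None if it is not an A record."""
    pos = 12
    while msg[pos] != 0:                  # skip the QNAME labels
        pos += msg[pos] + 1
    pos += 1 + 4                          # root label, QTYPE, QCLASS
    if (msg[pos] & 0xC0) == 0xC0:         # owner name given as a compression pointer
        pos += 2
    else:                                 # or spelled out in full
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    rdata = msg[pos + 10:pos + 10 + rdlen]
    return ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else None

def accepted_by_recursion_wanting_client(msg):
    """Mirror the client behaviour in the question: RA clear means 'recursion not
    available', so the reply is skipped even though AA is set and the answer is valid."""
    h = parse_header(msg)
    return h["qr"] and h["rcode"] == 0 and h["ra"]

if __name__ == "__main__":
    internal = build_response(63790, "video.something.com", "10.88.94.12", aa=True, ra=False)
    public = build_response(63790, "video.something.com", "180.112.94.1", aa=False, ra=True)
    for server, msg in (("10.88.94.1", internal), ("8.8.8.8", public)):
        h = parse_header(msg)
        print(server, "AA=%d RA=%d" % (h["aa"], h["ra"]), first_a_record(msg),
              "used" if accepted_by_recursion_wanting_client(msg) else "skipped, trying next server")
```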
The kind of fallback behavior you seem to expect is not part of how DNS is supposed to work. The second nameserver in resolv.conf should only be contacted in the event that the first does not respond or there is some other sort of network error.
Microsoft have apparently done their own thing, and it certainly is useful for what you are trying to do, but it should not be relied upon for setting up a VPN. Microsoft also has a notion of using different name resolution for different network interfaces.
If you can't influence the VPN configuration, your best bet on Linux might be to set up your own nameserver which decides where to forward requests to by domain.
In order for DNS recursion to work for an Ubuntu bind9 server, you would ensure the following lines are in /etc/bind/named.conf.options on the DNS server:
With that said, you claim that you do not have access to the DNS servers. In that case, have you considered changing the order of your DNS servers? For example, if you take your last DNS entry of...
and put it in a file at /etc/resolvconf/resolv.conf.d/head, then run the resolvconf -u command, the entry would then be automatically added to the top of /etc/resolv.conf. What this does is make 10.40.0.1 the first DNS server to use, and then it checks the VPN records after that (assuming that 10.40.0.1 allows for DNS recursion).