Browser - not working alongside dnsmask

Yes:

[root@xperia ~]# netstat -anup | grep 53
udp        0      0 127.0.0.1:53   0.0.0.0:*  4418/connmand

Just add ‘-r’ to connmand’s command line:

[root@xperia connman]# connmand --help
...
-r, --nodnsproxy            Don't enable DNS Proxy

If that’s a good idea is an entirely different topic. In walled gardens that block DNS queries to outside servers, only connman will know the working server’s IP.

In what file shall I add (or uncomment) this line?
edit: Is it /etc/connman/main.conf? There are also other config files like firewall.conf, connman-vpn.conf and vpn-dbus-access.conf. What file is the right one?

Walled garden… yes, a little, to have my peace from unwanted data traffic to and from some unwanted tracking + advertising servers and so on. This makes browser slow, maybe leads sometimes or often to the Sailfish Browsers OOM problem, and last but not least, privacy…

systemctl status connman shows you the location of its service configuration. On my Jolla it’s /usr/lib/systemd/system/connman.service.

The line starting with ExecStart contains the command used to start connmand and there are two environment variables at the end that might hold additional parameters. There are two lines defining possible locations:

EnvironmentFile=-/etc/sysconfig/connman
EnvironmentFile=-/var/lib/environment/connman/*.conf

So you can e.g. define SYSCONF_ARGS=-r in /etc/sysconfig/connman or in a file like /var/lib/environment/connman/no_dns_proxy.conf. Or you edit the unit file itself, but that won’t survive an update.

I’m doing something similar but use a DNS server hosted at home. A small service on my phone waits on the system bus for connection changes and reconfigures connman to use my DNS server instead of the default provided by an operator. You just have to be aware, that that will break connectivity in some networks, that want to avoid DNS tunneling.

The file
sftp://defaultuser@gateway/usr/lib/systemd/system/connman.service.d/01-prevent-start.conf
looks suitable, shall I try to insert a line

-r, --nodnsproxy            Don't enable DNS Proxy

there? And can this break the VPN? If this is a risk then I should better deny myself this experiment…

Let’s briefly run to a full sequence of commands, all executed as user root. The output is often truncated.

# netstat -nplu | grep 53
udp   0 0 127.0.0.1:53  0.0.0.0:*     1234/connmand 

i.e. connman is listening on the DNS port.

# zypper in dnsmasq
# systemctl restart dnsmasq
# systemctl status dnsmasq
...
dnsmasq[32559]: failed to create listening socket for port 53: Address already in use
...

dnsmasq didn’t start since connmand already claimed port 53.

# echo "SYSCONF_ARGS=-r" > /var/lib/environment/connman/no_dns_proxy.conf
# systemctl restart connman
# netstat -nplu | grep 53

No listening server any more on port 53 …

# systemctl restart dnsmasq
# systemctl status dnsmasq
...
 Active: active (running)
...

Now dnsmasq is up and running.

To revert the whole transaction, stop and disable dnsmasq, remove /var/lib/environment/connman/no_dns_proxy.conf, and restart connman.

That’s hard to answer from here. DNS and VPN is always a pain. If everything is routed through the VPN and the parent DNS is reachable, you should be fine. For cases with multiple company networks with their own DNS servers responsible for different domains and connected via different VPNs I’ve even extended my dnsmock.

With developer mode enabled the changes are easily rolled back though.

Two ways:

systemctl edit --full connman.service (as root)
and edit the ExecStart line

This will create a systemd service override in /etc/systemd/system/connman.service.

Or:

mkdir -p /var/lib/environment/connman/
echo 'CONNMAN_ARGS="$CONNMAN_ARGS --nodnsproxy"' > /var/lib/environment/connman/no-dns.conf

Not tested either variant, but reading the .service file that is how that should work.

Thank you @nephros ! Network is back again and it works now fine!

I checked if there are entries in /etc/resolv.conf and there were 3 ‘nameserver x.x.x.x’ entries.

Then I added the ‘-r’ using the systemctl edit --full connman.service command and executed a
systemctl restart connman and a
systemctl restart dnsmasq

Now everything works as expected, some content in various websites is no more displayed, that shows me that some outgoing requests are successfully blocked. The rest is much faster now.

Thank you so much @nephros , @martinh and @phklrz !

edit: Now I checked /etc/systemd/system/connman.service again and there was no -r visible. So I inserted it manually by vi editor to be sure that the effect of the command systemctl edit --full connman.service will really remain permanently. Then I had to restart ‘connman’ by systemctl restart connman and turn ‘Mobile access point’ on again. I hope the change will now remain permanently.

Where can I find the DNS addresses, that connman originally uses? I searched for hours and can’t find it any more.

Connman creates a symlink /etc/resolv.conf instead of text file that points to connman resolv.conf files.

This is what I want to know, what connman resolv.conf file it is, where the DNS server addresses are. In a lot of connman conf files I found, I couldn’t find any DNS server address. But some time ago I saw somewhere that this entry exists, but have no idea where this was.

This thread is more appropriate.
It looks interesting and like dnsmasq is taking control over DNS from DHCP. Stop dnsmasq and then restart connman, you should see DNS’s from router then.