I must have hit this bug on the upgrade from 16.10 to 17.04.
Result: DNS queries not working if not using FQDNs for my VPNs.
Time to find a workaround and so here’s my new configuration (note: see the update part at the end of the post).
Before you go on: if you try this, you will lose DNS resolution before you finish this setup. This will break your connections. So, ensure that you are able to roll back all the changes, or don’t do this.
First, I got rid of the systemd-resolved service:
sudo systemctl disable systemd-resolved.service
And resolvconf along with it:
sudo systemctl disable resolvconf.service
Then I installed openresolv:
sudo apt install openresolv
At this point /etc/resolv.conf should no longer be a link, but a real file. Remove the link so that NetworkManager will recreate a file at /etc/resolv.conf:
sudo unlink /etc/resolv.conf
I then ensured that NetworkManager was using dnsmasq for DNS; that is, this line must be present and uncommented in /etc/NetworkManager/NetworkManager.conf:
Using NetworkManager itself for DNS resolution will also work (dns=default), but then you will hit the limit of resolv.conf (i.e. max. 3 nameservers will work).
Then, restart NetworkManager:
sudo systemctl restart NetworkManager
With this configuration, search domains and nameservers work as expected, and they can be configured in the NetworkManager GUI.
For more details about NetworkManager: https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html.
UPDATE: 09 Aug 2017
Since one of the VPNs was misconfigured and was sending wrong nameserver information, I took an even more drastic approach and decided to manage the DNS setup manually via dnsmasq.
In addition to the above, I then uninstalled openresolv, and set
in /etc/NetworkManager/NetworkManager.conf to get full control over /etc/resolv.conf.
I installed dnsmasq and configured the nameservers for the domains there, e.g.:
with a plain and simple resolv.conf:
search example.domain
nameserver 127.0.0.1
This setup requires some maintenance if I have to add new VPNs or change the nameservers for the existing ones, but at least it should be stable!
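A quick way to check the result of the dnsmasq setups described above, as an added example that is not part of the original post: the shell function below audits a resolv.conf-style file for the points made here (a real file rather than a link, the 3-nameserver limit, a local first nameserver, a search list for non-FQDN names). The function name, its return codes and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): audit a resolv.conf-style file.
# check_resolv_conf is a hypothetical helper; returns 0 = ok, 1 = warnings, 2 = unusable.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    status=0
    # The post expects a real file here, not a link.
    if [ -L "$file" ]; then
        echo "WARN: $file is a symlink to $(readlink "$file")"
        status=1
    fi
    if [ ! -r "$file" ]; then
        echo "FAIL: $file is missing or unreadable"
        return 2
    fi
    # Only the first 3 nameserver lines are used by the resolver.
    ns_count=$(awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$file")
    if [ "$ns_count" -eq 0 ]; then
        echo "FAIL: no nameserver entries"
        return 2
    elif [ "$ns_count" -gt 3 ]; then
        echo "WARN: $ns_count nameservers listed, only the first 3 are used"
        status=1
    fi
    # With dnsmasq in front, the first nameserver should be a loopback address.
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    case $first_ns in
        127.*|::1) echo "OK: first nameserver is local ($first_ns)" ;;
        *) echo "WARN: first nameserver $first_ns is not local"
           status=1 ;;
    esac
    # Non-FQDN names resolve only through the search list.
    search=$(awk '$1 == "search" { $1 = ""; sub(/^ +/, ""); s = $0 } END { print s }' "$file")
    if [ -z "$search" ]; then
        echo "WARN: no search domains, short names will not be expanded"
        status=1
    else
        echo "OK: search domains: $search"
    fi
    return "$status"
}

# Constructed sample: the resolv.conf shown in the update section of the post.
sample=$(mktemp)
printf 'search example.domain\nnameserver 127.0.0.1\n' > "$sample"
check_resolv_conf "$sample"
rm -f "$sample"
```

Called without an argument, the function checks /etc/resolv.conf itself.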