[Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS
Dimitri John Ledkov
launchpad at surgut.co.uk
Thu Jul 6 12:21:23 UTC 2017
** No longer affects: systemd (Ubuntu)
** No longer affects: systemd (Ubuntu Artful)
** Project changed: systemd => network-manager
** Changed in: network-manager
Importance: Undecided => Unknown
** Changed in: network-manager
Status: New => Unknown
** Changed in: network-manager
Remote watch: None => GNOME Bug Tracker #783569
** Also affects: network-manager (Ubuntu Zesty)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1624317
Title:
systemd-resolved breaks VPN with split-horizon DNS
Status in NetworkManager:
Unknown
Status in network-manager package in Ubuntu:
Confirmed
Status in network-manager source package in Zesty:
Confirmed
Status in network-manager source package in Artful:
Confirmed
Bug description:
[Impact]
* NetworkManager incorrectly handles dns-priority of the VPN-like
connections, which leads to leaking DNS queries outside of the VPN
into the general internet.
* Upstream has resolved this issue in master and 1.8 to correctly
configure any dns backends with negative dns-priority settings.
[Test Case]
#FIXME#
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
#FIXME#
[Regression Potential]
* If this issue is changed, DNS resolution will change, for certain
queries, to go via VPN rather than general internet. And therefore,
one may get new/different results or even lose access to
resolve/access certain parts of the internet depending on what the DNS
server on VPN chooses to respond to.
[Other Info]
* Original bug report
I use a VPN configured with network-manager-openconnect-gnome in which
a split-horizon DNS setup assigns different addresses to some names
inside the remote network than the addresses seen for those names from
outside the remote network. However, systemd-resolved often decides
to ignore the VPN’s DNS servers and use the local network’s DNS
servers to resolve names (whether in the remote domain or not),
breaking the split-horizon DNS.
This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
https://bugzilla.redhat.com/show_bug.cgi?id=1151544
To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager/+bug/1624317/+subscriptions