[Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS
Nicholas Stommel
1624317 at bugs.launchpad.net
Thu Jun 22 00:50:51 UTC 2017
I have successfully backported Thomas Haller's excellent upstream
solution as detailed in
https://bugzilla.gnome.org/show_bug.cgi?id=783569 This took some time as
things have changed quite a bit upstream, but the patch works on the
current zesty 17.04 1.4.4-1ubuntu3.1 network-manager! This is a much
better fix than the stopgap SetLinkDomains "." bus call based on link
type I included in the previous patch. It should be reviewed for
current application/submission to the package maintainers as it is
basically a direct backport of Haller's fix merged upstream.
NOTE: You MUST set the ipv4.dns-priority to a negative number for the
network-manager to unseat DNS configurations for other non-VPN
interfaces. This patch allows for correct behavior with negative
ipv4.dns-priority: "Negative values have the special effect of excluding
other configurations with a greater priority value; so in presence of at
least a negative priority, only DNS servers from connections with the
lowest priority value will be used." Usage of a negative dns-priority
disables DNS configuration for all other interfaces, ensuring there are
no DNS leaks over a VPN connection using systemd-resolved. Before
Haller's bugfix, this feature did not work with systemd-resolved.
To set the ipv4.dns-priority, open the VPN connection profile you have configured through NM like so:
sudo nano /etc/NetworkManager/system-connections/<VPN-con-profile-name-here>
and add the line (value of -42 recommended by Haller) "dns-priority=-42" so that the file contains something like:
[ipv4]
dns-priority=-42
dns-search=
method=auto
Alternatively, use the command
sudo nmcli connection modify "<VPN-con-profile-name-here>" ipv4.dns-priority -42
And you should see that the config file for that connection contains the same line as shown above. After doing so and patching/installing the patched network manager, you should not experience DNS leaks.
When I am connected to PIA's servers through network-manager-openvpn
using the patched network manager and a negative ipv4.dns-priority set
for my VPN connection, the output of systemd-resolved looks like this
(notice that the Verizon ISP DNS server was 'unseated' and is absent for
the primary wireless link wlo1):
Global
DNSSEC NTA: 10.in-addr.arpa
...(long list of NTAs omitted)...
test
Link 4 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 209.222.18.222
209.222.18.218
Link 2 (wlo1)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
If anyone is curious about support for the routing-only domain in NM,
see the following bug https://bugzilla.gnome.org/show_bug.cgi?id=746422
which is about adding support for routing-only domains for
systemd-resolved (still work in progress).
** Bug watch added: GNOME Bug Tracker #746422
https://bugzilla.gnome.org/show_bug.cgi?id=746422
** Patch added: "systemd-resolved-dns-priority-fix.patch"
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1624317/+attachment/4900587/+files/systemd-resolved-dns-priority-fix.patch
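The comment above verifies the fix by eye: after setting a negative ipv4.dns-priority, only the VPN link (tun0) should carry DNS servers in the systemd-resolved status, and the ISP's resolver should have been unseated from wlo1. The following is an added example, not part of this bug comment or the attached patch, that turns that manual check into a script. It parses text in the shape of `systemd-resolve --status` output and reports any link other than the assumed VPN link (tun0) that still has DNS servers configured. Both status texts are constructed for the example; the "leaking" one uses a documentation address (192.0.2.1) in place of a real ISP resolver.

```shell
#!/bin/sh
# Added example (not the bug report's or NetworkManager's own code).
# Audit systemd-resolved per-link DNS configuration for leaks: with a
# negative ipv4.dns-priority on the VPN connection, only the VPN link
# should have "DNS Servers:" entries in `systemd-resolve --status`.

# Constructed sample: the expected state after the fix (only tun0 has DNS).
SAMPLE_STATUS='Global
       DNSSEC NTA: 10.in-addr.arpa
                   test

Link 4 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 209.222.18.222
                      209.222.18.218

Link 2 (wlo1)
      Current Scopes: LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
'

# Constructed sample: the leaking state (wlo1 still has a resolver, 192.0.2.1
# is a documentation address standing in for an ISP DNS server).
LEAK_STATUS='Link 4 (tun0)
      Current Scopes: DNS
         DNS Servers: 209.222.18.222

Link 2 (wlo1)
      Current Scopes: DNS LLMNR/IPv4
         DNS Servers: 192.0.2.1
'

# Print "<link> <server>" for every per-link DNS server in the status text.
# Global-section servers are ignored; continuation lines (bare addresses
# indented under "DNS Servers:") are attributed to the current link.
links_with_dns() {
    printf '%s\n' "$1" | awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); in_servers = 0; next }
        /^Global/          { link = ""; in_servers = 0; next }
        /DNS Servers:/     { in_servers = 1; sub(/.*DNS Servers:[ \t]*/, "")
                             if ($0 != "" && link != "") print link, $1; next }
        /^[ \t]*[A-Za-z].*:/ { in_servers = 0; next }   # any other "Key: value" line ends the list
        in_servers && NF && link != "" { print link, $1 }
    '
}

# Return 0 if only the named VPN link carries DNS servers, 1 (with a message
# on stderr) if any other link still does, i.e. a DNS leak is possible.
check_no_leak() {
    status_text="$1"
    vpn_link="$2"
    leaks=$(links_with_dns "$status_text" | awk -v vpn="$vpn_link" '$1 != vpn { print $1 }' | sort -u)
    if [ -n "$leaks" ]; then
        echo "DNS leak: non-VPN links still have DNS servers: $leaks" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples.
check_no_leak "$SAMPLE_STATUS" tun0 && echo "after fix: no leak"
check_no_leak "$LEAK_STATUS" tun0 || echo "before fix: leak detected"
```

On a live system the same check is `check_no_leak "$(systemd-resolve --status)" tun0` after the VPN is up; the link name is whatever `ip link` shows for the tunnel, and `nmcli -g ipv4.dns-priority connection show "<VPN-con-profile-name-here>"` confirms the negative priority is actually set on the profile before trusting the result.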
Title:
systemd-resolved breaks VPN with split-horizon DNS
Status in systemd:
New
Status in network-manager package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Confirmed
Status in network-manager source package in Artful:
Confirmed
Status in systemd source package in Artful:
Confirmed
Bug description:
I use a VPN configured with network-manager-openconnect-gnome in which
a split-horizon DNS setup assigns different addresses to some names
inside the remote network than the addresses seen for those names from
outside the remote network. However, systemd-resolved often decides
to ignore the VPN’s DNS servers and use the local network’s DNS
servers to resolve names (whether in the remote domain or not),
breaking the split-horizon DNS.
This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
https://bugzilla.redhat.com/show_bug.cgi?id=1151544