[Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS
Dimitri John Ledkov
launchpad at surgut.co.uk
Thu Jul 6 12:32:39 UTC 2017
@ Nicholas Stommel (nstommel)
Could you please help to update the bug description SRU template to fix this issue in 17.04?
I do not fully understand the issue at hand, but I do have access to VPN and can set VPN setting in Netowrk Manager to route all traffic through VPN. After doing that, I should check dns-leak website?! to make sure all responses come from the VPN's DNS server rather than my ISP/public DNS servers? A write up of easy steps would be nice like:
1) check dns leak website, record dns servers
2) connect to vpn
3) check dns leak website again
expected: servers in #3 should be behind vpn, and different from public
dns servers listed in #1. Or some such.
Would you be able to distill testcase steps into easy steps that anybody
with a VPN connection setup via network manager can reproduce? This way
we will be able to validate this issue and release a stable release
update.
** Description changed:
+ [Impact]
+
+ * NetworkManager incorrectly handles dns-priority of the VPN-like
+ connections, which leads to leaking DNS queries outside of the VPN into
+ the general internet.
+
+ * Upstream has resolved this issue in master and 1.8 to correctly
+ configure any dns backends with negative dns-priority settings.
+
+ [Test Case]
+
+ #FIXME#
+
+ * detailed instructions how to reproduce the bug
+
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
+
+ #FIXME#
+
+ [Regression Potential]
+
+ * If this issue is changed DNS resolution will change, for certain
+ queries, to go via VPN rather than general internet. And therefore, one
+ may get new/different results or even loose access to resolve/access
+ certain parts of the interent depending on what the DNS server on VPN
+ chooses to respond to.
+
+ [Other Info]
+
+ * Original bug report
+
I use a VPN configured with network-manager-openconnect-gnome in which a
split-horizon DNS setup assigns different addresses to some names inside
the remote network than the addresses seen for those names from outside
the remote network. However, systemd-resolved often decides to ignore
the VPN’s DNS servers and use the local network’s DNS servers to resolve
names (whether in the remote domain or not), breaking the split-horizon
DNS.
This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
https://bugzilla.redhat.com/show_bug.cgi?id=1151544
** Changed in: network-manager (Ubuntu Zesty)
Status: New => Confirmed
--
You received this bug notification because you are a member of Network-
manager, which is subscribed to NetworkManager.
https://bugs.launchpad.net/bugs/1624317
Title:
systemd-resolved breaks VPN with split-horizon DNS
To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager/+bug/1624317/+subscriptions
More information about the Ubuntu-reviews
mailing list