[Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS
Nicholas Stommel
1624317 at bugs.launchpad.net
Wed Oct 25 17:17:53 UTC 2017
I'm not sure about split-horizon DNS; frankly, I think that is a
different bug entirely. However, I have had no problems with DNS leaks
over my VPN connections whatsoever on Ubuntu 17.10. The bugfix I
personally requested from the NM-devs and backported to Ubuntu 17.04
(running NetworkManager v1.4.x) was effectively just patching the
negative dns-priority bug related to systemd-resolved. From
'man nm-settings': "Negative values have the special effect of excluding other
configurations with a greater priority value; so in presence of at least
a negative priority, only DNS servers from connections with the lowest
priority value will be used." This means that DNS servers configured for
the non-VPN connection will be 'unseated' and ONLY the VPN-configured
DNS servers are used.
Ubuntu 17.10 is running NetworkManager v1.8.4, so Thomas Haller's merged
bugfix is present and working. You MUST use the command:
'sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42'
or similar to actually set negative DNS priority for the VPN connection.
Restart the network manager with 'sudo service network-manager restart',
then connect to the VPN. Examine the output of
'systemd-resolve --status' and use the 'Extended' test on
dnsleaktest.com to verify that
you are not leaking DNS queries. I use openvpn, but setting negative dns
priority should work for preventing DNS leaks over regular VPN
connections of all kinds as a kind of 'catch-all'.
Auto-connecting to openvpn through the GUI is a little troublesome in 17.10, but this 'fix' worked for me:
https://askubuntu.com/questions/967408/how-to-automatically-connect-to-vpn-in-ubuntu-17-10/967415#967415
--
You received this bug notification because you are a member of Network-
manager, which is subscribed to NetworkManager.
https://bugs.launchpad.net/bugs/1624317
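
An added example, not part of the original message: a shell check over the per-link resolver status the message says to examine, listing any link other than the VPN link that still holds DNS servers. It assumes that once the negative dns-priority is in effect only the VPN link should list servers; the function names, the interface names (tun0, enp0s3), the addresses and the status layout in the sample are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag links other than the VPN link that still hold DNS servers.

# Constructed sample in the per-link layout of 'systemd-resolve --status'
# (assumed layout; interface names and addresses are made up).
sample_status() {
cat <<'EOF'
Global
          DNSSEC NTA: 10.in-addr.arpa
                      corp

Link 3 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
         DNS Servers: 10.8.0.1
                      fd00::53
          DNS Domain: ~.

Link 2 (enp0s3)
      Current Scopes: DNS
       LLMNR setting: yes
         DNS Servers: 192.168.1.1
EOF
}

# Read status text on stdin; print "<interface> <server>" per link-level server.
dns_by_link() {
  awk '
    /^Link [0-9]+ \(/   { iface = $3; gsub(/[()]/, "", iface); in_dns = 0; next }
    /^Global/           { iface = ""; in_dns = 0; next }
    /^ *DNS Servers: /  { in_dns = 1; if (iface != "") print iface, $NF; next }
    /: /                { in_dns = 0; next }  # any other "Label: value" line
    in_dns && NF == 1 && iface != "" { print iface, $1 }  # continuation line
  '
}

# Print servers on links other than $1 (the VPN interface); status 1 if any.
non_vpn_dns() {
  dns_by_link | awk -v vpn="$1" '$1 != vpn { print; bad = 1 } END { exit bad + 0 }'
}

# Demo on the sample; on a real host pipe the live status output in instead.
if ! sample_status | non_vpn_dns tun0; then
  echo "DNS servers remain on a non-VPN link" >&2
fi
```

On a real host, replace sample_status with the live status command and pass the actual VPN interface name.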