Package: wireguard-tools
Version: 1.0.20210914-1
Severity: normal

I use wg-quick to set up a tunnel to my home LAN from various wireless (WiFi) networks that I don't control. My /etc/wireguard/wg0.conf contains the line:

    DNS = yy.yy.yy.yy

where yy.yy.yy.yy is a DNS server on my LAN.

With a typical WiFi network, when I initially connect to it, /etc/resolv.conf becomes populated with something like the following:

    nameserver xx.xx.xx.xx
    search nnn.nnn.nnn

When I then do 'wg-quick up', resolv.conf ends up like this:

    nameserver yy.yy.yy.yy
    nameserver xx.xx.xx.xx
    search nnn.nnn.nnn

So DNS queries will generally go through my designated DNS server, which is good, but if something goes wrong with my server, queries will leak out to the DNS server supplied by the WiFi network, which is not good. Similarly, queries for addresses like 'example.com.nnn.nnn.nnn' sometimes end up going out into the DNS system, which is also not good.

I would think that the correct behavior would be for wg-quick to *replace* the existing contents of resolv.conf, rather than just *prepending* the specified DNS server. I understand that, as per the man page, I can presumably get this behavior by using the PostUp and PostDown keys, but I think the default should be changed, or at least that users should be warned of the leak potential in the documentation.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard-tools depends on:
ii  libc6  2.33-7

Versions of packages wireguard-tools recommends:
ii  iptables  1.8.8-1
ii  linux-image-amd64 [wireguard-modules]  5.18.2-1
ii  nftables  1.0.4-1

Versions of packages wireguard-tools suggests:
ii  resolvconf  1.91

-- no debconf information
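Added here as an example, not part of the bug report or of wireguard-tools: a POSIX shell check that flags the leak condition the report describes, given a resolv.conf and the tunnel's DNS server. The function name check_resolv_leak, the sample file contents and the addresses are constructed for the example.

```shell
#!/bin/sh
# check_resolv_leak FILE WG_DNS
# Returns 0 when FILE lists only WG_DNS and has no search list; returns 1
# and reports each offending line when a fallback resolver or a search
# domain remains (the state the report shows after `wg-quick up`).
check_resolv_leak() {
    file=$1
    wg_dns=$2
    leak=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip comments and blank lines before splitting into fields.
        case "$line" in
            '#'*|'') continue ;;
        esac
        set -- $line
        case "$1" in
            nameserver)
                if [ "$2" != "$wg_dns" ]; then
                    printf 'leak: fallback resolver %s still present\n' "$2" >&2
                    leak=1
                fi
                ;;
            search|domain)
                # Unqualified names get suffixed and sent out, which is how
                # 'example.com.nnn.nnn.nnn' lookups escape the tunnel.
                printf 'leak: search list "%s" still present\n' "$*" >&2
                leak=1
                ;;
        esac
    done < "$file"
    return "$leak"
}

# Constructed samples (addresses are made up) mirroring the report: the
# tunnel resolver prepended above the WiFi resolver and search domain,
# versus a resolv.conf that was replaced outright.
WG_DNS=10.0.0.53
PREPENDED=$(mktemp)
printf 'nameserver %s\nnameserver 192.0.2.1\nsearch lan.example\n' "$WG_DNS" > "$PREPENDED"
REPLACED=$(mktemp)
printf 'nameserver %s\n' "$WG_DNS" > "$REPLACED"

check_resolv_leak "$PREPENDED" "$WG_DNS" || echo "prepended: DNS can leak"
check_resolv_leak "$REPLACED" "$WG_DNS" && echo "replaced: no leak"
```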