Package: ifupdown
Version: 0.8.44
Severity: important

Dear Maintainer,

/etc/network/if-up.d/resolved has a bug where it uses the variable $DOMAINS as 
the value for search domains.
$DOMAINS is DOMAINS=DOMAINS or DOMAINS=DOMAINS6 and should never be used
in search.

The current code always adds:

search DOMAINS

to /run/systemd/resolve/stub-resolv.conf


Using ifupdown with systemd-resolved, this might cause the system to
resolve localhost.domains (a domain used for distributing malware).


The lines in /etc/network/if-up.d/resolved with issues:

DOMAINS=$(echo $DOMAINS6 $DOMAINS)
...

                if [ "$DOMAINS6" ] || [ "$DOMAINS" ]; then
                    resolvectl domain "$ifindex" $DOMAINS6 $DOMAINS || resolvectl_failed=$?
                else
...

In both cases $NEW_DOMAINS should be used instead of $DOMAINS6 $DOMAINS.

--- ./debian/if-up.d/resolved.orig      2025-10-01 12:22:21.109339421 +0100
+++ ./debian/if-up.d/resolved   2025-10-01 12:23:05.414919055 +0100
@@ -90,7 +90,7 @@
 LLMNR=yes
 MDNS=no
 SERVERS=$(echo $DNS6 $DNS)
-DOMAINS=$(echo $DOMAINS6 $DOMAINS)
+DOMAINS=$(echo $NEW_DOMAINS)
 EOF
             if [ -n "$DEFAULT_ROUTE" ]; then
                 cat <<EOF >>"$statedir/$ifindex"
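Review bot: NEW_DOMAINS is read in the added `DOMAINS=$(echo $NEW_DOMAINS)` line but is assigned somewhere outside this hunk, so it cannot be seen here that it is set on every path that reaches this point; please confirm that, since an unset value would write an empty `DOMAINS=` entry. The neighbouring `SERVERS=$(echo $DNS6 $DNS)` line is built the same way the old DOMAINS line was, so it is worth checking whether it needs a matching change.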
@@ -104,8 +104,8 @@
             if systemctl --quiet is-active systemd-resolved; then
                 resolvectl llmnr "$ifindex" yes || resolvectl_failed=$?
                 resolvectl mdns "$ifindex" no || resolvectl_failed=$?
-                if [ "$DOMAINS6" ] || [ "$DOMAINS" ]; then
-                    resolvectl domain "$ifindex" $DOMAINS6 $DOMAINS || 
resolvectl_failed=$?
+                if [ "$NEW_DOMAINS" ]; then
+                    resolvectl domain "$ifindex" $NEW_DOMAINS || 
resolvectl_failed=$?
                 else
                     resolvectl domain "$ifindex" "" || resolvectl_failed=$?
                 fi
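Review bot: in the added `resolvectl domain "$ifindex" $NEW_DOMAINS` call the variable is expanded unquoted, which gives the word splitting needed for several domains but also applies pathname expansion to the value; consider disabling globbing (`set -f`) around the call or validating the entries before they are passed on. Separately, both the removed and the added `resolvectl domain` lines are wrapped after `||` in this mail, so the patch will not apply as sent; attaching it as a file avoids that.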



-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.16.9+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ifupdown depends on:
ii  adduser   3.153
ii  iproute2  6.16.0-1
ii  libc6     2.41-12

Versions of packages ifupdown recommends:
pn  dhcpcd-base | dhcp-client  <none>

Versions of packages ifupdown suggests:
ii  ppp     2.5.2-1+1.1
pn  rdnssd  <none>
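
A check for the symptom this report describes, as an added example rather than code from ifupdown or from the reporter: it scans a resolv.conf-style file for `search` entries (and, going slightly beyond the report, `domain` entries) that are the literal names DOMAINS or DOMAINS6. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the placeholder search domain described in this report.

# find_placeholder_domains FILE   (hypothetical helper name)
# Prints "FILE:LINE: TOKEN" for each search/domain entry that is the literal
# variable name DOMAINS or DOMAINS6; returns 1 if any was found, 0 otherwise.
find_placeholder_domains() {
    awk '
        # Comment lines start with "#" or ";" and therefore never match here.
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) {
                tok = $i
                sub(/\.$/, "", tok)        # tolerate a trailing root dot
                if (tok == "DOMAINS" || tok == "DOMAINS6") {
                    printf "%s:%d: %s\n", FILENAME, FNR, $i
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample mirroring the "search DOMAINS" line quoted in the report.
sample=$(mktemp)
printf '%s\n' 'nameserver 127.0.0.53' 'options edns0 trust-ad' \
    'search DOMAINS' > "$sample"

if find_placeholder_domains "$sample"; then
    echo "no placeholder search domains"
else
    echo "placeholder search domain present"
fi
rm -f "$sample"
```

On a system using ifupdown with systemd-resolved, the file to pass is the /run/systemd/resolve/stub-resolv.conf path named in the report.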
