@dwmw2, as far as i understand, you should configuring DNS through
systemd-resolve only. Try remove your edits from `/etc/NetworkManager
/system-connections`, or even delete your connections from
NetworkManager interface, and create new. After that, establish vpn
connection and see at `systemd-resolve --status`, you should get
something like this:
```
Link 3 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: xx.xx.xx.xx
xx.xx.xx.xx
DNS Domain: ~.
Link 2 (enp3s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.1.1
DNS Domain: local.domain
```
Where local.domain was received from DHCP server in local network. In
that case you will send DNS requests in local.domain to local DNS
server, and all other DNS requests - over VPN. That is expected
behaviour. If you get this, but you have needs for redirecting DNS
requests for some domain through other route (let's say, requests to
local2.domain2, without VPN), you can do this with next command:
`systemd-resolve -i enp3s0 --set-domain=local2.domain2`
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS leakage regression
Status in NetworkManager:
Fix Released
Status in network-manager package in Ubuntu:
Fix Released
Status in network-manager source package in Bionic:
Fix Committed
Bug description:
* Impact
When using a VPN the DNS requests might still be sent to a DNS server
outside the VPN when they should not
* Test case
Configure the system to send all the traffic to a VPN, do a name
resolution, the request should not go to the public DNS server (to be
checked by capturing the traffic by example with wireshark)
* Regression potential
The code change the handling of DNS servers when using a VPN, we
should check that name resolution still work whne using a VPN in
different configurations
-----------------
In 16.04 the NetworkManager package used to carry this patch:
http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch
It fixed the DNS setup so that when I'm on the VPN, I am not sending
unencrypted DNS queries to the (potentially hostile) local
nameservers.
This patch disappeared in an update. I think it was present in
1.2.2-0ubuntu0.16.04.4 but was dropped some time later.
This security bug exists upstream too:
https://bugzilla.gnome.org/show_bug.cgi?id=746422
It's not a *regression* there though, as they didn't fix it yet
(unfortunately!)
To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager/+bug/1754671/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
