On 19.04 I can see the following (correct) behavior.
With VPN (turned on via NetworkManager):
# note: no "global" DNS servers have been configured by hand through
systemd-resolved conf using "DNS=" directive
systemd-resolve --status
# ...
Link 15 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <vpndns1>
         DNS Servers: <vpndns1>
                      <vpndns2>
          DNS Domain: ~.

Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: deadbeefcafe
Without VPN:
systemd-resolve --status
# ...
Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: ~.
                      deadbeefcafe
"~." configuration goes to the tun0 interface once VPN is enabled and is
removed from the physical interface. In this example it means that
DHCP-advertised local DNS servers will be used for deadbeefcafe domain only and
everything else will go through the DNS servers of a VPN service.
Clarifications on how "~." affects DNS request routing:
https://github.com/systemd/systemd/blame/v240/src/resolve/resolved-dns-scope.c#L1411-L1418

/* "~." really trumps everything and clearly indicates that this interface shall receive all
 * traffic it can get. */

http://manpages.ubuntu.com/manpages/disco/man5/resolved.conf.5.html#options
https://www.freedesktop.org/software/systemd/man/resolved.conf.html#Domains=
Packages:
ii  network-manager                             1.16.0-0ubuntu2        amd64  network management framework (daemon and userspace tools)
ii  network-manager-config-connectivity-ubuntu  1.16.0-0ubuntu2        all    NetworkManager configuration to enable connectivity checking
ii  network-manager-gnome                       1.8.20-1ubuntu1        amd64  network management framework (GNOME frontend)
ii  network-manager-openvpn                     1.8.10-1               amd64  network management framework (OpenVPN plugin core)
ii  network-manager-openvpn-gnome               1.8.10-1               amd64  network management framework (OpenVPN plugin GNOME GUI)
ii  netplan.io                                  0.97-0ubuntu1~19.04.1  amd64  YAML network configuration abstraction for various backends
ii  systemd                                     240-6ubuntu5.3         amd64  system and service manager
I have also captured DNS packets on all interfaces via Wireshark and confirmed
that DNS requests go to the correct DNS servers on 19.04.
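The comment above describes the rule by which systemd-resolved picks a link for a query: the link whose "DNS Domain" entry is the longest matching suffix of the name wins, "~." matches every name with zero labels, and a link with no matching domain only receives queries as a DefaultRoute fallback when nothing else matched. The following script is an added example, not code from the bug report or from systemd: it parses constructed `systemd-resolve --status` output (addresses and link names invented for the example), models that selection rule, and flags names whose query would reach anything other than the VPN link. The function names and the exact scoring constants are this example's own simplification of the resolved source linked above.

```python
import re

# Constructed status output, modelled on the "with VPN" case in the comment.
STATUS_VPN = """\
Link 15 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 10.8.0.1
                      10.8.0.2
          DNS Domain: ~.

Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 192.0.2.53
          DNS Domain: deadbeefcafe
"""

# Constructed "without VPN" case: the physical link holds both domains.
STATUS_NO_VPN = """\
Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 192.0.2.53
          DNS Domain: ~.
                      deadbeefcafe
"""

# Constructed leaky shape: the physical link kept "~." after the VPN came up.
STATUS_LEAK = """\
Link 15 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 10.8.0.1
          DNS Domain: ~.

Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 192.0.2.53
          DNS Domain: ~.
"""

LINK_RE = re.compile(r"^Link\s+\d+\s+\((?P<name>[^)]+)\)")
# Keys are words only, so an IPv6 continuation line like "fe80::1" is not a key.
KEY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")


def parse_status(text):
    """Map link name -> {property: [values]} from systemd-resolve --status text."""
    links, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        link = LINK_RE.match(line)
        if link:
            current = links.setdefault(link.group("name"), {})
            last_key = None
            continue
        if current is None:        # skip the "Global" block before the first link
            continue
        kv = KEY_RE.match(line)
        if kv:
            last_key = kv.group("key")
            current[last_key] = [kv.group("value")] if kv.group("value") else []
        elif last_key:
            current[last_key].append(line)   # continuation: 2nd server, 2nd domain
    return links


def route_query(links, name):
    """Sorted list of links that would receive a query for `name` (simplified model)."""
    name = name.rstrip(".").lower()
    scores = {}
    for link, props in links.items():
        if "DNS" not in " ".join(props.get("Current Scopes", [])).split():
            continue
        best = None
        for dom in props.get("DNS Domain", []):
            dom = dom.lstrip("~").strip(".").lower()
            if dom == "":
                labels = 0                                 # "~." catch-all
            elif name == dom or name.endswith("." + dom):
                labels = dom.count(".") + 1                # longer suffix wins
            else:
                continue
            best = max(best if best is not None else 0, 100 + labels)
        if best is None and props.get("DefaultRoute setting", [""])[0] == "yes":
            best = 50                                      # fallback when nothing matched
        if best is not None:
            scores[link] = best
    if not scores:
        return []
    top = max(scores.values())
    return sorted(l for l, s in scores.items() if s == top)   # ties all get the query


def leaking_names(links, vpn_link, names):
    """Names whose query would not go exclusively to `vpn_link`."""
    return {n: route_query(links, n) for n in names if route_query(links, n) != [vpn_link]}


if __name__ == "__main__":
    for label, text in (("vpn", STATUS_VPN), ("no vpn", STATUS_NO_VPN), ("leak", STATUS_LEAK)):
        links = parse_status(text)
        for n in ("www.example.com", "host.deadbeefcafe"):
            print(f"{label:7} {n:20} -> {route_query(links, n)}")
```

To use it against a live machine, pipe the output of `systemd-resolve --status` (or `resolvectl status` on newer systemd) into `parse_status` and call `leaking_names` with the VPN link name; a local-domain name such as `host.deadbeefcafe` will show up in the result by design, since the comment above treats LAN resolvers answering for the DHCP-advertised domain as correct. The interesting finding is the tie case: when two links both carry "~.", the model returns both, which is exactly the "~." left on the physical interface that this bug is about.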
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1688018
Title:
DNS server from vpn connection is not being used after network-manager
upgrade to 1.2.6
Status in network-manager package in Ubuntu:
Triaged
Status in network-manager source package in Xenial:
In Progress
Status in network-manager source package in Yakkety:
Won't Fix
Bug description:
This was initially opened as #1671606, then later duped to #1639776.
Discussion in #1639776 indicates that we need a new bug for this, so I am
opening one ... Please don't mark this as a duplicate of #1639776 or
other similar bug reports. We already lost several months and we are
again at the beginning ...
TL;DR; -> network-manager-1.2.2-0ubuntu0.16.04.4 uses the DNS defined by the
VPN (correct). network-manager-1.2.6-0ubuntu0.16.04.1 uses the DNS from
DHCP instead of the one defined by the VPN (wrong).
The DNS resolver should query only the DNS servers defined by the VPN while the
connection is active.
=================================
Test steps / result:
- upgraded network-manager to 1.2.6-0ubuntu0.16.04.1
(dnsmasq-base-2.75-1ubuntu0.16.04.2)
- restarted my laptop to ensure a clean start
- connected to VPN using openconnect / network-manager-openconnect-gnome
Observed results -> DNS queries are forwarded only to the DNS servers
defined by the LAN connection (this is wrong / connection not working at
all)
- "killall dnsmasq"
- dnsmasq gets automatically restarted by the system
Observed results -> most of the queries are forwarded to the DNS
servers defined by the VPN, but a lot of queries get forwarded to the DNS
servers defined by the LAN connection (this is still wrong / DNS leaks,
an attacker can hijack the connection even if the VPN is enabled)
- I downgraded network-manager back to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base
stays the same)
- restarted my laptop to ensure a clean test
- connected to the same VPN using openconnect
Observed results -> DNS queries are forwarded only to the DNS servers
defined by the VPN connection. There are no leaks to the LAN DNS server (this
is the correct behavior).
=================================
Paul Smith requested additional details in #1639776. Here they are:
* If you're using IPv4 vs. IPv6
-> IPv4 only. I have IPv6 set to ignore on all network definitions (lan / wifi
/ vpn)
* If you have checked or unchecked the "Use this connection only for
resources on its network"
-> unchecked on all network definitions
* If you have this checked, try unchecking it and see if that makes a
difference
-> no change if I toggle this option. Behavior is the same.
* When you say "DNS lookups" please be clear about whether the hostnames
being looked up are public (e.g., www.google.com or whatever), on your local
LAN, or in the network accessed via the VPN. Does it make a difference which
one you choose?
-> No difference.
* Are you using fully-qualified hostnames, or relying on the DNS domain
search path? Does it make a difference if you do it differently?
-> I normally use FQDNs due to the nature of HTTPS cert validation. I don't see a
difference when I try the same using hostname + domain search.
=================================
I am using openconnect (cisco) and openvpn. Test results are from using
openconnect, but I saw the same behaviour also while using openvpn.
=================================
Thanks
Lukas