[Desktop-packages] [Bug 1688018] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6

Sun, 01 Sep 2019 10:45:59 -0700 

On 19.04 I can see the following (correct) behavior.

With VPN (turned on via NetworkManager):

# note: no "global" DNS servers have been configured by hand through
systemd-resolved conf using "DNS=" directive

systemd-resolved --status

# ...

Link 15 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <vpndns1>
         DNS Servers: <vpndns1>
                      <vpndns2>
          DNS Domain: ~.


Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: deadbeefcafe


Without VPN:

systemd-resolved --status
# ...

Link 2 (wlp59s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: <local-dhcp-dns1>
         DNS Servers: <local-dhcp-dns1>
                      <local-dhcp-dns2>
          DNS Domain: ~.
                      deadbeefcafe


"~." configuration goes to the tun0 interface once VPN is enabled and is 
removed from the physical interface. In this example it means that 
DHCP-advertised local DNS servers will be used for deadbeefcafe domain only and 
everything else will go through the DNS servers of a VPN service.

Clarifications on how "~." affects DNS request routing:

https://github.com/systemd/systemd/blame/v240/src/resolve/resolved-dns-scope.c#L1411-L1418
                 * "~."  really trumps everything and clearly indicates that 
this interface shall receive all
                 * traffic it can get. */
http://manpages.ubuntu.com/manpages/disco/man5/resolved.conf.5.html#options
https://www.freedesktop.org/software/systemd/man/resolved.conf.html#Domains=

Packages:

ii  network-manager                               1.16.0-0ubuntu2               
        amd64        network management framework (daemon and userspace tools)
ii  network-manager-config-connectivity-ubuntu    1.16.0-0ubuntu2               
        all          NetworkManager configuration to enable connectivity 
checking
ii  network-manager-gnome                         1.8.20-1ubuntu1               
        amd64        network management framework (GNOME frontend)
ii  network-manager-openvpn                       1.8.10-1                      
        amd64        network management framework (OpenVPN plugin core)
ii  network-manager-openvpn-gnome                 1.8.10-1                      
        amd64        network management framework (OpenVPN plugin GNOME GUI)
ii  netplan.io                                    0.97-0ubuntu1~19.04.1         
        amd64        YAML network configuration abstraction for various backends
ii  systemd                                       240-6ubuntu5.3                
        amd64        system and service manager


I have also captured DNS packets on all interfaces via Wireshark and confirmed 
that DNS requests go to the correct DNS servers on 19.04.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1688018

Title:
  DNS server from vpn connection is not being used after network-manager
  upgrade to 1.2.6

Status in network-manager package in Ubuntu:
  Triaged
Status in network-manager source package in Xenial:
  In Progress
Status in network-manager source package in Yakkety:
  Won't Fix

Bug description:
  This was initially opened as #1671606 then later duped to #1639776.
  Discussion in #1639776 indicate that we need new bug for this so I am
  opening one ... Please don't mark this as duplicate to #1639776 or
  other similar bug report. We already lost several months and we are
  again at beginning ...

  TL;DR; -> network-manager-1.2.2-0ubuntu0.16.04.4 use DNS defined by
  VPN (correct). network-manager-1.2.6-0ubuntu0.16.04.1 use DNS from
  DHCP instead of one defined by VPN (wrong).

  DNS resolver should query only DNS servers defined by VPN while
  connection is active.

  =================================

  Test steps / result:

  - upgraded network-manager to 1.2.6-0ubuntu0.16.04.1 
(dnsmasq-base-2.75-1ubuntu0.16.04.2)
  - restated my laptop to ensure clean start
  - connected to VPN using openconnect / network-manager-openconnect-gnome

  Observed results -> DNS queries are forwarded only to DNS servers
  defined by LAN connection (this is wrong / connection not working at
  all)

  - "killall dnsmasq"
  - dnsmasq get automatically restarted by system

  Observed results -> most of the the queries are forwarded to DNS
  servers defined by VPN, but lot of queries get forwarded to DNS
  servers defined by LAN connection (this is still wrong / DNS leaks,
  attacker can hijack connection even if VPN is enabled)

  - I downgraded back network-manager to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base 
stay same)
  - restated my laptop to ensure clean test
  - connected to same VPN using openconnect

  Observed results -> DNS queries are forwarded only to DNS servers
  defined by VPN connection. There are no leaks to LAN DNS server (this
  is correct behavior).

  =================================

  Paul Smith requested additional details in #1639776. Here are:

  * If you're using IPv4 vs. IPv6
  -> IPv4 only. I have IPv6 set to ignore on all network definition (lan / wifi 
/vpn)

  * If you have checked or unchecked the "Use this connection only for 
resources on its network"
  -> unchecked on all nw definition

  * If you have this checked, try unchecking it and see if that makes a 
difference
  -> no change if I toggle this option. Behavior is same.

  * When you say "DNS lookups" please be clear about whether the hostnames 
being looked up are public (e.g., www.google.com or whatever), on your local 
LAN, or in the network accessed via the VPN. Does it make a difference which 
one you choose?
  -> No difference.

  * Are you using fully-qualified hostnames, or relying on the DNS domain 
search path? Does it make a difference if you do it differently?
  -> I normaly use FQDN due to nature of HTTPs cert validation. I don't see 
difference when I try same using hostname + domain search.

  =================================

  I am using openconnect (cisco) and openvpn. Test result are by using
  openconnect but I saw same behaviour also while using openvpn.

  =================================

  Thanks

  Lukas

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1688018/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to