Hi Adam,
Marking public given the public bug reports elsewhere.
It looks like upstream addressed this in network-manager 1.28, which has
not made it into Ubuntu yet.
** Information type changed from Private Security to Public Security
** Changed in: network-manager (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1909608
Title:
networkmanager sets DNS server configuration without proper dns-search/dns-priority causing DNS requests leak to ISP (openconnect+split-tunnel+non-split DNS)
Status in network-manager package in Ubuntu:
Confirmed
Bug description:
The VPN server configuration is split tunneling (the default route is the local ISP) with "global/primary/main" DNS pushed from the VPN (it's important to note that it's not split DNS).
REDACTED@REDACTED:~$ ip r
default via 192.168.1.1 dev wlo1 proto dhcp metric 600
10.0.0.0/24 dev vpn0 proto static scope link metric 50
The VPN (OpenConnect) provides its own DNS servers without a "DNS Domain".
Connection syslog:
Dec 29 08:48:28 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.10
Dec 29 08:48:28 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.11
Dec 29 08:48:28 REDACTED NetworkManager[1038]: <info> Data: DNS Domain: '(none)'
All DNS requests should be routed through the VPN, yet the dns-priority and dns-search configuration prevents this:
Dec 29 20:30:38 REDACTED systemd-resolved[1017]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Dec 29 20:30:41 REDACTED systemd-resolved[1017]: message repeated 48 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
I can confirm that changing dns-search to the wildcard ~. and dns-priority to -50 resolves the issue.
REDACTED@REDACTED:~$ nmcli c show vpn.example.com | grep ipv4.dns
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 50
REDACTED@REDACTED:~$ resolvectl status
Link 5 (vpn0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 3 (wlo1)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
8.8.4.4
DNS Domain: ~.
REDACTED@REDACTED:~$ nmcli c modify vpn.example.com ipv4.dns-search ~.
REDACTED@REDACTED:~$ nmcli c modify vpn.example.com ipv4.dns-priority -50
REDACTED@REDACTED:~$ nmcli c show vpn.example.com | grep ipv4.dns
ipv4.dns: --
ipv4.dns-search: ~.
ipv4.dns-options: --
ipv4.dns-priority: -50
After a VPN restart, our new settings are working properly:
REDACTED@REDACTED:~$ resolvectl status
Link 5 (vpn0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.100.10
DNS Servers: 192.168.100.10
192.168.100.11
DNS Domain: ~.
Link 3 (wlo1)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
When OpenConnect receives "DNS Domain" (split DNS configuration)
everything works as intended:
Dec 29 08:46:32 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.10
Dec 29 08:46:32 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.11
Dec 29 08:46:32 REDACTED NetworkManager[1038]: <info> Data: DNS Domain: 'example.com'
REDACTED@REDACTED ~ resolvectl status
Link 6 (vpn0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.100.10
DNS Servers: 192.168.100.10
192.168.100.11
DNS Domain: example.com
The upstream PR for this bug has already been submitted and accepted:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/bba1ab0f21b4114a6ae3d92c536e0803bcf9e4cd
RH bugzilla for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1863041
This leak can be related to:
https://ubuntu.com/security/CVE-2018-1000135
Bug/CVE found on:
lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
apt-cache policy network-manager
network-manager:
Installed: 1.22.10-1ubuntu2.2
Candidate: 1.22.10-1ubuntu2.2
Version table:
*** 1.22.10-1ubuntu2.2 500
500 http://pl.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.22.10-1ubuntu1 500
500 http://pl.archive.ubuntu.com/ubuntu focal/main amd64 Packages
apt-cache policy network-manager-openconnect
network-manager-openconnect:
Installed: 1.2.6-1
Candidate: 1.2.6-1
Version table:
*** 1.2.6-1 500
500 http://pl.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
100 /var/lib/dpkg/status
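The check below is an added example, not part of the bug report or of NetworkManager: it parses `resolvectl status` output for the "DefaultRoute setting" of each link to detect the leaky state the report describes (the physical link, not the VPN link, is the DNS default route) and prints the two nmcli commands the reporter used to fix it. The interface name vpn0 and the connection name vpn.example.com are assumptions taken from the report's redacted output; the sample status text is constructed.

```shell
# Added example, not the bug report's own commands: detect the leaky state above
# from `resolvectl status` output and print the reporter's nmcli fix. Names are assumed.

# Constructed sample, trimmed from the report's "before" resolvectl output.
LEAKY_STATUS='Link 5 (vpn0)
DefaultRoute setting: no
Link 3 (wlo1)
DefaultRoute setting: yes
DNS Servers: 8.8.8.8
DNS Domain: ~.'

# Constructed sample, trimmed from the report's "after" output.
FIXED_STATUS='Link 5 (vpn0)
DefaultRoute setting: yes
DNS Servers: 192.168.100.10
DNS Domain: ~.
Link 3 (wlo1)
DefaultRoute setting: no'

# Print the interface names whose "DefaultRoute setting" is yes, i.e. the
# links systemd-resolved sends queries to when no per-link domain matches.
dns_default_route_links() {   # $1 = resolvectl status text
    printf '%s\n' "$1" | awk '
        /^[ \t]*Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link) }
        /DefaultRoute setting: yes/ { print link }'
}

# True (exit 0) when some link is a DNS default route but the VPN link is
# not: every query then goes to the ISP resolver instead of the VPN one.
dns_leaks_past_vpn() {   # $1 = VPN interface, $2 = resolvectl status text
    routes=$(dns_default_route_links "$2")
    [ -n "$routes" ] || return 1          # no default route at all: not this bug
    for l in $routes; do
        [ "$l" = "$1" ] && return 1       # VPN resolvers get the queries: no leak
    done
    return 0
}

# Emit (without running) the fix from the report: route every name (~.) to
# the VPN resolvers and rank them above other connections (negative priority).
nmcli_fix_commands() {   # $1 = NetworkManager connection name
    printf 'nmcli c modify %s ipv4.dns-search ~.\n' "$1"
    printf 'nmcli c modify %s ipv4.dns-priority -50\n' "$1"
}

if dns_leaks_past_vpn vpn0 "$LEAKY_STATUS"; then
    echo "DNS default route bypasses vpn0; suggested fix:"
    nmcli_fix_commands vpn.example.com
fi
```

On a live system, replace the sample with `dns_leaks_past_vpn vpn0 "$(resolvectl status)"`; the check reports a leak only while another link holds the DNS default route and the VPN link does not, which is exactly the state the report's first `resolvectl status` listing shows.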