[Desktop-packages] [Bug 1688018] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6

2019-02-13 Thread Jason Cecil
The author discusses the drawbacks here:
https://github.com/jonathanio/update-systemd-resolved (one can still leak
under certain circumstances, and we shouldn't only be concerned with the
minority who realize this is even happening/a problem and who can hack
together a workaround themselves). Not that you implied that by sharing
your solution; I'm just speaking generally.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1688018

Title:
  DNS server from vpn connection is not being used after network-manager
  upgrade to 1.2.6

Status in network-manager package in Ubuntu:
  Triaged
Status in network-manager source package in Xenial:
  In Progress
Status in network-manager source package in Yakkety:
  Won't Fix

Bug description:
  This was initially opened as #1671606 and later duped to #1639776.
  Discussion in #1639776 indicates that we need a new bug for this, so I am
  opening one ... Please don't mark this as a duplicate of #1639776 or
  other similar bug reports. We already lost several months and we are
  again at the beginning ...

  TL;DR -> network-manager-1.2.2-0ubuntu0.16.04.4 uses the DNS defined by
  the VPN (correct). network-manager-1.2.6-0ubuntu0.16.04.1 uses the DNS
  from DHCP instead of the one defined by the VPN (wrong).

  The DNS resolver should query only the DNS servers defined by the VPN
  while the connection is active.

  =

  Test steps / result:

  - upgraded network-manager to 1.2.6-0ubuntu0.16.04.1
    (dnsmasq-base-2.75-1ubuntu0.16.04.2)
  - restarted my laptop to ensure a clean start
  - connected to VPN using openconnect / network-manager-openconnect-gnome

  Observed results -> DNS queries are forwarded only to the DNS servers
  defined by the LAN connection (this is wrong / the connection is not
  working at all)

  - "killall dnsmasq"
  - dnsmasq gets automatically restarted by the system

  Observed results -> most of the queries are forwarded to the DNS
  servers defined by the VPN, but a lot of queries get forwarded to the
  DNS servers defined by the LAN connection (this is still wrong / DNS
  leaks, an attacker can hijack the connection even if the VPN is enabled)

  - I downgraded network-manager back to 1.2.2-0ubuntu0.16.04.4
    (dnsmasq-base stays the same)
  - restarted my laptop to ensure a clean test
  - connected to the same VPN using openconnect

  Observed results -> DNS queries are forwarded only to the DNS servers
  defined by the VPN connection. There are no leaks to the LAN DNS server
  (this is the correct behavior).

  =

  Paul Smith requested additional details in #1639776. Here they are:

  * If you're using IPv4 vs. IPv6
  -> IPv4 only. I have IPv6 set to ignore on all network definitions
  (lan / wifi / vpn)

  * If you have checked or unchecked the "Use this connection only for
  resources on its network"
  -> unchecked on all nw definitions

  * If you have this checked, try unchecking it and see if that makes a
  difference
  -> no change if I toggle this option. Behavior is the same.

  * When you say "DNS lookups" please be clear about whether the hostnames
  being looked up are public (e.g., www.google.com or whatever), on your
  local LAN, or in the network accessed via the VPN. Does it make a
  difference which one you choose?
  -> No difference.

  * Are you using fully-qualified hostnames, or relying on the DNS domain
  search path? Does it make a difference if you do it differently?
  -> I normally use FQDNs due to the nature of HTTPS cert validation. I
  don't see a difference when I try the same using hostname + domain search.

  =

  I am using openconnect (cisco) and openvpn. The test results are from
  using openconnect, but I saw the same behaviour also while using openvpn.

  =

  Thanks

  Lukas

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1688018/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
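The leak Lukas's test steps describe (queries forwarded to the LAN DNS servers while the VPN is up) can be checked from dnsmasq's own log once `log-queries` is enabled, since dnsmasq logs every upstream forward as "forwarded <name> to <server>". The following is an added example, not code from the thread or from network-manager; the log lines are constructed, and the VPN-pushed resolver address 10.8.0.1 and LAN resolver 192.168.1.1 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of dnsmasq output with "log-queries" enabled; these
# lines are illustrative, not taken from the bug report.
SAMPLE_LOG = """\
Feb 12 09:00:01 dnsmasq[1201]: query[A] wiki.corp.internal from 127.0.0.1
Feb 12 09:00:01 dnsmasq[1201]: forwarded wiki.corp.internal to 10.8.0.1
Feb 12 09:00:02 dnsmasq[1201]: query[A] www.example.com from 127.0.0.1
Feb 12 09:00:02 dnsmasq[1201]: forwarded www.example.com to 192.168.1.1
Feb 12 09:00:03 dnsmasq[1201]: query[AAAA] www.example.com from 127.0.0.1
Feb 12 09:00:03 dnsmasq[1201]: forwarded www.example.com to 10.8.0.1
Feb 12 09:00:04 dnsmasq[1201]: query[A] git.corp.internal from 127.0.0.1
Feb 12 09:00:04 dnsmasq[1201]: forwarded git.corp.internal to 192.168.1.1
Feb 12 09:00:05 dnsmasq[1201]: cached www.example.com is 93.184.216.34
"""

# dnsmasq records each upstream forward as "forwarded <name> to <server>".
FORWARDED = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")

def find_leaks(log_text, vpn_dns):
    """Count forwards per upstream server and list every (name, server)
    pair that went to a resolver outside the VPN-supplied set."""
    vpn = set(vpn_dns)
    per_upstream = Counter()
    leaked = []
    for line in log_text.splitlines():
        m = FORWARDED.search(line)
        if not m:
            continue  # queries, cache hits and replies are not forwards
        name, upstream = m.groups()
        per_upstream[upstream] += 1
        if upstream not in vpn:
            leaked.append((name, upstream))
    return per_upstream, leaked

def leak_ratio(per_upstream, vpn_dns):
    """Fraction of forwarded queries that bypassed the VPN resolvers."""
    total = sum(per_upstream.values())
    if total == 0:
        return 0.0
    outside = sum(n for up, n in per_upstream.items() if up not in set(vpn_dns))
    return outside / total

if __name__ == "__main__":
    counts, leaked = find_leaks(SAMPLE_LOG, ["10.8.0.1"])
    for name, server in leaked:
        print(f"LEAK: {name} forwarded to non-VPN resolver {server}")
    print(f"{leak_ratio(counts, ['10.8.0.1']):.0%} of forwards bypassed the VPN")
```

On a live system the same functions can be fed `journalctl -u NetworkManager` or syslog output, with the expected server list taken from the VPN connection's pushed DNS settings.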


[Desktop-packages] [Bug 1688018] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6

2019-02-12 Thread Jason Cecil
This is the *nastiest* bug I've ever encountered in the wild on my own
in Linux (that has no good solution after this long). Package
1.2.2-0ubuntu0.16.04.4 has disappeared from the mirrors for Xenial (not
that anyone should expect a normal user to go through the deep dive that
is this subject, once one realizes what is happening). The cipher in use
by AWS for Client VPN isn't available in OpenSSL within Trusty Tahr, so
running an old Ubuntu distro is also not a viable solution for me. This
is about as serious of a bug as I could think of, and we're almost two
years in without it being addressed. Hate to be tin-foil-hatty, but this
seems like the kind of thing that gets put into software as a result of
government-agency interests. How many people around the world expecting
their VPN to protect them while viewing content from outside of their
nation state are DNS-leaking all over the place to their local ISP? How
many companies are leaking private zone DNS names (which often reflect
what's running on the target boxes, and would then include information
that could be used as part of an attack vector) to their ISP? I
understand how open source works, but most people (including me) don't
have the ability to work effectively on this nuanced bug. What's the
plan? Sorry to sound disgruntled, but I spent about a week on this
(coming to terms with understanding the issue, and then trying a number
of workarounds). Initially, I accused our CTO of running a broken VPN
server (heh), because I could simply not believe that things didn't
"just work" in Linux for this extremely common use case. So we don't
support pushing "dhcp-option" for DNS in Linux. This works in Mac and in
Windows. We need a working/easy way to update our DNS addresses upon
connecting to/disconnecting from a VPN that users can trust. This bug is
so obscene, bwahah, I felt like Linus Torvalds dealing with Nvidia...
:-P


[Desktop-packages] [Bug 1671606] Re: DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1

2019-02-12 Thread Jason Cecil
*** This bug is a duplicate of bug 1688018 ***
https://bugs.launchpad.net/bugs/1688018


-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1671606

Title:
  DNS server from vpn connection is not being used after network-manager
  upgrade to 1.2.6-0ubuntu0.16.04.1

Status in network-manager package in Ubuntu:
  Confirmed
Status in resolvconf package in Ubuntu:
  Invalid

Bug description:
  I use my company's cisco vpn via network-manager in Ubuntu 16.04.2
  LTS. After a recent upgrade of network-manager:amd64 from version
  1.2.2-0ubuntu0.16.04.4 to version 1.2.6-0ubuntu0.16.04.1, DNS
  resolution of the VPN's server hostnames does not work. Rolling back to
  version 1.2.2-0ubuntu0.16.04.4 solves the problem.

  Steps for reproducing:
  1. upgrade network-manager:amd64 from version 1.2.2-0ubuntu0.16.04.4 to
     version 1.2.6-0ubuntu0.16.04.1
  2. connect to VPN via network-manager applet
  3. nslookup servername.internal --> ** server can't find
     servername.internal: NXDOMAIN
  4. disconnect from VPN via network-manager applet
  5. roll back network-manager via command: sudo apt-get install
     network-manager=1.2.2-0ubuntu0.16.04.4
  6. restart network-manager via sudo service network-manager restart
  7. connect to VPN via network-manager applet
  8. nslookup servername.internal --> the server is resolved correctly

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: network-manager 1.2.6-0ubuntu0.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
  Uname: Linux 4.4.0-66-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Thu Mar  9 19:49:55 2017
  InstallationDate: Installed on 2015-10-05 (520 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=true
   WimaxEnabled=true
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-nm:
   RUNNING  VERSION  STATE      STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  WIFI     WWAN-HW  WWAN
   running  1.2.6    connected  started  full          enabled     enabled  enabled  enabled  enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1671606/+subscriptions
