[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
** No longer affects: network-manager (Ubuntu Yakkety) ** No longer affects: network-manager (Ubuntu Xenial) ** No longer affects: network-manager (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1639776 Title: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
@litinoveweedle this bug is marked fixed. If you are still seeing a similar symptom then I suggest opening a new bug.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Any updates for this one? After half year? on LTS? Are you serious?

Please note, that this bug #1672491, #1639776 and many other could be easily patched, just by applying patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=2675f2061525bc954be14988d64384b74aa7bf8b
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=16800ea072dd0cdf14d951c4bb8d2808b3dfe53d
to dnsmasq package. If someone just could move the lazy ass and at least follow other distros like Fedora https://bugzilla.redhat.com/show_bug.cgi?id=1373485

I will post non constructive and frustrating post to all regarding bugs, so hopefully someone will feel ashamed and finally fix it. Otherwise I would like to ask you: step down as maintainers and orphan given package so someone else who knows how to patch source could take over from you - because you are doing no good by doing nothing!

** Bug watch added: Red Hat Bugzilla #1373485
   https://bugzilla.redhat.com/show_bug.cgi?id=1373485
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Have the same issue on 17.04.

In order to make dns resolution work again one should type after resume:

    sudo systemctl restart systemd-resolved.service
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Hmm, just noticed this is likely the same patch merged here -- well, I'm running the latest Xenial packages:

ii  dnsmasq-base     2.75-1ubuntu0.16.04.1   amd64  Small caching DNS proxy and DHCP/TFTP server
ii  network-manager  1.2.6-0ubuntu0.16.04.1  amd64  network management framework (daemon and userspace tools)

And I am still seeing the same behaviour.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
FWIW I continue to face this issue specifically when suspending while using the mobile broadband connection (predictable interface name wwp0s29u1u4i6) on my x220.

I noticed this thread:
https://mail.gnome.org/archives/networkmanager-list/2016-September/msg0.html

Which notes this command is a workaround:

    busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Reload "u" 4

and a link to an upstream bug at https://bugzilla.redhat.com/show_bug.cgi?id=1367772 -- I do wonder whether the fix we've adopted has diverged from what's recommended there, since it's reported to fix the OP's issue.

** Bug watch added: Red Hat Bugzilla #1367772
   https://bugzilla.redhat.com/show_bug.cgi?id=1367772
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Here is bug report for DNS VPN problems -> #1688018 ... as requested.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
@exander77 there is no need for personal abuse here.

In that case the description of this bug should have been updated to include that. However I see there is debate on that bug about whether it is fixed by the version of dnsmasq which fixes this bug. If not then it is definitely a different bug. I suggest opening a new bug. It will not get duplicated to this one if the dnsmasq fix does not fix the problem. There is no point commenting further on this bug as it is marked as fixed so no-one will do anything about it.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
@colin-law That's bullshit, #1671606 was closed as duplicated of this:

DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1671606
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
@exander77 this bug is specifically about a failure after suspend/resume. If your issue does not relate to suspend/resume it is a different bug.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I did some testing, it affects PPTP, but does not seem to affect OpenVPN.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I have a fully updated Ubuntu 17.04 and when I connect to VPN /var/run/NetworkManager/resolv.conf does not get updated with DNS. Any fix soon?
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Paul, Nish ... VPN problem was initially reported as #1671606 . This bug get closed as duplicate to this one. I am not against opening new bug but we need some kind of statement "why?" ... I don't want to open bug which may get duplicated again to this one.

I will test proposal from Paul to see if "Use this connection only for resources on its network" make difference ...

FYI: Local resources are un-trusted on networks like network in hotels. So there should be no leaks while secure connection is in place.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Ah yes. This is indeed referenced in the changelog on the system. Not sure what I should do next though. Open a new bugid or continue here?
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Yes, that version is OK (I'm on 16.10 so mine is a bit newer). If you check /usr/share/doc/dnsmasq-base/changelog.Debian.gz on your system you should see info related to this bug in that changelog.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
@Paul dnsmasq is 2.75-1ubuntu0.16.04.2 and I don't see anything newer within my repo. Has the pkg been updated for 16.04?

pkg info: https://pastebin.com/aximAJxc

Mint 18.1 (Ubuntu 16.04.2) x64
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Shawn B it sounds like your issue might be related to this one, since it's fixed by restarting dnsmasq. Do you have the newer dnsmasq version (you need dnsmasq-base 2.76-4ubuntu0.1 or better)?

Just to note: it's definitely true that this bug will impact VPN users; that's how I ran into it. Basically, anything that causes changes to DNS configuration will hit this: so starting / stopping VPN and also suspend / resume.

However, if your problem is solved by switching versions of NetworkManager then it's not this bug. Also if the problem is NOT solved by restarting dnsmasq then it's not this bug.

In general, the above version of dnsmasq definitely fixes _this_ bug, so if you have that version and you're still seeing problems then it's not _this_ bug. You should file a new issue in Launchpad, with all the details you can obtain. Feel free to add a comment here with a link to the bug you create so people can follow it if they come here first.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
** Changed in: dnsmasq (Ubuntu Xenial)
     Assignee: Nish Aravamudan (nacc) => (unassigned)

** Changed in: dnsmasq (Ubuntu Yakkety)
     Assignee: Nish Aravamudan (nacc) => (unassigned)
Re: [Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Lukas, thank you for the detailed information. However

On Mon, Apr 24, 2017 at 9:33 AM, Lukas Dzunko wrote:
> Hello Paul. DNS leak mean that DNS queries still hit local DNS server
> while VPN connection is active. DNS resolver should query only DNS
> servers defined by VPN while connection is active.

You seemed to have ignored Paul's message and instead provided context which should go in a different bug. This bug was for name resolution failing after suspend/resume. It had nothing directly to do with VPNs. Please file a new bug.

On Mon, Apr 24, 2017 at 9:33 AM, Lukas Dzunko wrote:
> Hello Paul. DNS leak mean that DNS queries still hit local DNS server
> while VPN connection is active. DNS resolver should query only DNS
> servers defined by VPN while connection is active.
>
> I did following test:
>
> - upgraded network-manager to 1.2.6-0ubuntu0.16.04.1
> (dnsmasq-base=2.75-1ubuntu0.16.04.2)
> - restarted my laptop to ensure clean start
> - connected to VPN using openconnect / network-manager-openconnect-gnome
>
> Observed results -> DNS queries are forwarded only to DNS servers
> defined by LAN connection (this is wrong / connection not working at
> all)
>
> - "killall dnsmasq"
> - dnsmasq get automatically restarted by system
>
> Observed results -> most of the queries are forwarded to DNS servers
> defined by VPN, but lot of queries get forwarded to DNS servers defined
> by LAN connection (this is still wrong / DNS leaks, attacker can hijack
> connection even if VPN is enabled)
>
> - I downgraded back to network-manager to 1.2.2-0ubuntu0.16.04.4
> (dnsmasq-base stay same)
> - restarted my laptop to ensure clean test
> - connected to same VPN using openconnect
>
> Observed results -> DNS queries are forwarded only to DNS servers
> defined by VPN connection. There are no leaks to LAN DNS server (this is
> correct behavior).
>
> ==
>
> DNS leaks are bad for several reasons. Most important ones are that it
> provide visibility of host names to possibly un-trusted network and give
> ability to hijack connection. When I connect to VPN server I expect that
> all traffic hit only particular vpn server / gateway. If there is query
> to "secure-company-server.example.com" and this hit DNS on LAN then we
> are instantly leaking secured names. If LAN DNS server respond to this
> (or response is spoofed) then connection will be made outside of VPN
> environment. This effectively kill security of VPN connection ...
>
> ==
>
> FYI: I am currently in environment where DHCP set DNS servers but policy
> deny connection to them (don't ask why). Therefore is much more visible
> if queries get forwarded to LAN DNS server just because they never get
> responded ... this may be reason why some of folks here claim that fix
> is working. If LAN DNS server respond with something then there is no
> visibility of problem ...
>
> ==
>
> FYI2: all tests for this update was monitored by wireshark. ... just to
> not confuse with previous "fyi" comment
>
> ==
>
> Lukas

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1639776 Title: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
It sounds like a different bug to me, if changing networkmanager fixes it without changing dnsmasq.

I would file a new Launchpad bug with all the details you can provide. You can add a comment to this issue with a link. In particular, please specify:

* If you're using IPv4 vs. IPv6
* If you have checked or unchecked the "Use this connection only for resources on its network"
* If you have this checked, try unchecking it and see if that makes a difference
* When you say "DNS lookups" please be clear about whether the hostnames being looked up are public (e.g., www.google.com or whatever), on your local LAN, or in the network accessed via the VPN. Does it make a difference which one you choose?
* Are you using fully-qualified hostnames, or relying on the DNS domain search path? Does it make a difference if you do it differently?

FYI, if you choose "Use this connection only for resources on its network" then different DNS lookups going to different servers is expected: the decision is made based on the DNS domain name; lookups for hosts with domains that are served via the VPN (as determined by information obtained from the DHCP response when you got an IP address over the VPN) will be sent to DNS servers in the VPN (again, based on DHCP). Lookups for hosts with domains that are not registered by the VPN will not be sent to the VPN's DNS server.

I assume (but have not tried) that if you don't check that box then all DNS lookups would go to the VPN DNS servers. However, this does mean that no local LAN hostnames can be resolved since your local DNS server will not be consulted. It also means if you have multiple VPN connections going, only one of them will have DNS available.

If you either use fully-qualified hostnames, and/or you ensure that the VPN's DNS domains come first in the search path, then I don't think there should be a security issue (unless you don't trust your normal DNS server, but that's an entirely different situation).
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I also have the same issue as Lukas.

Occurs:
VPN Connects using redirect gateway
VPN DNS is not used
Local DNS unavailable
No DNS queries work

Expected:
VPN Connects using redirect gateway
VPN DNS is used
Local DNS unavailable

Temporary workaround:
sudo pkill dnsmasq
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Hello Paul. DNS leak mean that DNS queries still hit local DNS server while VPN connection is active. DNS resolver should query only DNS servers defined by VPN while connection is active.

I did following test:

- upgraded network-manager to 1.2.6-0ubuntu0.16.04.1 (dnsmasq-base=2.75-1ubuntu0.16.04.2)
- restarted my laptop to ensure clean start
- connected to VPN using openconnect / network-manager-openconnect-gnome

Observed results -> DNS queries are forwarded only to DNS servers defined by LAN connection (this is wrong / connection not working at all)

- "killall dnsmasq"
- dnsmasq get automatically restarted by system

Observed results -> most of the queries are forwarded to DNS servers defined by VPN, but lot of queries get forwarded to DNS servers defined by LAN connection (this is still wrong / DNS leaks, attacker can hijack connection even if VPN is enabled)

- I downgraded back to network-manager to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base stay same)
- restarted my laptop to ensure clean test
- connected to same VPN using openconnect

Observed results -> DNS queries are forwarded only to DNS servers defined by VPN connection. There are no leaks to LAN DNS server (this is correct behavior).

==

DNS leaks are bad for several reasons. Most important ones are that it provide visibility of host names to possibly un-trusted network and give ability to hijack connection. When I connect to VPN server I expect that all traffic hit only particular vpn server / gateway. If there is query to "secure-company-server.example.com" and this hit DNS on LAN then we are instantly leaking secured names. If LAN DNS server respond to this (or response is spoofed) then connection will be made outside of VPN environment. This effectively kill security of VPN connection ...

==

FYI: I am currently in environment where DHCP set DNS servers but policy deny connection to them (don't ask why). Therefore is much more visible if queries get forwarded to LAN DNS server just because they never get responded ... this may be reason why some of folks here claim that fix is working. If LAN DNS server respond with something then there is no visibility of problem ...

==

FYI2: all tests for this update was monitored by wireshark. ... just to not confuse with previous "fyi" comment

==

Lukas
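The Wireshark check in the message above, and the per-domain routing Paul describes for "Use this connection only for resources on its network", can also be tested against dnsmasq's own query log. This is an added example, not code from the bug thread, dnsmasq or NetworkManager; it assumes dnsmasq runs with log-queries enabled, and the addresses 10.8.0.1 (VPN DNS) and 192.168.1.1 (LAN DNS) and the sample log lines are constructed.

```python
"""Flag dnsmasq upstream forwards that bypass the VPN's DNS servers."""
import ipaddress
import re
from dataclasses import dataclass

# Line written by dnsmasq when query logging (log-queries) is on:
#   "... dnsmasq[PID]: forwarded NAME to SERVER"
FORWARDED = re.compile(
    r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<server>\S+)"
)


@dataclass(frozen=True)
class Leak:
    name: str    # hostname that was looked up
    server: str  # upstream server that received the query
    reason: str


def in_domains(name, domains):
    """True if name equals, or is a subdomain of, one of the domains."""
    name = name.rstrip(".").lower()
    for domain in domains:
        domain = domain.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False


def find_leaks(log_lines, vpn_servers, vpn_domains=(), split_dns=False):
    """Return a Leak for every forward that should have gone to VPN DNS.

    split_dns=False: every query must go to a VPN DNS server
                     (the full-tunnel expectation in the test above).
    split_dns=True:  only names under vpn_domains must go to a VPN DNS
                     server (routing decided by DNS domain name).
    """
    vpn = {ipaddress.ip_address(s) for s in vpn_servers}
    leaks = []
    for line in log_lines:
        match = FORWARDED.search(line)
        if match is None:
            continue  # query[...], reply, cached and other lines
        name = match["name"]
        # Accept an ip#port form as well as a bare address.
        raw_server = match["server"].split("#", 1)[0]
        try:
            server = ipaddress.ip_address(raw_server)
        except ValueError:
            continue  # not an address; skip rather than guess
        if server in vpn:
            continue
        if not split_dns:
            leaks.append(Leak(name, str(server), "query sent outside VPN DNS"))
        elif in_domains(name, vpn_domains):
            leaks.append(Leak(name, str(server), "VPN domain sent to non-VPN DNS"))
    return leaks


# Constructed sample: one lookup answered through the VPN, two forwarded
# to the LAN resolver while the VPN is up.
SAMPLE_LOG = """\
Apr 24 09:30:01 laptop dnsmasq[2210]: query[A] secure-company-server.example.com from 127.0.0.1
Apr 24 09:30:01 laptop dnsmasq[2210]: forwarded secure-company-server.example.com to 10.8.0.1
Apr 24 09:30:02 laptop dnsmasq[2210]: reply secure-company-server.example.com is 10.20.0.5
Apr 24 09:30:07 laptop dnsmasq[2210]: query[A] wiki.example.com from 127.0.0.1
Apr 24 09:30:07 laptop dnsmasq[2210]: forwarded wiki.example.com to 192.168.1.1
Apr 24 09:30:09 laptop dnsmasq[2210]: query[A] www.ubuntu.com from 127.0.0.1
Apr 24 09:30:09 laptop dnsmasq[2210]: forwarded www.ubuntu.com to 192.168.1.1
""".splitlines()

if __name__ == "__main__":
    print("full tunnel:")
    for leak in find_leaks(SAMPLE_LOG, ["10.8.0.1"]):
        print(f"  {leak.name} -> {leak.server} ({leak.reason})")
    print("split DNS for example.com:")
    for leak in find_leaks(SAMPLE_LOG, ["10.8.0.1"], ["example.com"], split_dns=True):
        print(f"  {leak.name} -> {leak.server} ({leak.reason})")
```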
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I think the problems being reported by NJ and Lukas at least, are different issues and you should file a new report about them. I can't say about GammaPoint because the description there ("DNS leaks") is not understandable to me.

This issue has the following characteristics: DNS lookups fail, often with an error of REFUSED. Restarting dnsmasq and/or "pkill -HUP NetworkManager" fixes the problem.

If your issue doesn't meet those characteristics (particularly if it isn't fixed by restarting dnsmasq or sending SIGHUP to NetworkManager to restart it) then it's probably not this bug and you should open a new bug.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I am running Ubuntu 16.04.2 LTS and I updated all packages to latest stable version including dnsmasq-base (2.75-1ubuntu0.16.04.2). VPN connection is still not working. Wireshark shows that all queries are forwarded to local DNS server instead of the one defined by VPN. This is not only an information leak but it also breaks DNS resolution entirely. I am getting "resolve call failed: Query timed out" from systemd-resolve and "no servers could be reached" from host command.

I downgraded network-manager again to 1.2.2-0ubuntu0.16.04.4 and it started working fine. Wireshark shows that all DNS queries (at least during the time I was monitoring it) are forwarded to correct DNS server defined by VPN server.

Is there a way to expedite this? This bug is affecting a lot of users and guys are considering not sticking with Ubuntu as work machine. If there is no clear way to fix this then please downgrade network-manager and network-manager-gnome back to 1.2.2* version in stable tree. Especially the second one is important as it will resolve problems with GUI and was removed from Ubuntu repository right after update was introduced ...
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
This bug fix corrected my VPN leaks in Ubuntu 16.10, but I've since upgraded to 17.04 (fresh install) and I'm seeing DNS leaks again. Should this issue be fixed in Zesty already, or is that coming later?
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I've installed dnsmasq-base_2.75-1ubuntu0.16.04.2 (on Linux Mint), installed the 1.2.6 version of Network Manager and . . my VPN still didn't work; the problem (that I had with network-manager 1.2.6 and the older version of dnsmasq) wasn't solved. Still, my problem didn't begin after suspend/resume but rather with boot. Reverting back, once again, to the 1.2.2 version of Network Manager makes everything work again.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
This bug was fixed in the package dnsmasq - 2.75-1ubuntu0.16.04.2

---
dnsmasq (2.75-1ubuntu0.16.04.2) xenial; urgency=medium

  * Add two upstream patches to fix binding to an interface being
    destroyed and recreated. LP: #1639776.
    + 2675f2061525bc954be14988d64384b74aa7bf8b
    + 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d

 -- Nishanth Aravamudan  Mon, 27 Mar 2017 17:22:13 -0700

** Changed in: dnsmasq (Ubuntu Xenial)
   Status: Fix Committed => Fix Released
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
This bug was fixed in the package dnsmasq - 2.76-4ubuntu0.1

---
dnsmasq (2.76-4ubuntu0.1) yakkety; urgency=medium

  * Add two upstream patches to fix binding to an interface being
    destroyed and recreated. LP: #1639776.
    + 2675f2061525bc954be14988d64384b74aa7bf8b
    + 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d

 -- Nishanth Aravamudan  Tue, 28 Mar 2017 10:36:48 -0700

** Changed in: dnsmasq (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released
Re: [Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Hi Paul, https://wiki.ubuntu.com/StableReleaseUpdates is the standard reference. It takes at least 7 days in -proposed before the SRU team will release it. Thanks, Nish -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1639776 Title: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Given the current state of Zesty and the proximity to a release day I believe we need patience here heh.
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
Just curious if there's more work needed here before this fix moves out of proposed and into standard updates for xenial / yakkety, or if not then is there a timeline when that transition is normally expected? I'm currently recommending to users that they reset NetworkManager by hand when they have a DNS error: once this package makes it into the normal update queue then I can just tell them to update their systems. Thanks!
[Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface
I have merged in another bug(s) and updated the name of the bug to be a bit more "user friendly".

** Summary changed:

- dnsmasq fails to send queries out after suspend disconnects the interface
+ name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface