Public bug reported:

Currently, NM writes all search domains both to any DNS-handling plugins
that are running and to resolv.conf / resolvconf, in all cases.

The issue is that in the split-DNS case on VPNs, a lookup may get a
negative response from all nameservers, after which glibc issues a new
request with the search domain appended, again to the nameservers. That
can cause DNS requests for "private" resources (say, on the VPN) to be
sent to external, untrusted resolvers, or DNS queries not meant for the
VPN nameservers to be sent through the VPN anyway.

This is fixable in the case where we have a caching plugin running (such
as dnsmasq). dnsmasq will already know about the search domains and use
that to limit queries to the right nameservers when a VPN is running.
Writing search domains to resolv.conf is unnecessary in this case.

We should still write search domains when no caching is done, since then
we need glibc to send requests as it otherwise would.
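To make the two leak paths concrete, here is an added model (not NetworkManager or dnsmasq code) of how glibc walks a resolv.conf search list after NXDOMAIN and where each resulting query ends up with dnsmasq-style split routing versus a flat resolv.conf; the resolver addresses and the domain corp.example are constructed example values.

```python
# Added illustration of the report above, not NetworkManager or dnsmasq code.
# It models two things: how glibc walks a resolv.conf search list on NXDOMAIN,
# and where each resulting query ends up with and without split routing.
# The addresses and domain below are constructed example values.
VPN_NS = "10.8.0.1"          # resolver pushed by the VPN (assumed)
EXTERNAL_NS = "192.0.2.53"   # the LAN's untrusted upstream resolver (assumed)
VPN_DOMAIN = "corp.example"  # domain the VPN resolver should answer for

def glibc_candidates(name, search, ndots=1):
    """Names glibc tries, in order, for `name` given a resolv.conf search list.
    With fewer than `ndots` dots the search suffixes are tried first; otherwise
    the name is tried as given and the suffixes only after an NXDOMAIN."""
    if name.endswith("."):                       # absolute name: no search
        return [name]
    suffixed = [f"{name}.{s}" for s in search]
    return suffixed + [name] if name.count(".") < ndots else [name] + suffixed

def route_split(qname):
    """dnsmasq-style split DNS (server=/corp.example/10.8.0.1): only names under
    the VPN domain go to the VPN resolver, everything else goes upstream."""
    under_vpn = qname == VPN_DOMAIN or qname.endswith("." + VPN_DOMAIN)
    return [VPN_NS] if under_vpn else [EXTERNAL_NS]

def route_flat(qname):
    """No caching plugin: resolv.conf lists both nameservers and glibc may try
    every one of them for every candidate name."""
    return [VPN_NS, EXTERNAL_NS]

def queries_sent(name, search, routing):
    """(qname, resolver) pairs in the worst case where every candidate name
    returns NXDOMAIN, so glibc walks the whole search list."""
    return [(cand, ns) for cand in glibc_candidates(name, search)
            for ns in routing(cand)]

def resolvers_hit(name, search, routing):
    """Set of resolvers that saw at least one query for a lookup of `name`."""
    return {ns for _, ns in queries_sent(name, search, routing)}

if __name__ == "__main__":
    # dnsmasq routing, but the search domain still written to resolv.conf (the
    # bug): a failed public lookup gets "corp.example" appended and enters the VPN.
    print(queries_sent("typo.example.net", [VPN_DOMAIN], route_split))
    # proposed fix: dnsmasq routes, resolv.conf carries no search line.
    print(queries_sent("typo.example.net", [], route_split))
    # no caching plugin at all: the private name reaches the external resolver,
    # which is why search domains must still be written in that case.
    print(queries_sent("wiki", [VPN_DOMAIN], route_flat))
```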

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1592721

Title:
  Don't write search domains to resolv.conf in the case of split DNS

Status in network-manager package in Ubuntu:
  New


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp