Public bug reported:

When using our company VPN, the Network Manager configured dnsmasq
ends up in a weird state where it's unable to answer queries because
it's (incorrectly) sending them to 127.0.0.1:53 where nothing is
listening.

| root@ornery:~# nmcli con show 'Canonical UK - All Traffic' | grep -i dns
| ipv4.dns:
| ipv4.dns-search:
| ipv4.dns-options:                       (default)
| ipv4.ignore-auto-dns:                   no
| ipv6.dns:
| ipv6.dns-search:
| ipv6.dns-options:                       (default)
| ipv6.ignore-auto-dns:                   no
| IP4.DNS[1]:                             10.172.192.1
| root@ornery:~# ps auxfwwwww | grep [4]035
| nobody    4035  0.0  0.0  52872  1620 ?        S    Jun29   6:39  \_ /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
| root@ornery:~# 

Querying the DNS server provided by the VPN connection works; querying
dnsmasq doesn't:

| root@ornery:~# dig +short @10.172.192.1 www.openbsd.org
| 129.128.5.194
| root@ornery:~# dig @127.0.1.1 www.openbsd.org
| 
| ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.1.1 www.openbsd.org
| ; (1 server found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6996
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
| 
| ;; QUESTION SECTION:
| ;www.openbsd.org.               IN      A
| 
| ;; Query time: 0 msec
| ;; SERVER: 127.0.1.1#53(127.0.1.1)
| ;; WHEN: Mon Jul 18 10:25:48 CEST 2016
| ;; MSG SIZE  rcvd: 33
| 
| root@ornery:~# 

While running 'dig @127.0.1.1 www.openbsd.org':

| root@ornery:~# tcpdump -i lo port 53 -v -n
| tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
| 10:26:04.728905 IP (tos 0x0, ttl 64, id 56577, offset 0, flags [none], proto UDP (17), length 72)
|     127.0.0.1.54917 > 127.0.1.1.53: 32273+ [1au] A? www.openbsd.org. (44)
| 10:26:04.729001 IP (tos 0x0, ttl 64, id 49204, offset 0, flags [DF], proto UDP (17), length 61)
|     127.0.1.1.53 > 127.0.0.1.54917: 32273 Refused$ 0/0/0 (33)

| root@ornery:~# netstat -anp | grep 127.0.[01].1:53
| tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      4035/dnsmasq
| udp        0      0 127.0.1.1:53            0.0.0.0:*                           4035/dnsmasq
| root@ornery:~# 

You can see below a) that dnsmasq thinks it is configured to use a DNS
server provided by the VPN, and/but that b) it tries to answer a
non-local query like www.openbsd.org locally.

| root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
| Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
| Jul 18 09:29:22 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
| Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
| Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
| Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
| root@ornery:~# dig +short @127.0.1.1 www.openbsd.org
| root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
| Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
| Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
| Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
| Jul 18 09:29:37 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
| Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
| Jul 18 09:29:37 ornery dnsmasq[4035]: queries for authoritative zones 0
| Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
| root@ornery:~# 

This is on Ubuntu 16.04, with the following packages:

| james@ornery:~$ COLUMNS=200 dpkg -l dnsmasq-base network-manager network-manager-openvpn | grep ^ii
| ii  dnsmasq-base                                 2.75-1ubuntu0.16.04.1       amd64                       Small caching DNS proxy and DHCP/TFTP server
| ii  network-manager                              1.2.0-0ubuntu0.16.04.2      amd64                       network management framework (daemon and userspace tools)
| ii  network-manager-openvpn                      1.1.93-1ubuntu1             amd64                       network management framework (OpenVPN plugin core)
| james@ornery:~$

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1603898

Title:
  DNS resolution fails when using VPN and routing all traffic over it
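
The before/after comparison of dnsmasq's SIGUSR1 statistics shown in the report, automated as an added example (not part of the original report; the function names are hypothetical). The sample lines are the report's own log output with mail-wrapped lines rejoined and trimmed to the lines the parser reads.

```python
import re

# The report's two `tail` outputs (wrapped lines rejoined, trimmed to parsed lines).
BEFORE = """\
Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
"""
AFTER = """\
Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
"""

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
TOTALS = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)$")
SERVER = re.compile(r"server (\S+): queries sent (\d+), retried or failed (\d+)$")

def last_dump(text):
    """Return the newest statistics dump found in syslog text, or None."""
    dump = None
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if re.fullmatch(r"time \d+", msg):
            # Each dump begins with a 'time <epoch>' line.
            dump = {"time": int(msg.split()[1]), "forwarded": 0, "local": 0, "servers": {}}
        elif dump is None:
            continue  # tail cut into an older dump: ignore its leftover lines
        elif (q := TOTALS.match(msg)):
            dump["forwarded"], dump["local"] = int(q[1]), int(q[2])
        elif (s := SERVER.match(msg)):
            dump["servers"][s[1]] = int(s[2])
    return dump

def classify(before, after):
    """Say what dnsmasq did with the queries made between two dumps."""
    fwd = after["forwarded"] - before["forwarded"]
    local = after["local"] - before["local"]
    sent = {srv: n - before["servers"].get(srv, 0) for srv, n in after["servers"].items()}
    if fwd == 0 and local > 0 and not any(sent.values()):
        verdict = "answered locally, nothing sent upstream"
    else:
        verdict = "forwarded upstream" if fwd > 0 else "no queries seen"
    return {"forwarded": fwd, "local": local, "sent": sent, "verdict": verdict}

if __name__ == "__main__":
    print(classify(last_dump(BEFORE), last_dump(AFTER)))
```
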
