I have successfully backported Thomas Haller's excellent upstream
solution as detailed in
https://bugzilla.gnome.org/show_bug.cgi?id=783569. This took some time as
things have changed quite a bit upstream, but the patch works on the
current zesty 17.04 1.4.4-1ubuntu3.1 network-manager! This is a much
better fix than the stopgap SetLinkDomains "." bus call based on link
type I included in the previous patch. It should be reviewed for
current application/submission to the package maintainers as it is
basically a direct backport of Haller's fix merged upstream.

NOTE: You MUST set the ipv4.dns-priority to a negative number for the
network-manager to unseat DNS configurations for other non-VPN
interfaces. This patch allows for correct behavior with negative
ipv4.dns-priority: "Negative values have the special effect of excluding
other configurations with a greater priority value; so in presence of at
least a negative priority, only DNS servers from connections with the
lowest priority value will be used." Usage of a negative dns-priority
disables DNS configuration for all other interfaces, ensuring there are
no DNS leaks over a VPN connection using systemd-resolved. Before
Haller's bugfix, this feature did not work with systemd-resolved.

To set the ipv4.dns-priority, open the VPN connection profile you have
configured through NM like so:
sudo nano /etc/NetworkManager/system-connections/<VPN-con-profile-name-here>
and add the line "dns-priority=-42" (value of -42 recommended by Haller) so
that the file contains something like:

[ipv4]
dns-priority=-42
dns-search=
method=auto

Alternatively, use the command
sudo nmcli connection modify "<VPN-con-profile-name-here>" ipv4.dns-priority -42
And you should see that the config file for that connection contains the same 
line as shown above. After doing so and patching/installing the patched network 
manager, you should not experience DNS leaks.

When I am connected to PIA's servers through network-manager-openvpn
using the patched network manager and a negative ipv4.dns-priority set
for my VPN connection, the output of systemd-resolved looks like this
(notice that the Verizon ISP DNS server was 'unseated' and is absent for
the primary wireless link wlo1):

Global
          DNSSEC NTA: 10.in-addr.arpa               
                      ...(long list of NTAs omitted)...
                      test

Link 4 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 209.222.18.222
                      209.222.18.218

Link 2 (wlo1)
      Current Scopes: LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

If anyone is curious about support for the routing-only domain in NM,
see the following bug https://bugzilla.gnome.org/show_bug.cgi?id=746422
which is about adding support for routing-only domains for systemd-
resolved (still work in progress).

** Bug watch added: GNOME Bug Tracker #746422
   https://bugzilla.gnome.org/show_bug.cgi?id=746422

** Patch added: "systemd-resolved-dns-priority-fix.patch"
   https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1624317/+attachment/4900587/+files/systemd-resolved-dns-priority-fix.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1624317

Title:
  systemd-resolved breaks VPN with split-horizon DNS

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1624317/+subscriptions
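The status dump quoted in the comment above is the evidence that the negative dns-priority took effect: only the tunnel link carries DNS servers. The following is an added example, not code from the bug report, NetworkManager or systemd, that turns that manual inspection into a check. It assumes the "systemd-resolve --status" layout shown in the report (a "Link N (ifname)" header, a "DNS Servers:" field, indented continuation lines for additional servers), takes the VPN interface name as an argument (tun0 here), and embeds two constructed samples: one condensed from the leak-free output in the report and one depicting the pre-fix situation with an ISP resolver still attached to wlo1.

```shell
#!/bin/sh
# Added example; not code from the bug report, NetworkManager or systemd.
# Checks a `systemd-resolve --status` style dump (the format quoted in the
# report) for DNS servers attached to anything other than the VPN tunnel
# link. With the dns-priority fix and a negative ipv4.dns-priority, every
# other link (and the Global section) should be left without servers; a
# server elsewhere is a resolver that could still be queried alongside the VPN.

# Emit "<link> <server>" for every DNS server in the status text on stdin.
# "Global" is used as the link name for the Global section.
dns_servers_by_link() {
    awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); in_dns = 0; next }
        /^Global/         { link = "Global"; in_dns = 0; next }
        /DNS Servers:/    { in_dns = 1; print link " " $NF; next }
        # Continuation lines of the server list are indented and contain only
        # an IPv4/IPv6 literal; any other line ends the list.
        in_dns && /^[[:space:]]+[0-9A-Fa-f.:]+[[:space:]]*$/ { print link " " $1; next }
        { in_dns = 0 }
    '
}

# check_dns_leak <vpn-interface>   (status text on stdin)
# Prints every server that is not on the VPN link; returns 1 if any exist.
check_dns_leak() {
    vpn_if="$1"
    leaks=$(dns_servers_by_link | awk -v vpn="$vpn_if" '$1 != vpn { print }')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed sample, condensed from the output quoted in the report:
# servers only on tun0, none on wlo1 or in the Global section.
SAMPLE_LEAKFREE=$(cat <<'EOF'
Global
          DNSSEC NTA: 10.in-addr.arpa
                      test

Link 4 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
         DNS Servers: 209.222.18.222
                      209.222.18.218

Link 2 (wlo1)
      Current Scopes: LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
EOF
)

# Constructed sample of the pre-fix situation: the Wi-Fi link still carries
# an ISP resolver (192.0.2.1 is a documentation address, not a real server).
SAMPLE_LEAKY=$(cat <<'EOF'
Link 4 (tun0)
      Current Scopes: DNS
         DNS Servers: 209.222.18.222

Link 2 (wlo1)
      Current Scopes: DNS
         DNS Servers: 192.0.2.1
EOF
)

# Live usage on a patched system:  systemd-resolve --status | check_dns_leak tun0
printf '%s\n' "$SAMPLE_LEAKY" | check_dns_leak tun0 || echo "servers listed above are not on the VPN link"
```

This is a configuration check, not traffic observation: it confirms that resolved has no resolver outside the tunnel to send queries to, which is the condition the dns-priority fix is meant to establish. Global servers are flagged as well, since a Global resolver answers for any name that no link-specific domain claims.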

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
