I have successfully backported Thomas Haller's excellent upstream solution as detailed in https://bugzilla.gnome.org/show_bug.cgi?id=783569 . This took some time as things have changed quite a bit upstream, but the patch works on the current zesty 17.04 1.4.4-1ubuntu3.1 network-manager! This is a much better fix than the stopgap SetLinkDomains "." bus call based on link type that I included in the previous patch. It should be reviewed for current application/submission to the package maintainers as it is basically a direct backport of Haller's fix merged upstream.
NOTE: You MUST set the ipv4.dns-priority to a negative number for the network-manager to unseat DNS configurations for other, non-VPN interfaces. This patch allows for correct behavior with a negative ipv4.dns-priority: "Negative values have the special effect of excluding other configurations with a greater priority value; so in presence of at least a negative priority, only DNS servers from connections with the lowest priority value will be used." Usage of a negative dns-priority disables DNS configuration for all other interfaces, ensuring there are no DNS leaks over a VPN connection using systemd-resolved. Before Haller's bugfix, this feature did not work with systemd-resolved.

To set the ipv4.dns-priority, open the VPN connection profile you have configured through NM like so:

    sudo nano /etc/NetworkManager/system-connections/<VPN-con-profile-name-here>

and add the line (a value of -42 is recommended by Haller)

    dns-priority=-42

so that the file contains something like:

    [ipv4]
    dns-priority=-42
    dns-search=
    method=auto

Alternatively, use the command

    sudo nmcli connection modify "<VPN-con-profile-name-here>" ipv4.dns-priority -42

and you should see that the config file for that connection contains the same line as shown above.

After doing so and patching/installing the patched network manager, you should not experience DNS leaks. When I am connected to PIA's servers through network-manager-openvpn using the patched network manager and a negative ipv4.dns-priority set for my VPN connection, the output of systemd-resolved looks like this (notice that the Verizon ISP DNS server was 'unseated' and is absent for the primary wireless link wlo1):

    Global
      DNSSEC NTA: 10.in-addr.arpa
                  ...(long list of NTAs omitted)...
                  test

    Link 4 (tun0)
          Current Scopes: DNS
           LLMNR setting: yes
    MulticastDNS setting: no
          DNSSEC setting: no
        DNSSEC supported: no
             DNS Servers: 209.222.18.222
                          209.222.18.218

    Link 2 (wlo1)
          Current Scopes: LLMNR/IPv4 LLMNR/IPv6
           LLMNR setting: yes
    MulticastDNS setting: no
          DNSSEC setting: no
        DNSSEC supported: no

If anyone is curious about support for the routing-only domain in NM, see the following bug, which is about adding support for routing-only domains for systemd-resolved (still work in progress): https://bugzilla.gnome.org/show_bug.cgi?id=746422

** Bug watch added: GNOME Bug Tracker #746422
   https://bugzilla.gnome.org/show_bug.cgi?id=746422

** Patch added: "systemd-resolved-dns-priority-fix.patch"
   https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1624317/+attachment/4900587/+files/systemd-resolved-dns-priority-fix.patch

https://bugs.launchpad.net/bugs/1624317

Title:
  systemd-resolved breaks VPN with split-horizon DNS

Status in systemd:
  New
Status in network-manager package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed
Status in network-manager source package in Artful:
  Confirmed
Status in systemd source package in Artful:
  Confirmed

Bug description:
  I use a VPN configured with network-manager-openconnect-gnome in which a split-horizon DNS setup assigns different addresses to some names inside the remote network than the addresses seen for those names from outside the remote network. However, systemd-resolved often decides to ignore the VPN's DNS servers and use the local network's DNS servers to resolve names (whether in the remote domain or not), breaking the split-horizon DNS.
  This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL: https://bugzilla.redhat.com/show_bug.cgi?id=1151544
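As an added example (not code from this bug thread, from NetworkManager or from systemd), the following models the dns-priority rule quoted above and checks a resolver status dump for the leak the thread describes. It assumes: the nm-settings(5) defaults of 50 for VPN connections and 100 for other connections when dns-priority is 0 and no global default is set; a status dump in the shape of `systemd-resolve --status`; and constructed connection names and a constructed ISP resolver address (192.0.2.53) standing in for the unseated Verizon server.

```python
"""Added example for the dns-priority rule and a DNS-leak check; not code from the
bug thread, NetworkManager or systemd. Connection names, the leaking address
192.0.2.53 and the wifi/VPN flags below are constructed for illustration."""
import re


def resolve_priority(value, is_vpn):
    """Per the nm-settings(5) description of dns-priority: 0 selects the
    default, which is 50 for VPN connections and 100 for everything else
    (assuming no global default is configured in NetworkManager.conf)."""
    if value != 0:
        return value
    return 50 if is_vpn else 100


def effective_dns(connections):
    """connections: name -> (dns_priority, is_vpn, [servers]).

    Lower value wins. If at least one effective priority is negative, only the
    connections sharing the lowest value contribute DNS servers; the rest are
    'unseated'. With no negative value nothing is excluded, servers are merely
    ordered by priority. Returns name -> servers, most preferred first."""
    prios = {n: resolve_priority(p, vpn) for n, (p, vpn, _) in connections.items()}
    if not prios:
        return {}
    lowest = min(prios.values())
    keep = {n for n, p in prios.items() if p == lowest} if lowest < 0 else set(prios)
    return {n: connections[n][2] for n in sorted(keep, key=lambda n: prios[n])}


# Constructed dump in the shape of `systemd-resolve --status`, using the link
# names and PIA resolver addresses quoted in the thread above.
STATUS_PATCHED = """\
Global
  DNSSEC NTA: 10.in-addr.arpa
              test

Link 4 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 209.222.18.222
                      209.222.18.218

Link 2 (wlo1)
      Current Scopes: LLMNR/IPv4 LLMNR/IPv6
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
"""

# Same dump with a constructed ISP resolver still attached to wlo1, i.e. the
# pre-patch leak the thread describes.
STATUS_LEAKING = STATUS_PATCHED + "         DNS Servers: 192.0.2.53\n"

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")
# A 'Key: value' line; an IPv6 continuation such as 2001:db8::2 does not match
# because the key must consist of letters, spaces and slashes only.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*)$")


def parse_link_dns(status_text):
    """Map each per-link section to the DNS servers listed under it.
    The Global section is skipped; continuation lines (indented, no key)
    following 'DNS Servers:' are collected until a blank line or a new key."""
    servers, link, collecting = {}, None, False
    for line in status_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            link, collecting = m.group("name"), False
            servers[link] = []
            continue
        if line.startswith("Global"):
            link, collecting = None, False
            continue
        if link is None:
            continue
        km = KEY_RE.match(line)
        if km:
            collecting = km.group(1).strip() == "DNS Servers"
            if collecting and km.group(2).strip():
                servers[link].append(km.group(2).strip())
            continue
        value = line.strip()
        if collecting and value:
            servers[link].append(value)
        elif not value:
            collecting = False
    return servers


def dns_leaks(link_servers, vpn_links=("tun0",)):
    """Every non-VPN link that still carries DNS servers is a leak candidate."""
    return {l: s for l, s in link_servers.items() if l not in vpn_links and s}


if __name__ == "__main__":
    for label, dump in (("patched", STATUS_PATCHED), ("leaking", STATUS_LEAKING)):
        found = parse_link_dns(dump)
        print(label, found, "leaks:", dns_leaks(found))
```

On a live system the dump would come from `systemd-resolve --status` and the VPN link name from the active connection; the point of `effective_dns` is that a single negative value (such as the -42 above) is what removes the wifi connection's servers entirely, whereas the 50/100 defaults only order them.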