I don't think this should be considered a 'feature request'. If you have a full-tunnel VPN, your employer will *expect* all your network traffic to go via the VPN as if you were dialled directly into the corporate network. Allowing some of the DNS traffic to "escape" to be seen by potentially malicious local DNS servers is utterly wrong.
In particular I don't agree this is a 'feature request' for 16.04 because it *used* to work there. You fixed it once with this patch: http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch

That patch got dropped in an update, so this isn't just a security problem but also a regression in 16.04.

cf. https://bugzilla.gnome.org/show_bug.cgi?id=746422
    https://bugzilla.redhat.com/show_bug.cgi?id=1553634

** Bug watch added: GNOME Bug Tracker #746422
   https://bugzilla.gnome.org/show_bug.cgi?id=746422

** Bug watch added: Red Hat Bugzilla #1553634
   https://bugzilla.redhat.com/show_bug.cgi?id=1553634

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/666446

Title:
  NetworkManager VPN should offer an option to use *only* VPN nameservers

Status in NetworkManager:
  Confirmed
Status in network-manager package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: network-manager

  If I configure a VPN in NetworkManager, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.

  Here's the scenario: My two office DNS servers support DNSSEC validation. My ISP at home does not. When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name resolves, when it should fail. If this were a real attack instead of a test scenario, it'd have security implications.

  If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.
  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/NetworkManager/nm-crash-logger usr/lib/NetworkManager/nm-dhcp-client.action usr/lib/NetworkManager/nm-dispatcher.action usr/lib/NetworkManager/nm-avahi-autoipd.action]
  ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
  Uname: Linux 2.6.32-25-generic x86_64
  Architecture: amd64
  CRDA: Error: [Errno 2] No such file or directory
  Date: Mon Oct 25 13:32:47 2010
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
  Keyfiles: Error: [Errno 2] No such file or directory
  ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
  SourcePackage: network-manager
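The bug description above hinges on one observable condition: after the VPN comes up, /etc/resolv.conf still lists the local (ISP or home-router) resolver behind the VPN's own servers, so a SERVFAIL from the validating servers lets libc fall through to the non-validating one. The following shell snippet is an added example, not code from the bug report or from NetworkManager: it parses a resolv.conf body and reports any nameserver that is not in an operator-supplied allowlist of VPN-provided resolvers. The sample resolv.conf content and the 10.8.0.x / 192.168.1.1 addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample: what /etc/resolv.conf looks like when the VPN's
# resolvers are only *prepended* (the behaviour the bug describes).
# 10.8.0.2 and 10.8.0.3 stand in for the VPN-pushed servers; 192.168.1.1
# stands in for the local router / ISP resolver that should not be there.
SAMPLE_RESOLV_CONF='# Generated by NetworkManager
nameserver 10.8.0.2
nameserver 10.8.0.3
nameserver 192.168.1.1
search corp.example'

# leaked_nameservers RESOLV_CONF_BODY ALLOWLIST
#   RESOLV_CONF_BODY: full text of a resolv.conf file
#   ALLOWLIST:        space-separated nameserver addresses the VPN pushed
# Prints the space-separated nameservers that are NOT in the allowlist and
# returns 0 when there is no leak, 1 when at least one extra resolver is present.
leaked_nameservers() {
    body=$1
    allowed=$2
    leaked=""
    # Only "nameserver" directives matter; "search"/"options" lines are ignored.
    for ns in $(printf '%s\n' "$body" | awk '$1 == "nameserver" { print $2 }'); do
        found=0
        for ok in $allowed; do
            [ "$ns" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && leaked="$leaked$ns "
    done
    printf '%s' "${leaked% }"
    [ -z "$leaked" ]
}

# Usage against the live file (the VPN addresses are assumed, adjust them):
#   leaked_nameservers "$(cat /etc/resolv.conf)" "10.8.0.2 10.8.0.3" \
#       && echo "no leak" || echo "leak: non-VPN resolvers present"
```

Run this from a NetworkManager dispatcher script or by hand after the VPN connects; a non-empty result means the condition in the bug report is present. Independently of this bug, newer NetworkManager releases let you ask for the VPN's resolvers to be used exclusively by giving the VPN connection a negative ipv4.dns-priority (for example `nmcli connection modify <vpn> ipv4.dns-priority -42`); that setting is not mentioned in the bug and is assumed to be available on your release.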