[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Steve Langasek
> These systems are using dnsmasq not systemd-resolver.
> This was done for historical reasons; I'm not sure of
> the specific bug which caused that choice.

NetworkManager in Ubuntu 16.04 and earlier defaulted to integrating with
dnsmasq.  But on 18.04 and later, this integration has been deliberately
replaced with integration with systemd-resolved.  If you are overriding
this default integration to force the use of dnsmasq instead of systemd-
resolved, that is likely not a supportable configuration.

In contrast, any bug in the systemd-resolved integration in 18.04 that
would force you to work around it by switching to dnsmasq is almost
certainly an SRUable bug.  If you can find the information about why you
switched to dnsmasq, please report this as a bug against systemd (with
'ubuntu-bug systemd') and provide a link to the bug here.

-- 
You received this bug notification because you are a member of Network-
manager, which is subscribed to NetworkManager.
https://bugs.launchpad.net/bugs/1754671

Title:
  Full-tunnel VPN DNS leakage regression

To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager/+bug/1754671/+subscriptions

-- 
ubuntu-desktop mailing list
ubuntu-desktop@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop


[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
We aren't using systemd-resolver for various historical reasons; we are
using dnsmasq which should be expected to work. It isn't, but we have
manually added the dns-priority=-1;dns-search=~. settings which make it
work, as an emergency deployment when the latest NM update broke things
for everyone.


[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
This is Bionic.

After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are
using dnsmasq) reported that DNS stopped working for them while they
were on the VPN. Some internal names were looked up correctly, others
weren't.

I resolved it for them as follows:

$ sudo nmcli con modify "$COMPANY VPN" ipv4.dns-priority -1 ipv4.dns-search ~.

This matches the observations I made in comment #18 on 2019-02-04.

I believe that with 1.10.6 all $company.com DNS did get sent to the VPN
and it was lookups outside the company search domains which were leaked.
So it was mostly functional, but insecure. Since 1.10.14 it got worse
and many (but not all) of the $company.com lookups are being leaked too.
Which is a functional problem.


(For Xenial, my advice to users has been the same since March 2018 when this 
ticket was first filed: tell apt to hold 
network-manager_1.2.2-0ubuntu0.16.04.4_amd64.deb and don't let it get updated 
until/unless the regression is fixed.)

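The workaround above pins every lookup to the VPN's resolver by giving the VPN connection a negative ipv4.dns-priority and a dns-search of "~." (the catch-all routing domain). The script below is an added audit helper, not code from the bug thread or from NetworkManager: it takes the two property values as printed by `nmcli -g ipv4.dns-priority,ipv4.dns-search con show NAME` (assumed here to be one value per line, with dns-search comma-separated) and reports whether a full-tunnel VPN profile is pinned or whether split-DNS routing could still send some queries to the underlay resolver. The function names and the check_connection wrapper are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit a NetworkManager VPN profile
# for the DNS-pinning settings discussed in LP: #1754671.
#
# A full-tunnel VPN is treated as "pinned" only when both hold:
#   * ipv4.dns-priority is negative  (VPN resolver outranks every other connection)
#   * ipv4.dns-search contains "~."  (every domain is routed to this connection)
# Anything else means systemd-resolved / dnsmasq may route part of the
# namespace to the physical interface's resolver, i.e. queries can leak.

# vpn_dns_pinned PRIORITY SEARCH -> exit 0 when pinned, 1 when leak-prone.
vpn_dns_pinned() {
    prio="$1"
    search="$2"
    case "$prio" in
        -*) ;;                    # negative priority: VPN DNS wins for all lookups
        *)  return 1 ;;           # 0 (default) or positive: other resolvers compete
    esac
    case ",$search," in
        *",~.,"*) return 0 ;;     # catch-all routing domain present (alone or in a list)
        *)        return 1 ;;     # only specific search domains: everything else leaks
    esac
}

# audit_from_nmcli_output TEXT -> prints "pinned" or "leaky".
# TEXT is the two-line output of
#   nmcli -g ipv4.dns-priority,ipv4.dns-search con show NAME
# (assumed layout: priority on line 1, comma-separated search list on line 2).
audit_from_nmcli_output() {
    prio=$(printf '%s\n' "$1" | sed -n '1p')
    search=$(printf '%s\n' "$1" | sed -n '2p')
    if vpn_dns_pinned "$prio" "$search"; then
        echo "pinned"
    else
        echo "leaky"
    fi
}

# check_connection NAME -> queries the live profile and prints the verdict.
# Only usable on a host with nmcli; the verdict logic above is offline.
check_connection() {
    out=$(nmcli -g ipv4.dns-priority,ipv4.dns-search con show "$1") || return 1
    printf '%s: %s\n' "$1" "$(audit_from_nmcli_output "$out")"
}

# Constructed sample values (not captured from a real system), one per VPN profile:
sample_default=$(printf '%s\n%s\n' '0' '')               # stock profile, no pinning
sample_pinned=$(printf '%s\n%s\n' '-1' '~.')             # the thread's workaround
sample_partial=$(printf '%s\n%s\n' '-1' 'corp.example')  # priority only: still leaks

# Run against named profiles when invoked with arguments, otherwise show the samples.
if [ "$#" -gt 0 ]; then
    for name in "$@"; do check_connection "$name"; done
else
    printf 'stock profile:   %s\n' "$(audit_from_nmcli_output "$sample_default")"
    printf 'with workaround: %s\n' "$(audit_from_nmcli_output "$sample_pinned")"
    printf 'priority only:   %s\n' "$(audit_from_nmcli_output "$sample_partial")"
fi
```

A profile reported as "leaky" is fixed with the command from the message above (`nmcli con modify NAME ipv4.dns-priority -1 ipv4.dns-search '~.'`); the same two properties exist under ipv6 and can be checked the same way.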

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
On the 1.10.14 regression simply making those dns-priority/dns-search
settings the *default* behaviour for a full-tunnel VPN would appear to
be the correct thing to do (i.e. use the DNS of a full-tunnel VPN for
*all* lookups), and I think it should resolve the problems people were
seeing.


[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Steve Langasek
Due to the SRU regressions reported in LP: #1829838 and LP: #1829566, I
have reverted this SRU for the moment, restoring network-manager
1.10.6-2ubuntu1.1 to bionic-updates.  I am marking this bug
verification-failed pending resolution of the reported regressions.

** Changed in: network-manager (Ubuntu Bionic)
   Status: Fix Released => In Progress

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-failed verification-failed-bionic


[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
On the switch to using dnsmasq: that decision predates my tenure so I
have limited visibility. I can try to get our IT team to expend effort
in moving to systemd-resolved and see what breaks. It may even be
completely unnecessary in xenial, and is merely inherited to make our
bionic setups less different.

I completely agree with the general observation that they should be
filing bugs upstream and not working around them. But if I tell them
that, I suspect they're going to point at this security regression in
Xenial that still isn't fixed 14 months later, and tell me that working
around things locally is much more effective. Right now, I don't know
that I can tell them they're wrong.

Let's show them the process works, *then* I'll tell them they have to
use it :)


[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
Dammit, "completely unnecessary in bionic but inherited from xenial"...


[Bug 942856] Re: NetworkManager does not support AES-encrypted private keys for WPA 802.1x authentication

2019-05-23 Thread Steve Langasek
Due to the SRU regressions reported in LP: #1829838 and LP: #1829566, I
have reverted this SRU for the moment, restoring network-manager
1.10.6-2ubuntu1.1 to bionic-updates.  I am marking this bug
verification-failed pending resolution of the reported regressions.

** Changed in: network-manager (Ubuntu Bionic)
   Status: Fix Released => In Progress

** Tags removed: verification-done verification-done-bionic
** Tags added: verification-failed verification-failed-bionic

-- 
You received this bug notification because you are a member of Network-
manager, which is subscribed to NetworkManager.
https://bugs.launchpad.net/bugs/942856

Title:
  NetworkManager does not support AES-encrypted private keys for WPA
  802.1x authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager/+bug/942856/+subscriptions

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Till Kamppeter
dwmw2, the systemd fix was mainly meant for people with standard
configuration where this fix is actually needed and solves the problem.

You are writing that adding "dns-priority=-1;dns-search=~." solves the
problem for you. Where/to which file did you add this? Do you need this
already with the original network-manager version of Bionic (1.10.6) or
do you only need it after the update (1.10.14)?


[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Till Kamppeter
Unfortunately, the SRU for systemd did not yet get processed. Therefore
I have now uploaded this version of systemd to my PPA so that you can
already test/get your problem solved. Please tell here whether it
actually fixes the bug.

Here is my PPA:

https://launchpad.net/~till-kamppeter/+archive/ubuntu/ppa

Please follow this link, follow the instructions in the section "Adding
this PPA to your system", then update your system with the command

sudo apt dist-upgrade

This will update only systemd as I did not upload any other package for
Bionic to my PPA.

Make also sure you have the update of network-manager (1.10.14-0ubuntu2)
installed. Reboot and check whether everything works correctly now.
