[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
This bug was fixed in the package network-manager - 1.10.6-2ubuntu1.2

---
network-manager (1.10.6-2ubuntu1.2) bionic; urgency=medium

  [ Till Kamppeter ]
  * debian/tests/nm: Add gi.require_version() calls for NetworkManager and
    NMClient to avoid stderr output which fails the test. (LP: #1825946)

  [ Dariusz Gadomski ]
  * d/p/fix-dns-leak-lp1754671.patch: backport of DNS leak fix. (LP: #1754671)
  * d/p/lp1790098.patch: retry activating devices when the parent becomes
    managed. (LP: #1790098)

 -- Dariusz Gadomski  Sat, 07 Sep 2019 16:10:59 +0200

** Changed in: network-manager (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Network-manager, which is subscribed to NetworkManager.
https://bugs.launchpad.net/bugs/1754671

Title:
  Full-tunnel VPN DNS leakage regression

To manage notifications about this bug go to:
https://bugs.launchpad.net/network-manager/+bug/1754671/+subscriptions

-- 
ubuntu-desktop mailing list
ubuntu-desktop@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I have just run the test case from this bug description on the bionic-proposed version 1.10.6-2ubuntu1.2. tcpdump does not show any leak of the VPN-specific queries. I have not observed other issues in my tests.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Hello dwmw2, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.6-2ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: network-manager (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags removed: verification-done verification-done-bionic
** Tags added: verification-needed verification-needed-bionic
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Sorry for the late reply, I was at a conference last week.

I installed the PPA now and tested with the reproducer of the initial posting. This works for me. Also the machine in general seems to work OK with this version of network-manager.

Thank you very much Dariusz for packaging this version.

So now the 1.10.14 should be removed from -proposed (to avoid the need for an epoch), and the version from the PPA of Dariusz should get uploaded into -proposed, and then the reporters of the regressions in the 1.10.14 SRU informed (by comments in their bug reports) about the new SRU being verified.

Could someone from the release team initiate the process by removing 1.10.14 from -proposed? Thanks.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Great work, thank you very much!

It will need some testing, of which I can only test the reproducer in the initial description of this bug report, not any regressions of the first attempt of the upstream-update-based SRU, as I could not reproduce these by myself.

So I would say to take this as a new proposed SRU and also ask the reporters of the regressions whether this version does not cause them.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I have backported what was listed as the nm-1-10 fix for the bug in the upstream bugzilla [1]. I have also applied fixes for bug #1825946 and bug #1790098 to it.

[1] https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=1e486a721de1fec76c81bfc461671a7fbdae531b

After testing this build for some time (available at ppa:dgadomski/network-manager) I haven't found any problems.

@Till I'd appreciate you having a look at it. Thanks!

** Patch added: "bionic_network-manager_1.10.6-2ubuntu1.2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671/+attachment/5296236/+files/bionic_network-manager_1.10.6-2ubuntu1.2.debdiff
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Launchpad has imported 73 comments from the remote bug at https://bugzilla.gnome.org/show_bug.cgi?id=746422.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2015-03-18T22:30:03+00:00 Dcbw-y wrote:

If the VPN routes all traffic (eg, its ipv4.never-default=false) that usually indicates that the VPN's nameservers should be used instead of the parent interface's nameservers, since the parent interface's nameservers would be accessed over the VPN anyway (since it's routing all traffic).

But with dns=dnsmasq, the dnsmasq plugin always does split DNS regardless of the never-default value of the VPN's IPv4 config:

    /* Use split DNS for VPN configs */
    for (iter = (GSList *) vpn_configs; iter; iter = g_slist_next (iter)) {
        if (NM_IS_IP4_CONFIG (iter->data))
            add_ip4_config (conf, NM_IP4_CONFIG (iter->data), TRUE);
        else if (NM_IS_IP6_CONFIG (iter->data))
            add_ip6_config (conf, NM_IP6_CONFIG (iter->data), TRUE);
    }

Instead I think that each config should be added with split DNS only if ipv4.never-default=true for that config. That would ensure that when the VPN was routing all traffic, split DNS was not used, but when the VPN was not routing all traffic, split DNS was used.

If the user really does want to use the parent interface's nameservers even though they will be contacted over the VPN, they can either add custom dnsmasq options to /etc/NetworkManager/dnsmasq.d or enter them manually for the connection.

ISTR that the behavior I'm suggesting was always intended, but apparently we changed that behavior a long time ago and possibly didn't realize it?

Reply at: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671/comments/0

On 2015-03-19T11:15:43+00:00 Psimerda wrote:

In my opinion it is useful to use split DNS view in all cases and only use never-default setting to decide the global DNS.

Rationale: There is no such thing as sending all traffic across VPN, only default route traffic, i.e. traffic for which there's no specific route over a specific interface. As specific routes (as found in the routing table) are still used even with default route over VPN, I believe that specific zones (as found in per-connection lists of domains) should be maintained as well.

Reply at: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671/comments/1

On 2015-03-20T07:58:02+00:00 warthog9 wrote:

Pavel,

I'll admit to not 100% following what you've suggested, so please excuse me if I've horribly misunderstood.

I disagree with the assertion that "There is no such thing as sending all traffic across VPN". The parent interface's adapter will have a local route mainly so you can get to the gateway, as well as a route for the vpn endpoint you need to push traffic at; however, there are some mitigating circumstances that forcing split-dns, so that the DNS on the VPN is ONLY serving the search spaces pushed, is actually exactly the opposite of what a user likely wants and/or causes some rather broken behavior.

- VPNs can, and often do, have IP space overlap issues. So if the parent interface's network you are on happens to be in the 10.0.0.0/255.255.252.0 (gateway 10.0.0.1, DNS server 10.0.0.2 & 10.0.0.3) ip range, and the VPN uses 10.0.1.0/255.255.255.0, you can end up in some very screwed up situation. This is actually taken from a real world scenario (which is why I learned of the change to default to split DNS at all). If you are routing all traffic over the VPN you now have lost access to the two parent interface's DNS servers, and with split DNS you now have *NO* DNS access at all. As it currently stands the only way to fix this is to either manually edit /etc/resolv.conf or to restart NM without dnsmasq.

- DNS is not equal at all locations, which your assumption about split DNS I think assumes. DNS zones mean that something that resolves externally one way, may resolve completely differently (and potentially). example.com, to an external resolver may go to a coloed and public instance, while the same dns entry from an internal dns server may not. Assuming the VPN only pushes a search of internal.example.com, but doesn't push a search for example.com (making the assumption that people will just type it), the internal site is now unreachable. Keeping in mind I'm talking about VPNs, and those are typically used in more corporate environments where you are dealing with corporate IT departments.

- In a more casual environment, let's say a hotel, part of the reasons to use a VPN is because the
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15688
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I have worked out the problem with the new NetworkManager which required me to set ipv4.dns-priority=-1 (which, in turn, messes things up for those with fresh installs that don't get the new NetworkManager).

The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs but it doesn't also set ipv4.dns-priority=-1. This means that any DNS domain on a local network which isn't also explicitly matched by the VPN config, is considered "more specific" and gets used instead of the VPN. This is wrong; NetworkManager should also set ipv4.dns-priority=-1 for full-tunnel VPNs.

The reason this was consistently problematic for our users is that we have set up /etc/dhcp/dhclient.conf to *override* the domains given by the local network to include the root of our corporate AD domain "DOM.COMPANY.COM", because various non-FQDN hostnames in AD would otherwise cause problems.

This realisation does give me a way out of my current problem, until a newer version of NM correctly sets the priority automatically. Instead of manually configuring ipv4.dns-priority=-1 and breaking things for older NM, I can manually configure ipv4.dns-search=dom.company.com;company.com which works for everyone. And there *are* no other search domains which get leaked now, because our DHCP config doesn't let them get discovered.

(Deliberately ignoring RDNSS here because if you live in the 21st century and have IPv6, you still get to use that anyway even when you're on a full-tunnel Legacy IP VPN. Nobody tell the IT folks please.)
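The dns-priority behaviour described above, as an added example that is not part of this bug thread or of NetworkManager's code: a small Python model of split-DNS resolver selection (a simplification of the documented dns-priority and routing-domain rules, which is an assumption of this example), showing why a full-tunnel VPN that only gets ipv4.dns-search=~. still lets a DHCP-provided search domain win, and why ipv4.dns-priority=-1 stops that. The connection names, addresses and domains are constructed.

```python
"""Toy model of split-DNS resolver selection with NetworkManager-style
dns-priority and routing domains (added example, not NetworkManager code).

Assumed rules (simplified from the nm-settings documentation):
  * each connection contributes nameservers, routing/search domains and a
    dns-priority; lower values win, and a negative value excludes every
    connection with a larger priority value;
  * a query goes to the connection whose routing domain matches it most
    specifically; "~." is the catch-all that matches every name.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DnsConfig:
    name: str            # connection name (constructed for this example)
    servers: List[str]   # nameservers this connection provides
    domains: List[str]   # routing/search domains; "~." is the catch-all
    priority: int        # ipv4.dns-priority


def effective_configs(configs: List[DnsConfig]) -> List[DnsConfig]:
    """Apply dns-priority: if any config is negative, only the configs with
    the lowest value survive; otherwise all are kept, best priority first."""
    lowest = min(c.priority for c in configs)
    if lowest < 0:
        return [c for c in configs if c.priority == lowest]
    return sorted(configs, key=lambda c: c.priority)


def best_domain_match(query: str, domains: List[str]) -> Optional[str]:
    """Return the longest routing domain matching the query name, "" for the
    "~." catch-all, or None if nothing in this config matches."""
    name = query.rstrip(".").lower()
    best: Optional[str] = None
    for dom in domains:
        suffix = "" if dom == "~." else dom.lstrip("~").rstrip(".").lower()
        if suffix == "" or name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return best


def pick_resolver(query: str, configs: List[DnsConfig]) -> Optional[DnsConfig]:
    """Choose the connection that answers `query`: most specific domain wins,
    ties go to the config with the better (lower) priority."""
    chosen, chosen_len = None, -1
    for cfg in effective_configs(configs):
        match = best_domain_match(query, cfg.domains)
        if match is not None and len(match) > chosen_len:
            chosen, chosen_len = cfg, len(match)
    return chosen


def leaked_queries(queries: List[str], configs: List[DnsConfig],
                   vpn: str) -> List[str]:
    """Names that would NOT be sent to the full-tunnel VPN's resolver."""
    leaks = []
    for q in queries:
        resolver = pick_resolver(q, configs)
        if resolver is None or resolver.name != vpn:
            leaks.append(q)
    return leaks


# Constructed scenario: the local network pushes its own search domain via
# DHCP; the VPN pushes the corporate domain and "~." is added for full tunnel.
LOCAL = DnsConfig("wifi", ["192.0.2.53"], ["hotel.example"], priority=100)
VPN_DEFAULT_PRIO = DnsConfig("vpn", ["10.8.0.1"], ["corp.example", "~."],
                             priority=50)
VPN_NEG_PRIO = DnsConfig("vpn", ["10.8.0.1"], ["corp.example", "~."],
                         priority=-1)

LEAKY = [LOCAL, VPN_DEFAULT_PRIO]   # "~." only: local domain still wins
FIXED = [LOCAL, VPN_NEG_PRIO]       # plus ipv4.dns-priority=-1

QUERIES = ["intranet.corp.example", "www.other.example",
           "printer.hotel.example"]

if __name__ == "__main__":
    for label, cfgs in (("leaky", LEAKY), ("fixed", FIXED)):
        print(label, "leaks:", leaked_queries(QUERIES, cfgs, "vpn"))
```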
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Any word on when this CVE will be fixed? In the meantime I have put the 1.10.14-0ubuntu2 package into an apt repository at http://david.woodhou.se/cve-2018-1000135/ for users who need it. I couldn't work out how to copy it into a PPA without rebuilding it.

In the short term can someone please at least confirm that no new update will be shipped for Bionic which *doesn't* fix this, so that I don't have to play games with keeping a package in that repository "newer" than the latest in bionic-updates?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
> That's weird, do you understand why? The update was deleted so you should be
> back to initial situation, we had no change to the previous package build

Other package changes? Certainly systemd-resolver although we don't use that (because of a previous VPN DNS leak problem); we use dnsmasq.

My original thought was that it was the VPN config change that we'd made to cope with the new NM, but testing seems to show it isn't that.

Now we have a failure mode which some people had *occasionally* reported before, where even VPN lookups which *must* go to the VPN, for the company domain, are not. This was just occasional before; now it seems to happen all the time.

I haven't done a thorough investigation since just putting the updated NM back has been enough to fix it.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: network-manager (Ubuntu Xenial)
       Status: New => Confirmed
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
seb128, it seems that dwmw2 NEEDS this SRU; without it he does not get his environment working correctly, with the SRU he gets it at least working by setting the parameters he mentioned.

I asked the posters of the regressions whether they get their situation fixed when using this SRU, the systemd SRU and dwmw2's settings, but no one answered.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
> Then the NM update was pulled, and new installations aren't working at all, even if we don't set the DNS config as described.

That's weird, do you understand why? The update was deleted so you should be back to the initial situation; we had no change to the previous package build.

Also Till is still trying to understand what the regressions reported are about and what we should do about those.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Do we have any idea when this will be fixed?

Most of my users used to get away with the DNS leakage and it was "only" a security problem but stuff actually worked.

Then the NM and other updates were shipped, we set ipv4.dns-priority=-1 and ipv4.dns-search=~. and it all worked fine.

Then the NM update was pulled, and new installations aren't working at all, even if we don't set the DNS config as described.

There's nothing that works for us except "dig out the package that has now been unpublished, and install that".

An ETA for having this properly working again would be very much appreciated.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I have checked again on Bionic, making sure that the installed systemd actually comes from the bionic-proposed repository, that the behavior according to the test case shown in the initial description of this bug is correct: DNS queries of destinations in the VPN done through the VPN's DNS and DNS queries to public destinations being done through the public DNS. This works correctly and so the systemd update together with the network-manager update fixes the bug described here.

So I am marking this bug as verified in Bionic.

** Tags removed: verification-needed verification-needed-bionic verification-needed-cosmic
** Tags added: verification-done verification-done-bionic
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
This was fixed in systemd 237-3ubuntu10.22 for bionic, and 239-7ubuntu10.14 for cosmic. I missed a "#" in the changelog (sorry) so the tooling didn't automatically mark this bug as fix released.

** Changed in: systemd (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** Changed in: systemd (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

** Tags removed: ddstreet-next
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@ddstreet We don't use systemd-resolver here.

It's fairly trivial to set up a VPN service; the openconnect 'make check' uses ocserv automatically, for example. You shouldn't have difficulty reproducing this locally.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@dwmw2 and/or @till-kamppeter, can you verify the systemd upload for this bug for b and c?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
We are not going to do cosmic/n-m changes at this point, best to upgrade to Disco if you need that issue resolved

** Changed in: network-manager (Ubuntu Bionic)
     Assignee: Olivier Tilloy (osomon) => Till Kamppeter (till-kamppeter)

** Changed in: network-manager (Ubuntu Cosmic)
       Status: New => Won't Fix
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
bug #1831261 is also described as a potential side effect from this change
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
** Also affects: network-manager (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu Cosmic)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: systemd (Ubuntu Bionic)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: systemd (Ubuntu Cosmic)
   Importance: Undecided => High

** Changed in: systemd (Ubuntu Cosmic)
       Status: New => In Progress

** Changed in: systemd (Ubuntu Bionic)
       Status: Triaged => In Progress
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
> Is this going to be fixed in disco?

speaking for systemd only, the commit needed is a97a3b256cd6c56ab1d817440d3b8acb3272ee17:
https://github.com/systemd/systemd/commit/a97a3b256

that's included starting at v240, so is already in disco.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Uploaded patched systemd to b/c queues.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Is this going to be fixed in disco?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
** Tags added: ddstreet-next
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
systemd accepted to bionic/cosmic-proposed, please test

** Tags removed: verification-failed verification-failed-bionic
** Tags added: verification-needed verification-needed-bionic verification-needed-cosmic

** Changed in: systemd (Ubuntu Cosmic)
       Status: In Progress => Fix Committed

** Changed in: systemd (Ubuntu Bionic)
       Status: In Progress => Fix Committed
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
dwmw2, yes, exactly for this case.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
And (in case any of my colleagues are paying attention and inclined to do it before the next time I get to spend any real time in front of a computer, next week), without the dns-priority and dns-search settings that made it work again after the recent NM update.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Till, you want that for the case where dnsmasq is being used and is misbehaving?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Please create the following files (and directories if needed for them):

1. /etc/systemd/journald.d/noratelimit.conf containing

    RateLimitIntervalSec=0
    RateLimitBurst=0

2. /etc/NetworkManager/conf.d/debug.conf

    [logging]
    level=TRACE
    domains=ALL

Then restart journald:

    sudo systemctl restart systemd-journald

and NetworkManager:

    sudo systemctl restart network-manager

Then you get the full debug log of NetworkManager via

    journalctl -u NetworkManager

After all that, reboot and/or connect to your VPN and do

    journalctl -u NetworkManager > log.txt

and attach the log.txt file to this bug report. Do not compress the file and do not package it together with other files.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
dwmw2, the systemd fix was mainly meant for people with standard configuration where this fix is actually needed and solves the problem.

You are writing that adding "dns-priority=-1;dns-search=~." solves the problem for you. Where/to which file did you add this? Do you need this already with the original network-manager version of Bionic (1.10.6) or do you only need it after the update (1.10.14)?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Unfortunately, the SRU for systemd did not yet get processed. Therefore I have now uploaded this version of systemd to my PPA so that you can already test/get your problem solved. Please tell here whether it actually fixes the bug.

Here is my PPA:

https://launchpad.net/~till-kamppeter/+archive/ubuntu/ppa

Please follow this link, follow the instructions in the section "Adding this PPA to your system", then update your system with the command

sudo apt dist-upgrade

This will update only systemd as I did not upload any other package for Bionic to my PPA. Also make sure you have the update of network-manager (1.10.14-0ubuntu2) installed.

Reboot and check whether everything works correctly now.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
On the switch to using dnsmasq: that decision predates my tenure so I have limited visibility. I can try to get our IT team to expend effort in moving to systemd-resolved and see what breaks. It may even be completely unnecessary in xenial, and is merely inherited to make our bionic setups less different.

I completely agree with the general observation that they should be filing bugs upstream and not working around them. But if I tell them that, I suspect they're going to point at this security regression in Xenial that still isn't fixed 14 months later, and tell me that working around things locally is much more effective. Right now, I don't know that I can tell them they're wrong. Let's show them the process works, *then* I'll tell them they have to use it :)
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Dammit, "completely unnecessary in bionic but inherited from xenial"...
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
On the 1.10.14 regression simply making those dns-priority/dns-search settings the *default* behaviour for a full-tunnel VPN would appear to be the correct thing to do (i.e. use the DNS of a full-tunnel VPN for *all* lookups), and I think it should resolve the problems people were seeing.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Due to the SRU regressions reported in LP: #1829838 and LP: #1829566, I have reverted this SRU for the moment, restoring network-manager 1.10.6-2ubuntu1.1 to bionic-updates. I am marking this bug verification-failed pending resolution of the reported regressions.

** Changed in: network-manager (Ubuntu Bionic)
       Status: Fix Released => In Progress

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-failed verification-failed-bionic
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
> These systems are using dnsmasq not systemd-resolver.
> This was done for historical reasons; I'm not sure of
> the specific bug which caused that choice.

NetworkManager in Ubuntu 16.04 and earlier defaulted to integrating with dnsmasq. But on 18.04 and later, this integration has been deliberately replaced with integration with systemd-resolved. If you are overriding this default integration to force the use of dnsmasq instead of systemd-resolved, that is likely not a supportable configuration.

In contrast, any bug in the systemd-resolved integration in 18.04 that would force you to work around it by switching to dnsmasq is almost certainly an SRUable bug. If you can find the information about why you switched to dnsmasq, please report this as a bug against systemd (with 'ubuntu-bug systemd') and provide a link to the bug here.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
We aren't using systemd-resolver for various historical reasons; we are using dnsmasq which should be expected to work. It isn't, but we have manually added the dns-priority=-1;dns-search=~. settings which make it work, as an emergency deployment when the latest NM update broke things for everyone.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I am receiving reports that it isn't fixed in 18.04 either. Users are still seeing DNS lookups on the local network, until they manually edit the VPN config to include:

[ipv4]
dns-priority=-1
dns-search=~.;

I thought that wasn't going to be necessary?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
dwmw2, did you apply the systemd fix from comment #27? For this bug to be fixed you need BOTH the fixed packages of network-manager and systemd.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
These systems are using dnsmasq not systemd-resolver. This was done for historical reasons; I'm not sure of the specific bug which caused that choice.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
The original bug report was about a regression in 16.04 with the dnsmasq integration. While I'm glad this got the ball rolling on the bionic networkd integration, let's not forget that we broke xenial? Added a xenial task for network-manager accordingly.

** Also affects: network-manager (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu Xenial)
       Status: New => Invalid
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
This bug was fixed in the package network-manager - 1.10.14-0ubuntu2

---------------
network-manager (1.10.14-0ubuntu2) bionic; urgency=medium

  [ Till Kamppeter ]
  * debian/tests/nm: Add gi.require_version() calls for NetworkManager and NMClient to avoid stderr output which fails the test.

  [ Iain Lane ]
  * debian/tests/control: The nm tests need dnsmasq-base and isc-dhcp-client too.

network-manager (1.10.14-0ubuntu1) bionic; urgency=medium

  * New stable version (LP: #1809132), including:
    - Support private keys encrypted with AES-{192,256}-CBC in libnm (LP: #942856)
    - Fix leak of DNS queries to local name servers when connecting to a full-tunnel VPN (CVE-2018-1000135) (LP: #1754671)
  * Dropped patch applied upstream:
    - debian/patches/CVE-2018-15688.patch
    - debian/patches/e91f1a7d2a6b8400b6b331d5b72287dcb5164a39.patch
  * Refreshed patches:
    - debian/patches/Don-t-make-NetworkManager-D-Bus-activatable.patch
    - debian/patches/Force-online-state-with-unmanaged-devices.patch
    - debian/patches/Read-system-connections-from-run.patch
    - debian/patches/Update-dnsmasq-parameters.patch
    - debian/patches/libnm-register-empty-NMClient-and-NetworkManager-when-loa.patch

 -- Till Kamppeter  Fri, 10 May 2019 13:34:00 +0200

** Changed in: network-manager (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15688
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Will be releasing network-manager without the systemd part for now as it poses no threat to the user.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I have now done the test under [Test Case] in the initial description of this bug report.

I have a completely updated (including -proposed) Bionic machine (real iron, a Lenovo X1 Carbon 2nd gen from 2015) with network-manager 1.10.14-0ubuntu1. I have configured the Canonical VPN, both UK and US. I have turned on only the UK one. It is configured to be used only for the internal destinations on both IPv4 and IPv6. The system in this configuration I have rebooted to be sure that all processes including the kernel are using the newest software.

Then I have followed the instructions of the test case. When running "dig " I immediately get an answer with exit code 0 ("echo $?"), so the request was successful. When I look into the "tcpdump" terminals, the host name gets polled through both interfaces, but naturally the answer only comes from the DNS of the VPN.

So to my understanding the bug is not fixed as the private host name gets also sent to the public DNS.

"systemd-resolve --status" lists the VPN DNS first, as link 4, and afterwards the public DNS as link 3.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Good news, the network-manager SRU is not broken or wrong, but an additional SRU, on systemd, is needed to actually fix this bug.

I got a hint from Iain Lane (Laney, thank you very much) to the following fix in systemd upstream:

https://github.com/systemd/systemd/commit/a97a3b256

and backported it to Bionic's systemd package (debdiff attached).

With the network-manager SRU from -proposed attached plus the patched systemd package installed the problem goes away. If I repeat the test of [Test Case] (after a reboot) the DNS requests to any of the VPN's domains actually go only to the VPN's DNS.

** Patch added: "systemd_237-3ubuntu10.21_237-3ubuntu10.22.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671/+attachment/5262723/+files/systemd_237-3ubuntu10.21_237-3ubuntu10.22.debdiff

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu)
       Status: New => Fix Released

** Changed in: systemd (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: systemd (Ubuntu)
   Importance: Undecided => High

** Changed in: systemd (Ubuntu Bionic)
   Importance: Undecided => High
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
** Description changed:

- * Impact
+ [Impact]
+ When using a VPN the DNS requests might still be sent to a DNS server outside the VPN when they should not
- When using a VPN the DNS requests might still be sent to a DNS server
- outside the VPN when they should not
+ [Test case]
+ 1) Set up a VPN with split tunneling:
+ a) Configure VPN normally (set up remote host, any ports and options needed for the VPN to work)
+ b) Under the IPv4 tab: enable "Use this connection only for the resources on its network".
+ c) Under the IPv6 tab: enable "Use this connection only for the resources on its network".
- * Test case
+ 2) Connect to the VPN.
- Configure the system to send all the traffic to a VPN, do a name
- resolution, the request should not go to the public DNS server (to be
- checked by capturing the traffic, for example with wireshark)
+ 3) Run 'systemd-resolve --status'; note the DNS servers configured:
+ a) For the VPN; under a separate link (probably tun0), note down the IP of the DNS server(s). Also note the name of the interface (link).
+ b) For the "main" connection; under the link for your ethernet or wireless devices (wl*, en*, whatever it may be), note down the IP of the DNS server(s). Also note the name of the interface (link).
+
+ 4) In a separate terminal, run 'sudo tcpdump -ni
+ port 53'; let it run.
+
+ 5) In a separate terminal, run 'sudo tcpdump -ni
+ port 53'; let it run.
+
+ 6) In yet another terminal, issue name resolution requests using dig:
+ a) For a name known to be reachable via the public network:
+ 'dig www.yahoo.com'
+ b) For a name known to be reachable only via the VPN:
+ 'dig '
+
+ 7) Check the output of each terminal running tcpdump. When requesting
+ the public name, traffic can go through either. When requesting the
+ "private" name (behind the VPN), traffic should only be going through
+ the interface for the VPN. Additionally, ensure the IP receiving the
+ requests for the VPN name is indeed the IP address noted above for the
+ VPN's DNS server.
+
+ If you see no traffic showing in tcpdump output when requesting a name,
+ it may be because it is cached by systemd-resolved. Use a different name
+ you have not tried before.
- * Regression potential
-
- The code changes the handling of DNS servers when using a VPN, we should
- check that name resolution still works when using a VPN in different
- configurations
+ [Regression potential]
+ The code changes the handling of DNS servers when using a VPN, we should check that name resolution still works when using a VPN in different configurations
-
-
  In 16.04 the NetworkManager package used to carry this patch: http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch

  It fixed the DNS setup so that when I'm on the VPN, I am not sending unencrypted DNS queries to the (potentially hostile) local nameservers.

  This patch disappeared in an update. I think it was present in 1.2.2-0ubuntu0.16.04.4 but was dropped some time later.

  This security bug exists upstream too: https://bugzilla.gnome.org/show_bug.cgi?id=746422

  It's not a *regression* there though, as they didn't fix it yet (unfortunately!)
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@dwmw2, 'This was a regression there caused by an earlier update.' Would you give some details on that? You should probably open another report specifically about that if there was a regression in a xenial update.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Hm, that didn't last long. Now it isn't looking up *anything* in the VPN domains. It's all going to the local VPN server. I don't know what changed.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Not sure what happened there. It was looking up *some* names in the $COMPANY.com domain on the VPN, but others not, consistently. I couldn't see a pattern.

I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and now it does seem to be behaving.

However, this shouldn't be necessary. This VPN has non-split routing and shouldn't it have non-split DNS too, by default? I shouldn't have to change the configuration, just to get back to the secure behaviour which used to work.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@dwmw2, as far as I understand, you should be configuring DNS through systemd-resolve only. Try removing your edits from `/etc/NetworkManager/system-connections`, or even delete your connections from the NetworkManager interface and create new ones. After that, establish the VPN connection and look at `systemd-resolve --status`; you should get something like this:

```
Link 3 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: xx.xx.xx.xx
                      xx.xx.xx.xx
          DNS Domain: ~.

Link 2 (enp3s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1
          DNS Domain: local.domain
```

Where local.domain was received from the DHCP server in the local network. In that case you will send DNS requests in local.domain to the local DNS server, and all other DNS requests over VPN. That is expected behaviour.

If you get this, but you need to redirect DNS requests for some domain through another route (let's say, requests to local2.domain2, without VPN), you can do this with the following command: `systemd-resolve -i enp3s0 --set-domain=local2.domain2`
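The [Test case] from the bug description (tcpdump on the VPN and non-VPN interfaces, then check where queries for a VPN-only name went) and the systemd-resolve --status listing in the comment above, as an added example that is not code from the bug report or from the NetworkManager/systemd projects: a small checker that parses a status listing to find the VPN link's resolvers and its "~." routing domain, then parses per-interface tcpdump lines and flags private-name queries that left through the wrong interface or reached a non-VPN resolver. Interface names, addresses, domain names and capture lines are all constructed.

```python
"""Leak checker for this bug's [Test case]: parse 'systemd-resolve --status' and
per-interface tcpdump captures, then flag queries for VPN-only names that left
via a non-VPN interface or reached a non-VPN resolver.  Added example, not code
from the bug report; every sample value below is constructed."""
import re

LINK_RE = re.compile(r"^Link \d+ \((?P<iface>\S+)\)")
# Field lines start with a capitalised key; continuation values (extra servers
# or domains, lower-case IPv6 included) do not, so they get appended instead.
FIELD_RE = re.compile(r"^(?P<key>[A-Z][A-Za-z]+(?: [A-Za-z]+)*):\s*(?P<val>.*)$")
# 'tcpdump -n ... port 53' prints a UDP query like:
#   12:00:01.000001 IP 10.8.0.6.40001 > 10.8.0.1.53: 4321+ A? host.corp.example. (40)
QUERY_RE = re.compile(
    r" IP6? (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.53: \d+[+%$]*\s+(?:\[[^\]]*\]\s+)?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)"
)

def parse_resolve_status(text):
    """Return {iface: {field: [values]}} for every 'Link N (iface)' section."""
    links, fields, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINK_RE.match(line)
        if m:
            fields, key = links.setdefault(m["iface"], {}), None
            continue
        if fields is None:          # still inside the leading 'Global' section
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m["key"]
            fields[key] = [m["val"]] if m["val"] else []
        elif key is not None:       # continuation line for the previous field
            fields[key].append(line)
    return links

def is_full_tunnel_dns(links, vpn_iface):
    """True when the VPN link carries the '~.' routing domain (what dns-search=~.
    produces): names matching no other link's domain then go to the VPN resolver."""
    return "~." in links.get(vpn_iface, {}).get("DNS Domain", [])

def parse_queries(lines):
    """Yield (name, destination resolver, qtype) for each tcpdump query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["name"].rstrip(".").lower(), m["dst"], m["qtype"]

def in_domain(name, domain):
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def find_leaks(captures, links, vpn_iface, private_domains):
    """Step-7 check over captures = {iface: [tcpdump lines]}: a query under
    private_domains that did not leave vpn_iface towards one of that link's DNS
    servers is a leak.  Returns (leaks, number of private queries seen)."""
    vpn_dns = set(links.get(vpn_iface, {}).get("DNS Servers", []))
    leaks, n_private = [], 0
    for iface, lines in captures.items():
        for name, dst, _qtype in parse_queries(lines):
            if not any(in_domain(name, d) for d in private_domains):
                continue
            n_private += 1
            if iface != vpn_iface or dst not in vpn_dns:
                leaks.append((iface, name, dst))
    return leaks, n_private

def verdict(leaks, n_private):
    # No private query captured usually means systemd-resolved answered from
    # cache; the test case says to retry with a name not tried before.
    if n_private == 0:
        return "INCONCLUSIVE"
    return "LEAK" if leaks else "OK"

# Constructed sample data modelled on the listing above (made-up addresses).
SAMPLE_STATUS = """\
Link 4 (tun0)
         DNS Servers: 10.8.0.1
                      10.8.0.2
          DNS Domain: ~.
                      corp.example

Link 3 (wlp2s0)
         DNS Servers: 192.168.1.1
          DNS Domain: local.domain
"""
SAMPLE_CAPTURES = {
    "tun0": [
        "12:00:01.000001 IP 10.8.0.6.40001 > 10.8.0.1.53: 4321+ A? intranet.corp.example. (40)",
        "12:00:01.000900 IP 10.8.0.1.53 > 10.8.0.6.40001: 4321 1/0/0 A 10.20.0.5 (56)",
    ],
    "wlp2s0": [
        "12:00:00.500000 IP 192.168.1.20.50001 > 192.168.1.1.53: 1111+ A? www.yahoo.com. (31)",
        "12:00:01.000002 IP 192.168.1.20.50002 > 192.168.1.1.53: 4322+ [1au] AAAA? intranet.corp.example. (51)",
    ],
}
```

On a real machine, feed `systemd-resolve --status` output to `parse_resolve_status` and each `tcpdump -ni <iface> port 53` transcript to `find_leaks` keyed by interface; the sample data above reproduces the failure mode reported in this thread (the private name also queried on the LAN resolver).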
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here; thanks.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I can also confirm that the network-manager package version 1.10.14-0ubuntu1 from bionic-proposed fixes the issue.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@Steve (sorry for the late reply): not sure how that relates to bug #1726124, but in my limited understanding of the changes, they shouldn't regress the split-DNS use case.

Some relevant pointers to better understand the fixes and their context:
- https://bugzilla.gnome.org/show_bug.cgi?id=746422 (particularly comments 8 and 26)
- https://wiki.gnome.org/Projects/NetworkManager/DNS
- https://gitlab.freedesktop.org/NetworkManager/NetworkManager/blob/nm-1-10/NEWS
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Please test and share your feedback on this new version here, but refrain from changing the verification-needed-bionic tag for now. This new version includes many changes and we want to give it an extended testing period to ensure no regressions sneak in, before it is published to bionic-updates. Thanks!
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Hello dwmw2, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: network-manager (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-bionic