Public bug reported:

When using our company VPN, the Network Manager configured dnsmasq
ends up in a weird state where it's unable to answer queries because
it's (incorrectly) sending them to 127.0.0.1:53 where nothing is
listening.

| root@ornery:~# nmcli con show 'Canonical UK - All Traffic' | grep -i dns
| ipv4.dns:
| ipv4.dns-search:
| ipv4.dns-options:                       (default)
| ipv4.ignore-auto-dns:                   no
| ipv6.dns:
| ipv6.dns-search:
| ipv6.dns-options:                       (default)
| ipv6.ignore-auto-dns:                   no
| IP4.DNS[1]:                             10.172.192.1
| root@ornery:~# ps auxfwwwww | grep [4]035
| nobody    4035  0.0  0.0  52872  1620 ?        S    Jun29   6:39  \_ /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
| root@ornery:~# 

Querying the DNS server provided by the VPN connection works; querying
dnsmasq doesn't:

| root@ornery:~# dig +short @10.172.192.1 www.openbsd.org
| 129.128.5.194
| root@ornery:~# dig @127.0.1.1 www.openbsd.org
| 
| ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.1.1 www.openbsd.org
| ; (1 server found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6996
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
| 
| ;; QUESTION SECTION:
| ;www.openbsd.org.               IN      A
| 
| ;; Query time: 0 msec
| ;; SERVER: 127.0.1.1#53(127.0.1.1)
| ;; WHEN: Mon Jul 18 10:25:48 CEST 2016
| ;; MSG SIZE  rcvd: 33
| 
| root@ornery:~# 

While running 'dig @127.0.1.1 www.openbsd.org':

| root@ornery:~# tcpdump -i lo port 53 -v -n
| tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
| 10:26:04.728905 IP (tos 0x0, ttl 64, id 56577, offset 0, flags [none], proto UDP (17), length 72)
|     127.0.0.1.54917 > 127.0.1.1.53: 32273+ [1au] A? www.openbsd.org. (44)
| 10:26:04.729001 IP (tos 0x0, ttl 64, id 49204, offset 0, flags [DF], proto UDP (17), length 61)
|     127.0.1.1.53 > 127.0.0.1.54917: 32273 Refused$ 0/0/0 (33)

| root@ornery:~# netstat -anp | grep 127.0.[01].1:53
| tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      4035/dnsmasq
| udp        0      0 127.0.1.1:53            0.0.0.0:*                           4035/dnsmasq
| root@ornery:~# 

You can see below a) that dnsmasq thinks it is configured to use a DNS
server provided by the VPN, and/but that b) it tries to answer a non
local query like www.openbsd.org locally.

| root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
| Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
| Jul 18 09:29:22 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
| Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
| Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
| Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
| root@ornery:~# dig +short @127.0.1.1 www.openbsd.org
| root@ornery:~# kill -USR1 4035; tail /var/log/syslog | grep dnsmasq
| Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
| Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
| Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
| Jul 18 09:29:37 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
| Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
| Jul 18 09:29:37 ornery dnsmasq[4035]: queries for authoritative zones 0
| Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
| root@ornery:~# 

This is on Ubuntu 16.04, with the following packages:

| james@ornery:~$ COLUMNS=200 dpkg -l dnsmasq-base network-manager network-manager-openvpn | grep ^ii
| ii  dnsmasq-base                                 2.75-1ubuntu0.16.04.1       amd64                       Small caching DNS proxy and DHCP/TFTP server
| ii  network-manager                              1.2.0-0ubuntu0.16.04.2      amd64                       network management framework (daemon and userspace tools)
| ii  network-manager-openvpn                      1.1.93-1ubuntu1             amd64                       network management framework (OpenVPN plugin core)
| james@ornery:~$

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1603898

Title:
  DNS resolution fails when using VPN and routing all traffic over it

Status in network-manager package in Ubuntu:
  New
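
The counter comparison used in the report (a SIGUSR1 statistics dump before and after a single dig query) can be automated. This is an added example, not part of the original report or of dnsmasq or NetworkManager; the log lines are copied from the report with wrapped lines rejoined, and the function names are hypothetical.

```python
import re

# Log lines copied from the report above (wrapped lines rejoined).
SYSLOG = """\
Jul 18 09:29:22 ornery dnsmasq[4035]: time 1468830562
Jul 18 09:29:22 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Jul 18 09:29:22 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375041
Jul 18 09:29:22 ornery dnsmasq[4035]: queries for authoritative zones 0
Jul 18 09:29:22 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
Jul 18 09:29:37 ornery dnsmasq[4035]: time 1468830577
Jul 18 09:29:37 ornery dnsmasq[4035]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Jul 18 09:29:37 ornery dnsmasq[4035]: queries forwarded 1880976, queries answered locally 375042
Jul 18 09:29:37 ornery dnsmasq[4035]: queries for authoritative zones 0
Jul 18 09:29:37 ornery dnsmasq[4035]: server 10.172.192.1#53: queries sent 792, retried or failed 0
"""
MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
TOTALS = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)")
SERVER = re.compile(r"server (\S+): queries sent (\d+), retried or failed (\d+)")

def parse_dumps(text):
    """Return one dict per complete SIGUSR1 statistics dump found in syslog text."""
    dumps = []
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("time "):          # each dump opens with a "time <epoch>" line
            dumps.append({"time": int(msg.split()[1]), "servers": {}})
        elif dumps:                          # skip orphan lines cut off by `tail`
            cur = dumps[-1]
            if (t := TOTALS.match(msg)):
                cur["forwarded"], cur["local"] = int(t[1]), int(t[2])
            elif (s := SERVER.match(msg)):
                cur["servers"][s[1]] = (int(s[2]), int(s[3]))
    return [d for d in dumps if "forwarded" in d]   # drop truncated dumps

def classify(before, after):
    """Diff two dumps and say whether the queries in between left the host."""
    fwd = after["forwarded"] - before["forwarded"]
    loc = after["local"] - before["local"]
    sent = {s: n - before["servers"].get(s, (0, 0))[0]
            for s, (n, _) in after["servers"].items()}
    if fwd > 0 or any(sent.values()):
        verdict = "forwarded upstream"
    else:
        verdict = "answered locally, nothing sent upstream" if loc > 0 else "no queries seen"
    return {"forwarded": fwd, "local": loc, "sent": sent, "verdict": verdict}
```

On a host with other resolver traffic the deltas include unrelated queries, so take the two dumps as close together as possible around the test query.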

