*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
Hi there! I'm running Ubuntu 22.04.1 LTS installed via the ISO image ubuntu-22.04.1-desktop-amd64.iso. This issue affects both the Live CD and the installed operating system.

I have configured my modem's DHCP server to push my AdGuard Home DNS server (cloud-hosted) as the DNS for the network. I have an access point that is set up to do the same. With the Live CD and installed operating system, there is a local DNS server installed that runs on 127.0.0.1:53. Somehow this bypasses the DNS servers I've configured for the network and suddenly websites that have been blocked for being malicious or harmful are now accessible.

There is no option in the installer or GUI to disable this. Changing the network DNS settings via the GUI of either the Live CD or the installation does not change the behavior and does not result in the specified DNS server(s) being used. The 127.0.0.1:53 server still overrides anything set in the GUI.

The only way I have found to override this behavior is to edit /etc/systemd/resolved.conf:

1) uncomment DNSStubListener=yes
2) change yes to no
3) save file
4) run the following commands in terminal:

sudo systemctl daemon-reload
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-resolved

After doing so, the DNS servers that have been provided by DHCP are properly used.

This is considered a security vulnerability due to there being no way for a normal user to change this setting without editing system configuration files, and no warning given to the user that the settings they are applying in the GUI have not been applied due to this default configuration. This is considered a hack if this is the intentional configuration, as it overrides network configuration options set by the DHCP server.

I've resolved it for myself for now by making a custom ISO image that removes this configuration by default and instead installs the /etc/systemd/resolved.conf file attached to this bug report.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: systemd 249.11-0ubuntu3.4
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Sun Aug 28 21:18:35 2022
InstallationDate: Installed on 2022-08-29 (0 days ago)
InstallationMedia: Ubuntu 22.04.1 2022.08.28 LTS "Custom Jammy Jellyfish" (20220828)
MachineType: Micro-Star International Co., Ltd. GS75 Stealth 9SG
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-46-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7
SourcePackage: systemd
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 03/26/2019
dmi.bios.release: 1.12
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: E17G1IMS.10C
dmi.board.asset.tag: Default string
dmi.board.name: MS-17G1
dmi.board.vendor: Micro-Star International Co., Ltd.
dmi.board.version: REV:1.0
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: Micro-Star International Co., Ltd.
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrE17G1IMS.10C:bd03/26/2019:br1.12:svnMicro-StarInternationalCo.,Ltd.:pnGS75Stealth9SG:pvrREV1.0:rvnMicro-StarInternationalCo.,Ltd.:rnMS-17G1:rvrREV1.0:cvnMicro-StarInternationalCo.,Ltd.:ct10:cvrN/A:sku17G1.1:
dmi.product.family: GS
dmi.product.name: GS75 Stealth 9SG
dmi.product.sku: 17G1.1
dmi.product.version: REV:1.0
dmi.sys.vendor: Micro-Star International Co., Ltd.
mtime.conffile..etc.systemd.resolved.conf: 2022-08-28T19:29:41

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy

--
systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI
https://bugs.launchpad.net/bugs/1988010
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
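The check a practitioner would want before acting on a report like the one above, as an added example that is not part of the bug report and not code from systemd: a POSIX shell script that reads the effective DNSStubListener value from resolved.conf and any drop-ins (a commented-out or absent key means systemd's default of yes) and lists the upstream servers systemd-resolved actually forwards to, parsed from the text `resolvectl status` prints. Note that resolved's stub listener binds 127.0.0.53:53 rather than 127.0.0.1; queries sent to it are forwarded to the per-link servers shown under "DNS Servers:", so comparing that list against the resolver DHCP was expected to push is what tells you whether filtering is being bypassed. The sample resolved.conf and status text are constructed, the 203.0.113.10 address is a documentation-range placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd.
# Audit which upstream DNS servers systemd-resolved forwards to and whether
# the local stub listener (127.0.0.53:53 by default) is enabled.

# Effective DNSStubListener value from resolved.conf plus any drop-ins passed
# as further arguments (later files override earlier ones, as systemd applies
# them). A commented-out or absent key means systemd's default: yes.
stub_listener_setting() {
    val=$(cat "$@" 2>/dev/null \
          | grep -E '^[[:space:]]*DNSStubListener=' \
          | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ -n "$val" ] && echo "$val" || echo yes
}

# Upstream servers from `resolvectl status` text on stdin: every "DNS Servers:"
# entry (global and per-link), including wrapped continuation lines, printed
# one per line with duplicates removed. A new "key:" line or a blank line ends
# the list; IPv6 addresses start with a digit or hex pair, so they never look
# like a key.
upstream_servers() {
    awk '
        /^[[:space:]]*DNS Servers:/ {
            sub(/^[[:space:]]*DNS Servers:[[:space:]]*/, ""); print; inlist = 1; next
        }
        inlist && (NF == 0 || /^(Global|Link)/ || /^[[:space:]]*[A-Za-z.][A-Za-z. ]*:/) {
            inlist = 0
        }
        inlist { print }
    ' | tr ' ' '\n' | awk 'NF && !seen[$0]++'
}

# Usage: audit_dns STATUS_FILE RESOLVED_CONF [DROP_IN...]
# Exit status 0 when at least one upstream server is configured; 1 when none
# is, which means queries sent to the stub cannot leave this host at all.
audit_dns() {
    status_file="$1"; shift
    echo "DNSStubListener=$(stub_listener_setting "$@")"
    servers=$(upstream_servers < "$status_file")
    if [ -z "$servers" ]; then
        echo "no upstream DNS servers configured"
        return 1
    fi
    echo "upstream DNS servers (compare with the resolver DHCP should have pushed):"
    echo "$servers" | sed 's/^/  /'
}

# Constructed sample input, laid out the way resolvectl prints it; not
# captured from the reporter's machine.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolved.conf" <<'EOF'
[Resolve]
#DNS=
#DNSStubListener=yes
EOF
cat > "$SAMPLE_DIR/status.txt" <<'EOF'
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlp0s20f3)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 203.0.113.10
        DNS Domain: lan
EOF

if [ "${1:-}" = "--live" ]; then
    # Audit the running host instead of the sample (assumes resolvectl exists).
    resolvectl status > "$SAMPLE_DIR/live.txt" 2>/dev/null
    audit_dns "$SAMPLE_DIR/live.txt" /etc/systemd/resolved.conf \
              /etc/systemd/resolved.conf.d/*.conf
else
    audit_dns "$SAMPLE_DIR/status.txt" "$SAMPLE_DIR/resolved.conf"
fi
```

Run it with no arguments to see the parse on the sample, or with `--live` on an Ubuntu host to read the real resolved.conf, its drop-ins and the current `resolvectl status`. Reading drop-ins matters because a `DNSStubListener=no` in /etc/systemd/resolved.conf.d/ silently overrides the main file, which a check of the single file would miss.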