Ubuntu 16.04 VPN : DNS information leaking through dnsmasq

Bug #1704288 reported by Emmanuel Dupont
Affects           Status     Importance  Assigned to  Milestone
dnsmasq (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

Hi,
After connecting the VPN

# killall -USR1 dnsmasq

# tail syslog.log
...
Jul 13 02:18:56 tp dnsmasq[1476]: time 1499905136
Jul 13 02:18:56 tp dnsmasq[1476]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Jul 13 02:18:56 tp dnsmasq[1476]: queries forwarded 154, queries answered locally 1
Jul 13 02:18:56 tp dnsmasq[1476]: queries for authoritative zones 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.1#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.2#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 192.168.0.254#53: queries sent 12, retried or failed 0

The first two name servers are provided by the VPN connection.
The last one, 192.168.0.254, is running on my local router and forwards requests to my ISP (this is the default name server when the VPN is not activated).

When I query the DNS, queries are sent to each name server, which leaks DNS information to my ISP.

I validated that by means of tcpdump on the eth and tun interfaces and also by using this site: https://www.dnsleaktest.com/

I tried to force the VPN DNS server IPs in the VPN configuration (edit VPN connection -> IPv4 -> Automatic (Addresses only) ...) but the result is the same.

dnsmasq must not have the local DNS present while VPN connection is established.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1704288/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
tags: added: xenial
affects: ubuntu → dnsmasq (Ubuntu)
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

What kind of vpn are you using, is it openvpn? How did you establish it, was it via the network-manager plugin? Or do you manually bring up an openvpn client? If it's some other vpn, could you clarify how it is used please?

Thanks

Changed in dnsmasq (Ubuntu):
status: New → Incomplete
Revision history for this message
Emmanuel Dupont (mahn) wrote :

Hi,
I am using NetworkManager's openvpn plugin.
I think that perhaps dnsmasq is receiving information from both VPN and LAN.
Perhaps networkmanager should set the dnsmasq to listen only to the VPN "tun" interface and restart or reload dnsmasq after the VPN is established.

Revision history for this message
bedfojo (bedfojo) wrote :

I can confirm this bug on an up to date 16.04.02 Ubuntu MATE in a virtual machine.

This is a regression as the problem only surfaced within the last 2-3 weeks: it was working correctly before.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Do you have your vpn configuration in network-manager so that all traffic should go through it, or do you have "Use this connection only for resources on its network" checked? That's in ipv4-settings->routes, same under ipv6-settings.

Also, I assume your /etc/resolv.conf, *after* connecting to the vpn, still has only one "nameserver" entry and pointing at 127.0.1.1?

Revision history for this message
Emmanuel Dupont (mahn) wrote :

The option you mentioned is not set.
First default gw in the routing table is through the vpn.

Only 127.0.1.1 after connecting the VPN.

Revision history for this message
Emmanuel Dupont (mahn) wrote :

Sorry I posted too fast the last sentence was unclear:
...
Only the 127.0.1.1 nameserver is set in resolv.conf after connecting the VPN.

Revision history for this message
Emmanuel Dupont (mahn) wrote :

Hi,
Here are the openvpn, network-manager and dnsmasq versions I use.

============
ii dnsmasq-base 2.75-1ubuntu0.16.04.2 amd64 Small caching DNS proxy and DHCP/TFTP server
ii libnm-glib-vpn1:amd64 1.2.6-0ubuntu0.16.04.1 amd64 network management framework (GLib VPN shared library)
ii libnm0:amd64 1.2.6-0ubuntu0.16.04.1 amd64 GObject-based client library for NetworkManager
ii libproxy1-plugin-networkmanager:amd64 0.4.11-5ubuntu1 amd64 automatic proxy configuration management library (Network Manager plugin)
ii network-manager-openvpn 1.1.93-1ubuntu1.1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.1.93-1ubuntu1.1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii openvpn 2.3.10-1ubuntu2.1 amd64 virtual private network daemon
===========

Revision history for this message
Emmanuel Dupont (mahn) wrote :

Ubuntu 16.04.3 LTS, packages updated today, problem is still present

Changed in dnsmasq (Ubuntu):
status: Incomplete → New
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

If you downgrade network-manager (and its dependent packages) back to 1.2.2-0ubuntu0.16.04.4, does it fix the problem? Now you have 1.2.6-0ubuntu0.16.04.1, correct?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm checking if this bug could be a duplicate of https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1671606

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I did some tests, and can confirm that with n-m 1.2.6-0ubuntu0.16.04.1 my local DNS (sent via dhcp to the machine) is also added to the DNS server list when the VPN is established:
Aug 31 20:36:32 31-64 dnsmasq[1118]: setting upstream servers from DBus
Aug 31 20:36:32 31-64 dnsmasq[1118]: using nameserver 10.0.5.5#53(via ens3)
Aug 31 20:36:32 31-64 dnsmasq[1118]: using nameserver 10.172.64.1#53 for domain private
Aug 31 20:36:32 31-64 dnsmasq[1118]: using nameserver 10.172.64.1#53 for domain internal
(...)

The line about using the 10.0.5.5 nameserver does not appear in the logs when using n-m 1.2.2.

As far as I can see, there are two other bugs filed about this:
bug #1671606 DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6-0ubuntu0.16.04.1
bug #1688018 DNS server from vpn connection is not being used after network-manager upgrade to 1.2.6
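
As an added example (not from the bug report, dnsmasq or NetworkManager), the following Python script parses the two kinds of dnsmasq syslog lines quoted in this thread, the DBus "using nameserver" lines in the comment above and the SIGUSR1 statistics dump from the original report, and flags every upstream that is not one of the VPN-provided servers together with the number of queries dnsmasq actually forwarded to it. The combined sample log and the interface name eth0 are constructed for the example.

```python
"""Flag VPN DNS leakage in dnsmasq syslog lines (added example).

Parses the 'using nameserver A.B.C.D#53(via ifname)' lines dnsmasq logs
when NetworkManager pushes upstreams over DBus, and the 'server A.B.C.D#53:
queries sent N, ...' lines of the statistics dump that SIGUSR1 triggers.
"""
import re

USING_RE = re.compile(r"using nameserver (\S+?)#\d+(?:\(via (\S+)\))?")
STATS_RE = re.compile(r"server (\S+?)#\d+: queries sent (\d+), retried or failed \d+")


def parse_dnsmasq_log(lines):
    """Return (configured, sent): configured maps server -> interface (or
    None when dnsmasq did not log one); sent maps server -> queries forwarded."""
    configured, sent = {}, {}
    for line in lines:
        m = USING_RE.search(line)
        if m:
            configured[m.group(1)] = m.group(2)
            continue
        m = STATS_RE.search(line)
        if m:
            sent[m.group(1)] = sent.get(m.group(1), 0) + int(m.group(2))
    return configured, sent


def find_leaks(lines, vpn_servers):
    """Map every upstream that is not VPN-provided to the number of queries
    dnsmasq forwarded to it; a non-zero count is a confirmed leak."""
    configured, sent = parse_dnsmasq_log(lines)
    return {s: sent.get(s, 0)
            for s in set(configured) | set(sent) if s not in vpn_servers}


# Constructed sample: the SIGUSR1 stats lines quoted in the report, preceded
# by DBus 'using nameserver' lines in the style of the comment above (eth0 is made up).
SAMPLE_LOG = """\
Jul 13 02:18:56 tp dnsmasq[1476]: setting upstream servers from DBus
Jul 13 02:18:56 tp dnsmasq[1476]: using nameserver 198.18.0.1#53
Jul 13 02:18:56 tp dnsmasq[1476]: using nameserver 198.18.0.2#53
Jul 13 02:18:56 tp dnsmasq[1476]: using nameserver 192.168.0.254#53(via eth0)
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.1#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.2#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 192.168.0.254#53: queries sent 12, retried or failed 0
""".splitlines()
VPN_SERVERS = {"198.18.0.1", "198.18.0.2"}  # pushed by the VPN, per the report

if __name__ == "__main__":
    for server, n in find_leaks(SAMPLE_LOG, VPN_SERVERS).items():
        print(f"LEAK: {server} is not a VPN server; {n} queries forwarded to it")
```

Running it against a real /var/log/syslog after `killall -USR1 dnsmasq` shows whether the LAN resolver merely sits in the upstream list or is actually receiving queries while the tunnel is up.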

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dnsmasq (Ubuntu):
status: New → Confirmed