networkmanager sets DNS server configuration without proper dns-search/dns-priority, causing DNS requests to leak to the ISP (openconnect+split-tunnel+non-split DNS)

Bug #1909608 reported by Adam Majchrowicz
Affects: network-manager (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

The VPN server configuration is split tunneling (the default route is the local ISP) with a "global/primary/main" DNS pushed from the VPN (it is important to note that this is not split DNS).

REDACTED@REDACTED:~$ ip r
default via 192.168.1.1 dev wlo1 proto dhcp metric 600
10.0.0.0/24 dev vpn0 proto static scope link metric 50

The VPN (OpenConnect) provides its own DNS servers without a "DNS Domain". Connection syslog:

Dec 29 08:48:28 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.10
Dec 29 08:48:28 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.11
Dec 29 08:48:28 REDACTED NetworkManager[1038]: <info> Data: DNS Domain: '(none)'

All DNS requests should be routed through the VPN, yet the dns-priority and dns-search configuration prevents this:

Dec 29 20:30:38 REDACTED systemd-resolved[1017]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Dec 29 20:30:41 REDACTED systemd-resolved[1017]: message repeated 48 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]

I can confirm that changing dns-search to the wildcard ~. and dns-priority to -50 resolves the issue.

REDACTED@REDACTED:~$ nmcli c show vpn.example.com | grep ipv4.dns
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 50

REDACTED@REDACTED:~$ resolvectl status
Link 5 (vpn0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
Link 3 (wlo1)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8
                      8.8.4.4
          DNS Domain: ~.

REDACTED@REDACTED:~$ nmcli c modify vpn.example.com ipv4.dns-search ~.
REDACTED@REDACTED:~$ nmcli c modify vpn.example.com ipv4.dns-priority -50

REDACTED@REDACTED:~$ nmcli c show vpn.example.com | grep ipv4.dns
ipv4.dns: --
ipv4.dns-search: ~.
ipv4.dns-options: --
ipv4.dns-priority: -50

After a VPN restart the new settings work properly:

REDACTED@REDACTED:~$ resolvectl status
Link 5 (vpn0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.100.10
         DNS Servers: 192.168.100.10
                      192.168.100.11
          DNS Domain: ~.
Link 3 (wlo1)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

When OpenConnect receives "DNS Domain" (split DNS configuration) everything works as intended:

Dec 29 08:46:32 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.10
Dec 29 08:46:32 REDACTED NetworkManager[1038]: <info> Data: Internal DNS: 192.168.100.11
Dec 29 08:46:32 REDACTED NetworkManager[1038]: <info> Data: DNS Domain: 'example.com'

REDACTED@REDACTED  ~  resolvectl status
Link 6 (vpn0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.100.10
         DNS Servers: 192.168.100.10
                      192.168.100.11
          DNS Domain: example.com

An upstream merge request for this bug has already been accepted:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/bba1ab0f21b4114a6ae3d92c536e0803bcf9e4cd

Red Hat Bugzilla for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1863041

This leak may be related to:
https://ubuntu.com/security/CVE-2018-1000135

Bug/CVE found on:
lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04

apt-cache policy network-manager
network-manager:
  Installed: 1.22.10-1ubuntu2.2
  Candidate: 1.22.10-1ubuntu2.2
  Version table:
 *** 1.22.10-1ubuntu2.2 500
        500 http://pl.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.22.10-1ubuntu1 500
        500 http://pl.archive.ubuntu.com/ubuntu focal/main amd64 Packages

apt-cache policy network-manager-openconnect
network-manager-openconnect:
  Installed: 1.2.6-1
  Candidate: 1.2.6-1
  Version table:
 *** 1.2.6-1 500
        500 http://pl.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

Tags: focal
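A small check for this leak, added here and not part of the bug report or of NetworkManager: it parses resolvectl status text, reports which link owns the DNS default route (the condition the report's before/after output shows), and wraps the two nmcli settings from the report in a function. The vpn_dns_* function names are assumed, and the sample output is constructed from the report, not captured live.

```shell
# Added check for the leak in the report: after a split-tunnel VPN comes up the
# VPN link must own the DNS default route ("DefaultRoute setting: yes"), else
# queries go to the ISP resolver. Samples below are constructed from the report.

# Print the link name(s) whose "DefaultRoute setting" is yes, one per line.
dns_default_route_links() {          # $1 = text of `resolvectl status`
    printf '%s\n' "$1" | awk '
        /^Link [0-9]+ \(/ { link = $0
                             sub(/^Link [0-9]+ \(/, "", link)
                             sub(/\).*$/, "", link) }
        /DefaultRoute setting: yes/ { print link }'
}

# Return 0 when the VPN link carries the DNS default route, 1 otherwise.
vpn_dns_routed() {                   # $1 = resolvectl text, $2 = VPN link name
    dns_default_route_links "$1" | grep -qx "$2"
}

# The two settings from the report, for a real profile: vpn_dns_fix vpn.example.com
vpn_dns_fix() {
    nmcli c modify "$1" ipv4.dns-search '~.' &&
    nmcli c modify "$1" ipv4.dns-priority -50
}

# Constructed: before the fix, wlo1 (ISP) owns the DNS default route.
BEFORE='Link 5 (vpn0)
DefaultRoute setting: no
Link 3 (wlo1)
DefaultRoute setting: yes
  Current DNS Server: 8.8.8.8
          DNS Domain: ~.'

# Constructed: after dns-search ~. and dns-priority -50, vpn0 owns it.
AFTER='Link 5 (vpn0)
DefaultRoute setting: yes
  Current DNS Server: 192.168.100.10
          DNS Domain: ~.
Link 3 (wlo1)
DefaultRoute setting: no'

for sample in BEFORE AFTER; do
    eval "text=\$$sample"
    vpn_dns_routed "$text" vpn0 && echo "$sample: DNS default route on vpn0 (ok)" ||
        echo "$sample: DNS default route on $(dns_default_route_links "$text"), leaking to ISP"
done
```

On a live system, feed it the real output with vpn_dns_routed "$(resolvectl status)" vpn0 after the VPN connects, and apply vpn_dns_fix only if that check fails.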
Steve Beattie (sbeattie) wrote :

Hi Adam,

Marking public given the public bug reports elsewhere.

It looks like upstream addressed this in network-manager 1.28, which has not made it into Ubuntu yet.

information type: Private Security → Public Security
Changed in network-manager (Ubuntu):
status: New → Confirmed