update-resolv-conf/resolvconf dns leaks from ISP
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Linux Mint | New | Undecided | Unassigned | |
openresolv (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
I'm running Mint 15 Cinnamon and after using update-resolv-conf with OpenVPN from the command line and testing the DNS I noticed the DNS from the ISP are still being queried and leaking through.
This is an example of my openvpn.conf
-------
client
dev tun
proto udp
route-delay 10
comp-lzo no
tls-auth ta.key 1
sndbuf 131072
rcvbuf 131072
script-security 2
cipher AES-128-CBC
tls-cipher DHE-RSA-AES128-SHA
# Server List
remote 12.2.64.14 443
#remote 11.4.21.40 443
remote-random
resolv-retry 10
nobind
persist-key
#persist-tun
keepalive 3 10
ns-cert-type server
# Set log file verbosity & log path
#log /var/log/openvpn
verb 1
# Silence repeating messages
mute 20
#Push DNS from the server
up /etc/openvpn/
down /etc/openvpn/
#User Info
ca /etc/openvpn/
cert /etc/openvpn/
key /etc/openvpn/
tls-auth /etc/openvpn/
-------
Inside as an example for /etc/resolv.conf it still shows like below for pulling in my dns;
search mydomain.com
Therefore because of the above example that appears in resolv.conf your DNS from your ISP are leaking by and still being used.
Considering OpenVPN, I thought the point of the update-resolv-conf was to push the DNS from the VPN server to the client so that you only use these DNS, and prevent the DNS from the ISP from being used. After all, this should be the reason why you use this script, but this does not work.
The only way I see this can work properly is the line in /etc/resolv.conf needs to be commented out or removed;
#search mydomain.com
One of the best places I've found online you can test this at is 'GRC DNS Nameserver Spoofability Test'
https:/
When you run the GRC test you will see it does query and find your ISP DNS.
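A local check for the situation reported above, as an added example that is not part of the original report or of update-resolv-conf: it compares the `nameserver` entries of a resolv.conf with the DNS servers OpenVPN hands to the up script in `foreign_option_N`. The function names and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, addresses and the VPN domain are constructed.

# Collect the DNS servers pushed by the VPN server. OpenVPN exports each
# pushed option to the up script as foreign_option_1, foreign_option_2, ...
# for example: foreign_option_1='dhcp-option DNS 10.8.0.1'
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Read resolv.conf-style text on stdin and print every nameserver that is
# not in the allowed list given as arguments. Returns 1 if any was printed.
unexpected_nameservers() {
    allowed=" $* "
    leaked=0
    while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        case "$allowed" in
            *" $value "*) ;;                 # resolver was pushed by the VPN
            *) echo "$value"; leaked=1 ;;    # resolver from somewhere else
        esac
    done
    return "$leaked"
}

# Constructed sample: options as an up script would see them, and a
# resolv.conf that still carries a non-VPN resolver after the script ran.
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN vpn.example'
sample='search mydomain.com
nameserver 192.0.2.53
nameserver 10.8.0.1'

if extra=$(printf '%s\n' "$sample" | unexpected_nameservers $(pushed_dns)); then
    echo "only VPN-pushed resolvers are configured"
else
    echo "resolvers not pushed by the VPN: $extra"
fi
```

With the tunnel up, feed the function `/etc/resolv.conf` on stdin and pass the resolvers your VPN pushes as arguments; any address it prints is a resolver the system can still query outside that set.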
description: updated
summary:
- update-resolv-conf causes dns leaks from ISP
+ update-resolv-conf/resolvconf dns leaks from ISP
affects: resolvconf (Ubuntu) → openresolv (Ubuntu)
Changed in openresolv (Ubuntu):
status: New → Fix Released
Hi,
I talked to the upstream and this bug was fixed in version 3.7.0, which is
in Debian testing right now.
I did the upload.
regards,
Herbert