NetworkManager

Bug #1624317
Comment #96

Comment 96 for bug 1624317

Revision history for this message

Jordi Miralles (jmiralles) wrote on 2017-09-13: Re: [Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS

#96

Hi! There is a fix submitted as a patch i. The thread I have been using for a while. Works flawlessly for me.
--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

13. Sep 2017 14:55 by <email address hidden>:

> Does anyone know if this happens to be fixed in 17.10? I have little
> hope that the fix is ever going to make into 17.04...
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1624317
>
> Title:
> systemd-resolved breaks VPN with split-horizon DNS
>
> Status in NetworkManager:
> Unknown
> Status in network-manager package in Ubuntu:
> Confirmed
> Status in network-manager source package in Zesty:
> Confirmed
> Status in network-manager source package in Artful:
> Confirmed
>
> Bug description:
> [Impact]
>
> * NetworkManager incorrectly handles dns-priority of the VPN-like
> connections, which leads to leaking DNS queries outside of the VPN
> into the general internet.
>
> * Upstream has resolved this issue in master and 1.8 to correctly
> configure any dns backends with negative dns-priority settings.
>
> [Test Case]
>
> #FIXME#
>
> * detailed instructions how to reproduce the bug
>
> * these should allow someone who is not familiar with the affected
> package to reproduce the bug and verify that the updated package fixes
> the problem.
>
> #FIXME#
>
> [Regression Potential]
>
> * If this issue is changed DNS resolution will change, for certain
> queries, to go via VPN rather than general internet. And therefore,
> one may get new/different results or even loose access to
> resolve/access certain parts of the interent depending on what the DNS
> server on VPN chooses to respond to.
>
> [Other Info]
>
> * Original bug report
>
> I use a VPN configured with network-manager-openconnect-gnome in which
> a split-horizon DNS setup assigns different addresses to some names
> inside the remote network than the addresses seen for those names from
> outside the remote network. However, systemd-resolved often decides
> to ignore the VPN’s DNS servers and use the local network’s DNS
> servers to resolve names (whether in the remote domain or not),
> breaking the split-horizon DNS.
>
> This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1151544
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/network-manager/+bug/1624317/+subscriptions

Hi! There is a fix submitted as a patch i. The thread I have been using for a while. Works flawlessly for me.
--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

13. Sep 2017 14:55 by 1624317@bugs.launchpad.net:

> Does anyone know if this happens to be fixed in 17.10?  I have little
> hope that the fix is ever going to make into 17.04...
>
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1624317
>
> Title:
>   systemd-resolved breaks VPN with split-horizon DNS
>
> Status in NetworkManager:
>   Unknown
> Status in network-manager package in Ubuntu:
>   Confirmed
> Status in network-manager source package in Zesty:
>   Confirmed
> Status in network-manager source package in Artful:
>   Confirmed
>
> Bug description:
>   [Impact]
>
>    * NetworkManager incorrectly handles dns-priority of the VPN-like
>   connections, which leads to leaking DNS queries outside of the VPN
>   into the general internet.
>
>    * Upstream has resolved this issue in master and 1.8 to correctly
>   configure any dns backends with negative dns-priority settings.
>
>   [Test Case]
>
>   #FIXME#
>
>    * detailed instructions how to reproduce the bug
>
>    * these should allow someone who is not familiar with the affected
>      package to reproduce the bug and verify that the updated package fixes
>      the problem.
>
>   #FIXME#
>
>   [Regression Potential]
>
>    * If this issue is changed DNS resolution will change, for certain
>   queries, to go via VPN rather than general internet. And therefore,
>   one may get new/different results or even loose access to
>   resolve/access certain parts of the interent depending on what the DNS
>   server on VPN chooses to respond to.
>
>   [Other Info]
>    
>    * Original bug report
>
>   I use a VPN configured with network-manager-openconnect-gnome in which
>   a split-horizon DNS setup assigns different addresses to some names
>   inside the remote network than the addresses seen for those names from
>   outside the remote network.  However, systemd-resolved often decides
>   to ignore the VPN’s DNS servers and use the local network’s DNS
>   servers to resolve names (whether in the remote domain or not),
>   breaking the split-horizon DNS.
>
>   This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
>   > https://bugzilla.redhat.com/show_bug.cgi?id=1151544
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/network-manager/+bug/1624317/+subscriptions