Comment 96 for bug 1624317

Jordi Miralles (jmiralles) wrote : Re: [Bug 1624317] Re: systemd-resolved breaks VPN with split-horizon DNS

Hi! There is a fix submitted as a patch in the thread. I have been using it for a while. Works flawlessly for me.

13. Sep 2017 14:55 by <email address hidden>:

> Does anyone know if this happens to be fixed in 17.10? I have little
> hope that the fix is ever going to make it into 17.04...
>
> Title:
> systemd-resolved breaks VPN with split-horizon DNS
>
> Status in NetworkManager:
> Unknown
> Status in network-manager package in Ubuntu:
> Confirmed
> Status in network-manager source package in Zesty:
> Confirmed
> Status in network-manager source package in Artful:
> Confirmed
>
> Bug description:
> [Impact]
>
> * NetworkManager incorrectly handles dns-priority of the VPN-like
> connections, which leads to leaking DNS queries outside of the VPN
> into the general internet.
>
> * Upstream has resolved this issue in master and 1.8 to correctly
> configure any dns backends with negative dns-priority settings.
>
> [Test Case]
>
> #FIXME#
>
> * detailed instructions how to reproduce the bug
>
> * these should allow someone who is not familiar with the affected
> package to reproduce the bug and verify that the updated package fixes
> the problem.
>
> #FIXME#
>
> [Regression Potential]
>
> * If this issue is changed DNS resolution will change, for certain
> queries, to go via VPN rather than general internet. And therefore,
> one may get new/different results or even lose access to
> resolve/access certain parts of the internet depending on what the DNS
> server on VPN chooses to respond to.
>
> [Other Info]
>
> * Original bug report
>
> I use a VPN configured with network-manager-openconnect-gnome in which
> a split-horizon DNS setup assigns different addresses to some names
> inside the remote network than the addresses seen for those names from
> outside the remote network. However, systemd-resolved often decides
> to ignore the VPN’s DNS servers and use the local network’s DNS
> servers to resolve names (whether in the remote domain or not),
> breaking the split-horizon DNS.
>
> This related bug, reported by Lennart Poettering himself, was closed with the current Fedora release at the time reaching EOL:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1151544