NetworkManager

NetworkManager VPN should offer an option to use only VPN nameservers

Bug #666446 reported by Richard Laager on 2010-10-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	NetworkManager	Confirmed	Medium	gnome-bugs #656260
	network-manager (Ubuntu)	Triaged	Wishlist	Unassigned

Bug Description

Binary package hint: network-manager

If I configure a VPN in NetworkManger, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.

Here's the scenario:

My two office DNS servers support DNSSEC validation. My ISP at home does not.

When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name resolves, when it should fail.

If this were a real attack instead of a test scenario, it'd have security implications.

If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/NetworkManager/nm-crash-logger usr/lib/NetworkManager/nm-dhcp-client.action usr/lib/NetworkManager/nm-dispatcher.action usr/lib/NetworkManager/nm-avahi-autoipd.action]
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
SourcePackage: network-manager

See original description

Tags:

Revision history for this message

Richard Laager (rlaager) wrote on 2010-10-25:

Dependencies.txt Edit (6.6 KiB, text/plain; charset="utf-8")
Gconf.txt Edit (16.1 KiB, text/plain; charset="utf-8")
IfupdownConfig.txt Edit (171 bytes, text/plain; charset="utf-8")
IpAddr.txt Edit (1.5 KiB, text/plain; charset="utf-8")
IpRoute.txt Edit (650 bytes, text/plain; charset="utf-8")
IwConfig.txt Edit (660 bytes, text/plain; charset="utf-8")
NetDevice.br0.txt Edit (3.1 KiB, text/plain; charset="utf-8")
NetDevice.eth0.txt Edit (1.0 KiB, text/plain; charset="utf-8")
NetDevice.lo.txt Edit (3.1 KiB, text/plain; charset="utf-8")
NetDevice.pan0.txt Edit (3.1 KiB, text/plain; charset="utf-8")
NetDevice.ppp0.txt Edit (3.1 KiB, text/plain; charset="utf-8")
NetDevice.virbr0.txt Edit (3.1 KiB, text/plain; charset="utf-8")
NetDevice.wlan0.txt Edit (1.1 KiB, text/plain; charset="utf-8")
PciNetwork.txt Edit (1.2 KiB, text/plain; charset="utf-8")
RfKill.txt Edit (112 bytes, text/plain; charset="utf-8")
WifiSyslog.txt Edit (11.3 KiB, text/plain; charset="utf-8")
nm-system-settings.conf.txt Edit (313 bytes, text/plain; charset="utf-8")

description:

updated

Jamie Strandboge (jdstrand) on 2010-10-26

security vulnerability:	yes → no
visibility:	private → public

Revision history for this message

Mathieu Trudel-Lapierre (cyphermox) wrote on 2010-12-01:

I agree with the reasoning, however this is a feature request and should therefore probably be discussed upstream (as on the NetworkManager mailing list: http://mail.gnome.org/mailman/listinfo/networkmanager-list ). I'm marking this bug Triaged/Wishlist, so that if I have time (or somebody else does) to tackle this problem we can track progress.

Richard, if you have time it would also be great if you could (alternatively from mentioning this on the mailing list) open a bug to that regard on the NetworkManager bug tracker: https://bugzilla.gnome.org/browse.cgi?product=NetworkManager. It's another great way to let the NetworkManager developers know that this feature is requested. If you do, please let us know the bug number so that it can be linked to this report.

Thanks for your report!

Changed in network-manager (Ubuntu):
status:	New → Triaged
importance:	Undecided → Wishlist

Bug Watch Updater (bug-watch-updater) on 2011-01-10

Changed in network-manager:
importance:	Unknown → Medium
status:	Unknown → New

Thomas Hood (jdthood) on 2012-06-26

summary:

- NetworkManager VPN should (have an option to) replace DNS servers in
- /etc/resolv.conf
+ NetworkManager VPN should offer an option to use *only* VPN nameservers

Bug Watch Updater (bug-watch-updater) on 2012-07-28

Changed in network-manager:
status:	New → Invalid

Revision history for this message

Thomas Hood (jdthood) wrote on 2012-08-07:

Change upstream bug report URL

Changed in network-manager:
importance:	Medium → Unknown
status:	Invalid → Unknown

Bug Watch Updater (bug-watch-updater) on 2012-08-07

Changed in network-manager:
importance:	Unknown → Medium
status:	Unknown → Confirmed

Revision history for this message

dwmw2 (dwmw2) wrote on 2018-03-09:

I don't think this should be considered a 'feature request'. If you have a full-tunnel VPN, your employer will *expect* all your network traffic to go via the VPN as if you were dialled directly into the corporate network. Allowing some of the DNS traffic to "escape" to be seen by potentially malicious local DNS servers is utterly wrong.

In particular I don't agree this is a 'feature request' for 16.04 because it *used* to work there.
You fixed it once with this patch:
http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch