Comment 39 for bug 1639776

Lukas Dzunko (lukas-d) wrote :

Hello Paul. DNS leak means that DNS queries still hit the local DNS server while the VPN connection is active. The DNS resolver should query only the DNS servers defined by the VPN while the connection is active.

I did the following test:

- upgraded network-manager to 1.2.6-0ubuntu0.16.04.1 (dnsmasq-base=2.75-1ubuntu0.16.04.2)
- restarted my laptop to ensure a clean start
- connected to VPN using openconnect / network-manager-openconnect-gnome

Observed results -> DNS queries are forwarded only to DNS servers defined by the LAN connection (this is wrong / connection not working at all)

- "killall dnsmasq"
- dnsmasq gets automatically restarted by the system

Observed results -> most of the queries are forwarded to DNS servers defined by the VPN, but a lot of queries get forwarded to DNS servers defined by the LAN connection (this is still wrong / DNS leaks; an attacker can hijack the connection even if the VPN is enabled)

- I downgraded network-manager back to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base stayed the same)
- restarted my laptop to ensure a clean test
- connected to the same VPN using openconnect

Observed results -> DNS queries are forwarded only to DNS servers defined by the VPN connection. There are no leaks to the LAN DNS server (this is the correct behavior).

==============

DNS leaks are bad for several reasons. The most important ones are that they provide visibility of host names to a possibly untrusted network and give the ability to hijack connections. When I connect to a VPN server I expect that all traffic hits only that particular VPN server / gateway. If there is a query for "secure-company-server.example.com" and this hits the DNS on the LAN then we are instantly leaking secured names. If the LAN DNS server responds to this (or the response is spoofed) then the connection will be made outside of the VPN environment. This effectively kills the security of the VPN connection ...

==============

FYI: I am currently in an environment where DHCP sets DNS servers but policy denies connections to them (don't ask why). Therefore it is much more visible if queries get forwarded to the LAN DNS server, just because they never get a response ... this may be the reason why some of the folks here claim that the fix is working. If the LAN DNS server responds with something then there is no visibility of the problem ...

==============

FYI2: all tests for this update were monitored with Wireshark. ... just so this is not confused with the previous "FYI" comment

==============

Lukas
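The test Lukas describes (watch the DNS traffic in Wireshark while the VPN is up and see which resolver each query went to) can be automated against a one-line-per-packet DNS summary. The script below is an added example, not code from the bug reporter or from NetworkManager/dnsmasq: it parses constructed lines in the shape of `tshark` DNS summary output, classifies each outbound query by the resolver address it was sent to, and, following the "FYI" point above, records whether a leaked query was actually answered by the LAN resolver (an unanswered leak is visible as a failing lookup; an answered one is silent). The resolver addresses, the capture lines and the function names are all assumptions made up for the example.

```python
"""DNS leak check over a DNS packet summary, as an added example.

All data here is constructed: the resolver addresses use RFC 1918 / RFC 5737
ranges and CAPTURE imitates `tshark -Y dns` one-line summaries. Function
names are hypothetical, not from any real tool.
"""
import re
from collections import Counter

VPN_DNS = {"10.8.0.1", "10.8.0.2"}   # hypothetical resolvers pushed by the VPN
LAN_DNS = {"192.0.2.53"}             # hypothetical resolver pushed by LAN DHCP

# Constructed packet summary: frame, time, src -> dst, proto, len, info.
CAPTURE = """\
1 0.000 192.0.2.20 -> 10.8.0.1 DNS 84 Standard query 0x1a2b A intranet.example.com
2 0.004 192.0.2.20 -> 10.8.0.1 DNS 90 Standard query 0x1a2c AAAA intranet.example.com
3 0.120 192.0.2.20 -> 192.0.2.53 DNS 95 Standard query 0x1a2d A secure-company-server.example.com
4 0.130 192.0.2.20 -> 10.8.0.2 DNS 80 Standard query 0x1a2e A mail.example.com
5 0.400 192.0.2.20 -> 192.0.2.53 DNS 80 Standard query 0x1a2f A mail.example.com
6 0.401 10.8.0.1 -> 192.0.2.20 DNS 100 Standard query response 0x1a2b A intranet.example.com A 10.20.0.5
7 0.410 192.0.2.53 -> 192.0.2.20 DNS 96 Standard query response 0x1a2f A mail.example.com A 203.0.113.25
"""

# Matches both queries and responses; "resp" is set only on response lines.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+DNS\s+\d+\s+"
    r"Standard query(?P<resp>\s+response)?\s+(?P<txid>0x[0-9a-f]+)\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<name>\S+)"
)


def parse_capture(text):
    """Split summary lines into outbound queries and a txid -> responder map."""
    queries, responses = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-DNS or unparseable line
        if m.group("resp"):
            responses[m.group("txid")] = m.group("src")
        else:
            queries.append((m.group("txid"), m.group("dst"),
                            m.group("qtype"), m.group("name")))
    return queries, responses


def check_leaks(text, vpn_dns, lan_dns):
    """Report every query that went anywhere other than a VPN resolver."""
    queries, responses = parse_capture(text)
    per_server = Counter(dst for _, dst, _, _ in queries)
    leaked = []
    for txid, dst, qtype, name in queries:
        if dst in vpn_dns:
            continue  # expected path while the VPN is up
        leaked.append({
            "name": name,
            "qtype": qtype,
            "server": dst,
            "known_lan": dst in lan_dns,          # DHCP resolver vs. something else
            "answered": responses.get(txid) == dst,  # silent leak if True
        })
    return {
        "total": len(queries),
        "per_server": dict(per_server),
        "leaked": leaked,
        "clean": not leaked,
    }


if __name__ == "__main__":
    report = check_leaks(CAPTURE, VPN_DNS, LAN_DNS)
    print("queries per resolver:", report["per_server"])
    for leak in report["leaked"]:
        state = "answered" if leak["answered"] else "unanswered"
        print(f"LEAK: {leak['qtype']} {leak['name']} -> {leak['server']} ({state})")
    print("verdict:", "no leak" if report["clean"] else "DNS leak detected")
```

On the constructed capture the verdict is a leak: two queries reached the LAN resolver, one of them answered (the silent case) and one not (the case that shows up as a broken lookup). In real use the capture text would come from `tshark -Y dns` while connected to the VPN, and `VPN_DNS` / `LAN_DNS` from the resolver lists the VPN client and DHCP actually pushed.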