Comment 42 for bug 1639776

Nish Aravamudan (nacc) wrote : Re: [Bug 1639776] Re: name resolution (dnsmasq) fails to send queries out after suspend/resume reconnects the interface

Lukas, thank you for the detailed information. However

On Mon, Apr 24, 2017 at 9:33 AM, Lukas Dzunko <email address hidden> wrote:
> Hello Paul. DNS leak means that DNS queries still hit the local DNS server
> while the VPN connection is active. The DNS resolver should query only the DNS
> servers defined by the VPN while the connection is active.

You seem to have ignored Paul's message and instead provided context
which should go in a different bug.

This bug was for name resolution failing after suspend/resume. It had
nothing directly to do with VPNs. Please file a new bug.

On Mon, Apr 24, 2017 at 9:33 AM, Lukas Dzunko <email address hidden> wrote:
> Hello Paul. DNS leak means that DNS queries still hit the local DNS server
> while the VPN connection is active. The DNS resolver should query only the DNS
> servers defined by the VPN while the connection is active.
>
> I did the following test:
>
> - upgraded network-manager to 1.2.6-0ubuntu0.16.04.1 (dnsmasq-base=2.75-1ubuntu0.16.04.2)
> - restarted my laptop to ensure a clean start
> - connected to VPN using openconnect / network-manager-openconnect-gnome
>
> Observed results -> DNS queries are forwarded only to the DNS servers
> defined by the LAN connection (this is wrong / connection not working at
> all)
>
> - "killall dnsmasq"
> - dnsmasq gets automatically restarted by the system
>
> Observed results -> most of the queries are forwarded to the DNS servers
> defined by the VPN, but a lot of queries get forwarded to the DNS servers defined
> by the LAN connection (this is still wrong / DNS leaks, an attacker can hijack
> the connection even if the VPN is enabled)
>
> - I downgraded network-manager back to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base stays the same)
> - restarted my laptop to ensure a clean test
> - connected to the same VPN using openconnect
>
> Observed results -> DNS queries are forwarded only to the DNS servers
> defined by the VPN connection. There are no leaks to the LAN DNS server (this is
> the correct behavior).
>
> ==============
>
> DNS leaks are bad for several reasons. The most important ones are that they
> provide visibility of host names to a possibly untrusted network and give
> the ability to hijack a connection. When I connect to a VPN server I expect that
> all traffic hits only that particular VPN server / gateway. If there is a query
> for "secure-company-server.example.com" and this hits DNS on the LAN, then we
> are instantly leaking secured names. If the LAN DNS server responds to this
> (or the response is spoofed) then the connection will be made outside of the VPN
> environment. This effectively kills the security of the VPN connection ...
>
> ==============
>
> FYI: I am currently in an environment where DHCP sets DNS servers but policy
> denies connections to them (don't ask why). Therefore it is much more visible
> if queries get forwarded to the LAN DNS server, because they never get
> a response ... this may be the reason why some of the folks here claim that the fix
> is working. If the LAN DNS server responds with something then there is no
> visibility of the problem ...
>
> ==============
>
> FYI2: all tests for this update were monitored with Wireshark ... just to
> not confuse this with the previous "FYI" comment
>
> ==============
>
> Lukas
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1639776
>
> Title:
> name resolution (dnsmasq) fails to send queries out after
> suspend/resume reconnects the interface
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+subscriptions
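The check Lukas describes (watching a packet capture and classifying each DNS query by whether it went to a VPN-provided resolver or to the LAN resolver) can be automated over a capture summary. The following is an added example, not code from the bug report or from network-manager/dnsmasq. It assumes a simplified one-query-per-line capture format (timestamp, source, `->`, destination, `DNS Standard query`, record type, name), which is a constructed layout for this example; the sample lines and the resolver addresses `10.8.0.1` (VPN) and `192.168.1.1` (LAN) are constructed too. Output from a real tool such as tshark would need its own parser.

```python
import re
from dataclasses import dataclass

# Constructed capture summary in the simplified layout assumed above
# (assumption for this example; not real tool output).
SAMPLE_CAPTURE = """\
0.000 192.168.1.23 -> 10.8.0.1 DNS Standard query A secure-company-server.example.com
0.010 192.168.1.23 -> 10.8.0.1 DNS Standard query AAAA secure-company-server.example.com
0.250 192.168.1.23 -> 192.168.1.1 DNS Standard query A intranet.example.com
0.300 192.168.1.23 -> 10.8.0.1 DNS Standard query A mail.example.com
0.900 192.168.1.23 -> 192.168.1.1 DNS Standard query A secure-company-server.example.com
"""

# Resolvers handed out by the VPN (constructed value; on a real host, take
# them from the VPN connection's settings).
VPN_DNS_SERVERS = ["10.8.0.1"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+DNS\s+Standard query\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<name>\S+)\s*$"
)


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    src: str
    dst: str
    qtype: str
    name: str


def parse_capture(text):
    """Parse the simplified capture layout; lines that do not match are skipped."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            queries.append(DnsQuery(**m.groupdict()))
    return queries


def find_leaks(queries, vpn_dns):
    """Return every query whose destination is not a VPN-provided resolver.

    Any such query is a leak in the sense used in the bug: a name was sent to
    a resolver outside the VPN while the VPN was supposed to be authoritative.
    """
    allowed = set(vpn_dns)
    return [q for q in queries if q.dst not in allowed]


def summarize(queries, vpn_dns):
    """Aggregate the leak check into counts, leaked names and offending resolvers."""
    leaks = find_leaks(queries, vpn_dns)
    return {
        "total": len(queries),
        "leaked": len(leaks),
        "leaked_names": sorted({q.name for q in leaks}),
        "leak_destinations": sorted({q.dst for q in leaks}),
    }


if __name__ == "__main__":
    report = summarize(parse_capture(SAMPLE_CAPTURE), VPN_DNS_SERVERS)
    print(f"{report['leaked']} of {report['total']} DNS queries left the VPN resolvers")
    for name in report["leaked_names"]:
        print("  leaked name:", name)
    for dst in report["leak_destinations"]:
        print("  non-VPN resolver:", dst)
```

Note that the check flags a leak even when the LAN resolver never answers, which matches Lukas's observation that a non-responding LAN resolver makes the problem visible while a responding one hides it: the leak is the outbound query, not the answer.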