Comment 28 for bug 1169437

Adam Bolte (boltronics) wrote:

hashstat (hashstat) wrote on 2013-12-24 in comment #17:
> NetworkManager is prepending /domain/ strings to the returned DNS servers so
> that they are only used for the local domain. Remaining queries are falling
> to the bottom two servers, which are the original pre-VPN DNS servers, for
> which routes no longer exist, causing DNS queries to anything other than
> example.com domain to fail.

*This* appears to sum up the core issue perfectly.

Thomas Hood (jthood) wrote on 2013-12-24 in comment #18:
> NetworkManager prepends domain names to the DNS server addresses so that
> those addresses are only used for those domains, which are presumably the
> (non-public) domains of the VPN.

That is one huge assumption you're making, and I bet it is in contrast to what many people are expecting. Anyone who uses a VPN provider such as AirVPN, PureVPN, etc. to bypass censorship, government snooping, etc. is going to need DNS data sent over the DNS link to thwart DNS leaks.

Thomas Hood (jthood) wrote on 2013-12-24 in comment #18:
> > Remaining queries are falling to the bottom two servers, which are the
> > original pre-VPN DNS servers
>
> That is by design.

I put it to you that this design is defective if it does not consider this important use case.
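The following is an added example, not part of the comment above or of NetworkManager's code. It models the per-domain server selection described in this thread using dnsmasq's `server=/domain/address` notation, and reports which query names would go to a resolver other than the VPN's. All addresses and domains are constructed sample values; the longest-domain-match rule is the assumed selection behaviour.

```python
# Added example: model per-domain DNS server selection to spot queries that
# bypass the VPN resolvers. Sample addresses and domains are constructed.

def parse_servers(lines):
    """Parse dnsmasq-style 'server=' lines into (domain_or_None, address) pairs."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            # server=/dom1/dom2/addr : addr is used only for the listed domains
            *domains, addr = value[1:].split("/")
            if addr:
                rules.extend((d.lower().rstrip("."), addr) for d in domains if d)
        else:
            rules.append((None, value))  # unrestricted server
    return rules

def resolvers_for(name, rules):
    """Servers a query for `name` is sent to (most specific domain match wins)."""
    name = name.lower().rstrip(".")
    best_len, best = -1, []
    for domain, addr in rules:
        if domain is None:
            match_len = 0
        elif name == domain or name.endswith("." + domain):
            match_len = len(domain)
        else:
            continue
        if match_len > best_len:
            best_len, best = match_len, [addr]
        elif match_len == best_len:
            best.append(addr)
    return best

def leaks(name, rules, vpn_dns):
    """True if any server chosen for `name` is not a VPN-provided resolver."""
    return any(addr not in vpn_dns for addr in resolvers_for(name, rules))

# Constructed state matching the report: VPN servers scoped to example.com,
# pre-VPN servers left as the unrestricted fallback.
SAMPLE = ["server=/example.com/10.8.0.1", "server=/example.com/10.8.0.2",
          "server=192.168.1.1", "server=192.168.1.2"]
VPN_DNS = {"10.8.0.1", "10.8.0.2"}
RULES = parse_servers(SAMPLE)
```

With this state, only names under `example.com` reach the VPN resolvers; every other name is flagged by `leaks()` because it falls through to the pre-VPN servers.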