networkmanager sets DNS server configuration without proper dns-search/dns-priority, causing DNS requests to leak to the ISP (openconnect+split-tunnel+non-split DNS)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
network-manager (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
VPN server configuration is split tunneling (default route is local ISP) with "global/
REDACTED@
default via 192.168.1.1 dev wlo1 proto dhcp metric 600
10.0.0.0/24 dev vpn0 proto static scope link metric 50
VPN (OpenConnect) provides its own DNS servers without a "DNS Domain". Connection syslog:
Dec 29 08:48:28 REDACTED NetworkManager[
Dec 29 08:48:28 REDACTED NetworkManager[
Dec 29 08:48:28 REDACTED NetworkManager[
All DNS requests should be routed through the VPN, yet the dns-priority and dns-search configuration prevents it from doing so:
Dec 29 20:30:38 REDACTED systemd-
Dec 29 20:30:41 REDACTED systemd-
I can confirm that changing dns-search to the wildcard ~. and dns-priority to -50 resolves the issue.
REDACTED@
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 50
REDACTED@
Link 5 (vpn0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 3 (wlo1)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
DNS Domain: ~.
REDACTED@
REDACTED@
REDACTED@
ipv4.dns: --
ipv4.dns-search: ~.
ipv4.dns-options: --
ipv4.dns-priority: -50
After a VPN restart, the new settings are working properly:
REDACTED@
Link 5 (vpn0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.100.10
DNS Servers: 192.168.100.10
DNS Domain: ~.
Link 3 (wlo1)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
When OpenConnect receives a "DNS Domain" (split DNS configuration), everything works as intended:
Dec 29 08:46:32 REDACTED NetworkManager[
Dec 29 08:46:32 REDACTED NetworkManager[
Dec 29 08:46:32 REDACTED NetworkManager[
REDACTED@REDACTED ~ resolvectl status
Link 6 (vpn0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.100.10
DNS Servers: 192.168.100.10
DNS Domain: example.com
A PR for this bug was already submitted upstream and accepted:
https:/
RH bugzilla for this issue:
https:/
This leak can be related to:
https:/
Bug/CVE found on:
lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
apt-cache policy network-manager
network-manager:
Installed: 1.22.10-1ubuntu2.2
Candidate: 1.22.10-1ubuntu2.2
Version table:
*** 1.22.10-1ubuntu2.2 500
500 http://
100 /var/lib/
1.
500 http://
apt-cache policy network-
network-
Installed: 1.2.6-1
Candidate: 1.2.6-1
Version table:
*** 1.2.6-1 500
500 http://
100 /var/lib/
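Added example, not part of the bug report and not NetworkManager's own code: a small POSIX shell script that reads `resolvectl status` output, flags the leak state shown above (the Wi-Fi link is the DNS default route while the VPN link has no DNS scope), and applies the reporter's workaround with `nmcli`. It assumes the `Link N (ifname)` / `Current Scopes:` / `DefaultRoute setting:` line layout quoted in the report; the interface name `vpn0` is taken from the report, the connection profile name `work-vpn` is hypothetical, and the two sample outputs are constructed from the report's two states. The check is meant for the full-tunnel-DNS case the bug is about; under an intentional split-DNS setup (a real "DNS Domain"), the ISP link remaining a default route is expected, not a leak.

```shell
#!/bin/sh
# Added example (not from the bug report or NetworkManager): flag the leak
# the report describes from `resolvectl status` output, and apply the
# reporter's nmcli workaround. Parsing assumes the "Link N (ifname)",
# "Current Scopes:" and "DefaultRoute setting:" lines as quoted in the report.

# parse_links < resolvectl-status-text
# Prints one line per link: "<ifname> <dns|nodns> <yes|no>", where the last
# field is the link's DefaultRoute setting.
parse_links() {
    awk '
        /Link [0-9]+ \(/ {
            if (link != "") print link, dns, dr
            match($0, /\([^)]*\)/)
            link = substr($0, RSTART + 1, RLENGTH - 2)
            dns = "nodns"; dr = "no"
        }
        # "DNS" as its own scope word; "mDNS/IPv4" must not count
        /Current Scopes:/ && / DNS( |$)/ { dns = "dns" }
        /DefaultRoute setting:/ { dr = $NF }
        END { if (link != "") print link, dns, dr }
    '
}

# leak_status VPN_IFNAME < resolvectl-status-text
# For the full-tunnel-DNS case in the report (no split "DNS Domain"): prints
# LEAK when the VPN link is not a DNS default route or some other link still
# is one, OK otherwise. Returns 1 on LEAK so it can gate a script.
leak_status() {
    verdict=$(parse_links | awk -v vpn="$1" '
        $1 == vpn && $2 == "dns" && $3 == "yes" { vpn_ok = 1 }
        $1 != vpn && $2 == "dns" && $3 == "yes" { other_dr = 1 }
        END { if (vpn_ok && !other_dr) print "OK"; else print "LEAK" }
    ')
    echo "$verdict"
    [ "$verdict" = "OK" ]
}

# apply_workaround CONNECTION
# The reporter's fix: send all names (~.) to the VPN profile's resolvers and
# give the profile a negative dns-priority, which makes it exclusive (servers
# from connections with a higher priority value are no longer used). Needs
# privileges to modify the profile; not invoked by the demonstration below.
apply_workaround() {
    nmcli connection modify "$1" ipv4.dns-search '~.' ipv4.dns-priority -50
    nmcli connection down "$1"
    nmcli connection up "$1"
}

# Constructed samples modelled on the two states quoted in the report.
BROKEN=$(cat <<'EOF'
Link 5 (vpn0)
      Current Scopes: none
DefaultRoute setting: no
Link 3 (wlo1)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 8.8.8.8
          DNS Domain: ~.
EOF
)
FIXED=$(cat <<'EOF'
Link 5 (vpn0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.100.10
          DNS Domain: ~.
Link 3 (wlo1)
      Current Scopes: none
DefaultRoute setting: no
EOF
)

# On a live host ("work-vpn" is a hypothetical profile name):
#   resolvectl status | leak_status vpn0 || apply_workaround work-vpn
echo "before workaround: $(printf '%s\n' "$BROKEN" | leak_status vpn0)"
echo "after workaround:  $(printf '%s\n' "$FIXED" | leak_status vpn0)"
```

Run it after bringing the VPN up; a LEAK verdict with the ISP's resolver listed under the Wi-Fi link is exactly the state the report's first `resolvectl status` shows, and the same check should print OK once `ipv4.dns-search` is `~.` and `ipv4.dns-priority` is negative on the VPN profile.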
Hi Adam,
Marking public given the public bug reports elsewhere.
It looks like upstream addressed this in network-manager 1.28, which has not made it into Ubuntu yet.