Comment 0 for bug 666446

Binary package hint: network-manager

If I configure a VPN in NetworkManger, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.

Here's the scenario:

My two office DNS servers support DNSSEC validation. My ISP at home does not.

When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name looks up correctly, when it should fail.

If this were a real attack instead of a test scenario, it'd have security implications.

If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/NetworkManager/nm-crash-logger usr/lib/NetworkManager/nm-dhcp-client.action usr/lib/NetworkManager/nm-dispatcher.action usr/lib/NetworkManager/nm-avahi-autoipd.action]
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
SourcePackage: network-manager