Comment 5 for bug 992411

Rudi Daemen (fludizz) wrote :

Sorry for the bump but dnsmasq is still enabled by default and cannot be removed without removing network-manager.

I ran into the issue where dnsmasq introduced a security problem when running VPN connections. For security reasons all DNS traffic was supposed to be flowing to the DNS server pushed by the VPN server. This used to work before dnsmasq was made the default. With dnsmasq enabled, it sends the DNS request completely at random to the various DNS servers the system has learned, including those from the public network (DHCP). This not only leaks information, it also breaks resolving hosts on the other end of the VPN because dnsmasq responds with NXDOMAIN if the query for a VPN-connected hostname happened to have ended up in the public DNS.

After commenting out the line dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf, DNS is properly enforced again and behaving completely predictably.

I wish to remove dnsmasq from my client systems as well because of this security leak.
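Added example (not part of the bug report or of NetworkManager): a small checker that parses a NetworkManager.conf, reports whether the [main] section still has the dns=dnsmasq setting the comment above blames for the DNS leak, and produces the commented-out version that is the workaround described. The config text is a constructed sample modelled on the Ubuntu default; the file path is the one named in the comment.

```python
"""Detect and disable dns=dnsmasq in NetworkManager.conf (added example)."""
import re
from pathlib import Path

# Constructed sample mirroring the Ubuntu default discussed above.
SAMPLE_CONF = """[main]
plugins=ifupdown,keyfile
dns=dnsmasq

[ifupdown]
managed=false
"""

_SECTION = re.compile(r"\[(.+)\]$")


def _is_comment(line):
    return not line or line[0] in "#;"


def effective_dns(conf_text):
    """Return the active 'dns' value in [main], or None if unset/commented.

    Only an uncommented dns= key inside [main] counts; a commented-out
    line (the workaround in the comment) correctly reports None.
    """
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if _is_comment(line):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip()
        elif section == "main":
            key, _, val = line.partition("=")
            if key.strip() == "dns":
                value = val.strip()  # last occurrence wins
    return value


def uses_local_dnsmasq(conf_text):
    """True when NetworkManager will spawn its own dnsmasq resolver."""
    return effective_dns(conf_text) == "dnsmasq"


def disable_dnsmasq(conf_text):
    """Return the config with dns=dnsmasq in [main] commented out."""
    out, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = None if _is_comment(line) else _SECTION.match(line)
        if m:
            section = m.group(1).strip()
        elif section == "main" and not _is_comment(line):
            key, _, val = line.partition("=")
            if key.strip() == "dns" and val.strip() == "dnsmasq":
                raw = "#" + raw
        out.append(raw)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


if __name__ == "__main__":
    path = Path("/etc/NetworkManager/NetworkManager.conf")
    text = path.read_text() if path.exists() else SAMPLE_CONF
    print("dnsmasq enabled:", uses_local_dnsmasq(text))
```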