systemd-resolved does not reset DNS server and search domain list properly after VPN disconnect
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
systemd (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Jammy |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[Impact]
Networking components such as VPNs that rely on systemd-resolved's API to configure search domains may inadvertently leave the network configuration in a bad state. This is a result of a broken systemd-resolved API.
[Test Plan]
* On a jammy host, configure a couple search domains with resolvectl:
$ resolvectl domain <network interface> search1.internal search2.internal
$ resolvectl domain <network interface>
* In any case, both domains should be displayed. Then, attempt to clear the configured domains:
$ resolvectl domain <network interface> ""
$ resolvectl domain <network interface>
* On a patched system, the two domains should no longer be displayed. On an un-patched system, one of the domains will still be configured.
[Where problems could occur]
This patch touches the logic that configures search domains in systemd-resolved. If the patch caused regressions, it would be related to the set of configured search domains.
[Original Description]
Hi,
in Ubuntu 21.10 I am facing a problem with DNS server list and search domain list is not properly reset back to the previous values after a VPN is disconnected. I reproduced this in Ubuntu 21.10 instance which was upgraded from the older version of Ubuntu as well as in Live USB Ubuntu 21.10 so it is not an "upgrade issue".
I use this resolv.conf symlink:
/etc/resolv.conf -> ../run/
Actual behavior:
VPN connect will add VPN's DNS servers and search domains into /etc/resolv.conf. When VPN is disconnected there are some of the VPN's DNS server and search domain entries left there, so it is not reset back properly.
Desired behavior:
VPN connect will add VPN's DNS servers and search domains into /etc/resolv.conf. When VPN is disconnected DNS servers and search domain list is restored to exactly the same state as was prior to the VPN connection.
Steps for reproducing:
1. Before VPN is connected this is the DNS server and search domain list in /etc/resolv.conf:
nameserver 192.168.122.1
search .
2. Once the VPN is connected, we see there were VPN's DNS server and serach domain list entries added:
nameserver 2xx.xx.xx.x0
nameserver 2xx.xx.xx.x1
nameserver 192.168.122.1
search domain1.local domain2.internal domain3.internal
3. After VPN disconnection, we see the DNS server and search domain list in /etc/resolv.conf is not restored to the state at point (1.) and some entries from VPN is being kept there:
nameserver 2xx.xx.xx.x1
nameserver 192.168.122.1
search domain2.internal domain3.internal
ProblemType: Bug
DistroRelease: Ubuntu 21.10
Package: systemd 248.3-1ubuntu8
ProcVersionSign
Uname: Linux 5.13.0-19-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu70
Architecture: amd64
CasperMD5CheckR
CasperVersion: 1.465
CurrentDesktop: ubuntu:GNOME
Date: Wed May 25 06:06:05 2022
LiveMediaBuild: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
Lsusb:
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Lsusb-t:
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 480M
MachineType: QEMU Standard PC (Q35 + ICH9, 2009)
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=
SourcePackage: systemd
SystemdDelta:
[EXTENDED] /usr/lib/
[EXTENDED] /usr/lib/
[EXTENDED] /usr/lib/
3 overridden configuration files found.
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.release: 0.0
dmi.bios.vendor: SeaBIOS
dmi.bios.version: 1.14.0-2
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.
dmi.modalias: dmi:bvnSeaBIOS:
dmi.product.name: Standard PC (Q35 + ICH9, 2009)
dmi.product.
dmi.sys.vendor: QEMU
Related branches
- Lukas Märdian: Approve
-
Diff: 328 lines (+268/-2)7 files modifieddebian/changelog (+21/-0)
debian/patches/lp1975667-Ensure-dns_search_domain_unlink_marked-removes-all-marked.patch (+24/-0)
debian/patches/lp1978079-efi-pstore-not-cleared-on-boot.patch (+10/-2)
debian/patches/lp1979951-network-do-not-remove-localhost-address.patch (+66/-0)
debian/patches/lp1981042-core-firstboot-workaround-timezone-issues-caused-by-Ubunt.patch (+110/-0)
debian/patches/lp1982462-units-remove-the-restart-limit-on-the-modprobe-.service.patch (+33/-0)
debian/patches/series (+4/-0)
tags: | added: fr-2418 |
Changed in systemd (Ubuntu): | |
importance: | Undecided → Medium |
Changed in systemd (Ubuntu Jammy): | |
importance: | Undecided → Medium |
Changed in systemd (Ubuntu): | |
status: | New → Confirmed |
Changed in systemd (Ubuntu Jammy): | |
status: | New → Confirmed |
tags: |
added: rls-ii-notfixing removed: rls-ii-incoming rls-jj-incoming |
description: | updated |
tags: | added: foundations-todo |
tags: | removed: foundations-todo |
I think there are actually two similar bugs here. The first I think is caused by [1], which I have confirmed is present in impish, but not focal or jammy. This can be demonstrated by the following:
$ resolvectl dns eth0 8.8.8.8 8.8.4.4 1.1.1.1
$ resolvectl dns eth0
Link 110 (eth0): 8.8.8.8 8.8.4.4 1.1.1.1
$ resolvectl dns eth0 "" # This SHOULD clear all DNS servers
$ resolvectl dns eth0
Link 110 (eth0): 8.8.4.4 1.1.1.1 # Only 8.8.8.8 was removed.
I think the second issue is caused by [2], which I have confirmed is present in impish and jammy, but not focal. This can be demonstrated by the following:
$ resolvectl domain eth0 search1.internal search2.internal search3.internal
$ resolvectl domain eth0
Link 2 (ens3): search1.internal search2.internal search3.internal
$ resolvectl domain eth0 "" # This SHOULD clear all search domains
$ resolvectl domain eth0
Link 2 (ens3): search2.internal search3.internal # Only search1.internal was removed
[1] https:/ /github. com/systemd/ systemd/ issues/ 19651 /github. com/systemd/ systemd/ issues/ 23027
[2] https:/