Comment 131 for bug 1624317
Revision history for this message
|
|
#131 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
a60fb26
(Get the code!)
Nope, same results unfortunately. I have tried basically everything:
noctua@corinth:~$ nmcli c
NAME UUID TYPE DEVICE
Bn80rrF8 11d6931f-
US-East cf291340-
tun0 2476d73d-
tun0 0058ff81-
tun0 56ca187e-
Here's where I try every possible way to apply 'ipv4.dns-priority -42'
noctua@corinth:~$ sudo nmcli connection modify uuid ipv4.dns-priority -42
0058ff81-
11d6931f-
2476d73d-
noctua@corinth:~$ sudo nmcli connection modify uuid 0058ff81-
noctua@corinth:~$ sudo nmcli connection modify uuid 56ca187e-
noctua@corinth:~$ sudo nmcli connection modify uuid 2476d73d-
noctua@corinth:~$ sudo nmcli connection modify uuid cf291340-
noctua@corinth:~$ sudo nmcli connection modify tun0 ipv4.dns-priority -42noctua@
And then I tried reactivating the connection each time successfully through the GUI and then through nmcli, for example:
noctua@corinth:~$ sudo nmcli connection modify US-East ipv4.dns-priority -42
noctua@corinth:~$ sudo nmcli connection down US-East
Connection 'US-East' successfully deactivated (D-Bus active path: /org/freedeskto
noctua@corinth:~$ sudo nmcli --ask connection up US-East
A password is required to connect to 'US-East'.
Password (vpn.secrets.
VPN connection successfully activated (D-Bus active path: /org/freedeskto
I even tried:
noctua@corinth:~$ sudo nmcli connection reload tun0
noctua@corinth:~$ sudo nmcli connection reload US-East
But every single time, I still I get the same results testing for DNS leaks, that DNS queries are clearly being sent to my ISP (Verizon in this case). So...this doesn't appear to work :(
I think the only real solution here to stop DNS leaks over NM-VPN connections is to provide an option to specify the routing-only domain or make "." a valid search domain name on systems that force the use of systemd-resolved (so...basically every major Linux distro including those based off Ubuntu, Arch Linux, AND the upcoming release of Debian Stretch). This is a rather serious problem, hence the kinda hackish patch I made forcing the systemd-resolved method SetLinkDomains to accept the routing-only domain ".". Ultimately, I think there needs to be the OPTION to specify the routing-only domain to prevent DNS leaks.
All those posts on the original launchpad thread, the Arch forums, and various duplicate bug threads of the original launchpad bug https:/
Even more simply, "." could be allowed/parsed as a valid search domain when reading the dns-search line of a config file in /etc/NetworkMan
[ipv4]
dns=209.
dns-search=.;
ignore-
method=auto
I am positive that domains otherwise considered 'valid' ("." or "~." don't appear to be allowed, see above posts) are passed to SetLinkDomains. For example, if I set dns-search=
noctua@corinth:~$ sudo cat /etc/NetworkMan
[sudo] password for noctua:
[connection]
id=US-East
uuid=cf291340-
type=vpn
permissions=
secondaries=
timestamp=
[vpn]
auth=SHA1
ca=/home/
cipher=BF-CBC
comp-lzo=yes
connection-
dev=tun
dev-type=tun
password-flags=1
proto-tcp=yes
remote=
remote-
reneg-seconds=0
username=<my username here>
service-
[ipv4]
dns=209.
dns-priority=-42
dns-search=
method=auto
[ipv6]
addr-gen-
dns-search=
ip6-privacy=0
method=ignore
Now notice the line under tun0 that says 'DNS Domain: bogusdomain'
noctua@corinth:~$ systemd-resolve --status
Global
DNSSEC NTA: 10.in-addr.arpa
Link 16 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 209.222.18.222
DNS Domain: bogusdomain
Link 2 (wlo1)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.1.1
DNS Domain: home
So theoretically, all we need to do is allow "." to be parsed as a valid domain here.