[Bug 1248834] Re: update-resolv-conf/resolvconf dns leaks from ISP
Thomas Hood
1248834 at bugs.launchpad.net
Thu Nov 7 15:20:36 UTC 2013
** Package changed: resolvconf (Ubuntu) => openresolv (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to resolvconf in Ubuntu.
https://bugs.launchpad.net/bugs/1248834
Title:
update-resolv-conf/resolvconf dns leaks from ISP
Status in The Linux Mint Distribution:
New
Status in “openresolv” package in Ubuntu:
New
Bug description:
I'm running Mint 15 Cinnamon and after using update-resolv-conf with
OpenVPN from the command line and testing the DNS, I noticed the DNS
from the ISP are still being queried and leaking through.
This is an example of my openvpn.conf:
------------------------------------------
client
dev tun
proto udp
route-delay 10
comp-lzo no
tls-auth ta.key 1
sndbuf 131072
rcvbuf 131072
script-security 2
cipher AES-128-CBC
tls-cipher DHE-RSA-AES128-SHA
# Server List
remote 12.2.64.14 443
#remote 11.4.21.40 443
remote-random
resolv-retry 10
nobind
persist-key
#persist-tun
keepalive 3 10
ns-cert-type server
# Set log file verbosity & log path
#log /var/log/openvpn
verb 1
# Silence repeating messages
mute 20
#Push DNS from the server
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#User Info
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/my.crt
key /etc/openvpn/keys/my.key
tls-auth /etc/openvpn/keys/ta.key 1
------------------------------------------
Inside /etc/resolv.conf, as an example, it still shows like below for pulling in my DNS:
search mydomain.com
Therefore, because of the above example that appears in resolv.conf,
your DNS from your ISP are leaking by and still being used.
Considering OpenVPN, I thought the point of the update-resolv-conf was
to push the DNS from the VPN server to the client so that you only use
these DNS and prevent the DNS from the ISP from being used; after all,
this should be the reason why you use this script, but this does not
work.
The only way I see this can work properly is the line in
/etc/resolv.conf needs to be commented out or removed:
#search mydomain.com
One of the best places I've found online where you can test this is the 'GRC
DNS Nameserver Spoofability Test':
https://www.grc.com/dns/dns.htm
When you run the GRC test you will see it does query and find your ISP
DNS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/linuxmint/+bug/1248834/+subscriptions
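The comparison the reporter made by hand, as an added example that is not part of the bug report nor of the update-resolv-conf or openresolv scripts: a POSIX sh check that lists which nameserver entries in a resolv.conf were not among the servers the VPN pushed. It assumes the OpenVPN convention that pushed options reach the "up" script as foreign_option_N="dhcp-option DNS a.b.c.d" environment variables (the interface update-resolv-conf parses); the addresses and the temporary file are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the bug report or from update-resolv-conf/openresolv.
# A resolver still listed in /etc/resolv.conf that the VPN did not push is what
# lets queries reach the ISP's DNS while the tunnel is up.

# vpn_dns_servers: print the resolver addresses pushed by the VPN, one per line,
# taken from the foreign_option_N="dhcp-option DNS x.x.x.x" variables OpenVPN sets.
vpn_dns_servers() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS \(.*\)$/\1/p'
}

# check_resolv_leak RESOLV_CONF [VPN_DNS ...]
# Prints every "nameserver" entry in RESOLV_CONF that is not in the VPN-pushed
# list (an ISP or DHCP resolver still in use) and returns 1 if any were found.
# "search"/"domain" lines are reported as notes: they show the pre-VPN
# configuration was never replaced, but only stray resolvers count as a leak.
check_resolv_leak() {
    resolv=$1; shift
    pushed=" $* "          # space-padded so " $value " matches whole tokens only
    leaks=0
    while read -r key value rest || [ -n "$key" ]; do
        case "$key" in
            nameserver)
                case "$pushed" in
                    *" $value "*) ;;                     # pushed by the VPN: fine
                    *) echo "LEAK: nameserver $value was not pushed by the VPN"
                       leaks=$((leaks + 1)) ;;
                esac ;;
            search|domain)
                echo "NOTE: '$key $value${rest:+ $rest}' survived from the pre-VPN config" ;;
        esac
    done < "$resolv"
    [ "$leaks" -eq 0 ]
}

# Stand-alone demonstration on a constructed resolv.conf resembling the report:
# 10.8.0.1 stands in for the VPN resolver, 192.168.1.1 for the router/ISP one
# that was left behind.
demo_resolv=$(mktemp)
printf 'search mydomain.com\nnameserver 10.8.0.1\nnameserver 192.168.1.1\n' > "$demo_resolv"
check_resolv_leak "$demo_resolv" 10.8.0.1 || echo "ISP DNS is still reachable: leak"
rm -f "$demo_resolv"
```

On a live system, run it from the OpenVPN "up" script context (or after exporting the foreign_option_N variables) as `check_resolv_leak /etc/resolv.conf $(vpn_dns_servers)`.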