[Bug 1975667] Re: systemd-resolved does not reset DNS server and search domain list properly after VPN disconnect
Nick Rosbrook
1975667 at bugs.launchpad.net
Thu Jul 21 16:15:51 UTC 2022
** Description changed:
+ [Impact]
+
+ Networking components such as VPNs that rely on systemd-resolved's API
+ to configure search domains may inadvertently leave the network
+ configuration in a bad state. This is a result of a broken systemd-
+ resolved API.
+
+ [Test Plan]
+ * On a jammy host, configure a couple search domains with resolvectl:
+
+ $ resolvectl domain <network interface> search1.internal search2.internal
+ $ resolvectl domain <network interface>
+
+ * In any case, both domains should be displayed. Then, attempt to clear
+ the configured domains:
+
+ $ resolvectl domain <network interface> ""
+ $ resolvectl domain <network interface>
+
+ * On a patched system, the two domains should no longer be displayed. On
+ an un-patched system, one of the domains will still be configured.
+
+ [Where problems could occur]
+ This patch touches the logic that configures search domains in systemd-resolved. If the patch caused regressions, it would be related to the set of configured search domains.
+
+ [Original Description]
+
Hi,
in Ubuntu 21.10 I am facing a problem with DNS server list and search domain list is not properly reset back to the previous values after a VPN is disconnected. I reproduced this in Ubuntu 21.10 instance which was upgraded from the older version of Ubuntu as well as in Live USB Ubuntu 21.10 so it is not an "upgrade issue".
I use this resolv.conf symlink:
/etc/resolv.conf -> ../run/systemd/resolve/resolv.conf
- Actual behavior:
+ Actual behavior:
VPN connect will add VPN's DNS servers and search domains into /etc/resolv.conf. When VPN is disconnected there are some of the VPN's DNS server and search domain entries left there, so it is not reset back properly.
Desired behavior:
VPN connect will add VPN's DNS servers and search domains into /etc/resolv.conf. When VPN is disconnected DNS servers and search domain list is restored to exactly the same state as was prior to the VPN connection.
Steps for reproducing:
1. Before VPN is connected this is the DNS server and search domain list in /etc/resolv.conf:
nameserver 192.168.122.1
search .
2. Once the VPN is connected, we see there were VPN's DNS server and
serach domain list entries added:
nameserver 2xx.xx.xx.x0
nameserver 2xx.xx.xx.x1
nameserver 192.168.122.1
search domain1.local domain2.internal domain3.internal
3. After VPN disconnection, we see the DNS server and search domain list
in /etc/resolv.conf is not restored to the state at point (1.) and some
entries from VPN is being kept there:
nameserver 2xx.xx.xx.x1
nameserver 192.168.122.1
search domain2.internal domain3.internal
ProblemType: Bug
DistroRelease: Ubuntu 21.10
Package: systemd 248.3-1ubuntu8
ProcVersionSignature: Ubuntu 5.13.0-19.19-generic 5.13.14
Uname: Linux 5.13.0-19-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu70
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.465
CurrentDesktop: ubuntu:GNOME
Date: Wed May 25 06:06:05 2022
LiveMediaBuild: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
Lsusb:
- Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
- Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
- Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+ Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
+ Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
+ Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Lsusb-t:
- /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/15p, 5000M
- /: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/15p, 480M
- |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 480M
+ /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/15p, 5000M
+ /: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/15p, 480M
+ |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 480M
MachineType: QEMU Standard PC (Q35 + ICH9, 2009)
ProcEnviron:
- TERM=xterm-256color
- PATH=(custom, no user)
- XDG_RUNTIME_DIR=<set>
- LANG=en_US.UTF-8
- SHELL=/bin/bash
+ TERM=xterm-256color
+ PATH=(custom, no user)
+ XDG_RUNTIME_DIR=<set>
+ LANG=en_US.UTF-8
+ SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/username.seed maybe-ubiquity quiet splash ---
SourcePackage: systemd
SystemdDelta:
- [EXTENDED] /usr/lib/systemd/system/rc-local.service → /usr/lib/systemd/system/rc-local.service.d/debian.conf
- [EXTENDED] /usr/lib/systemd/system/systemd-localed.service → /usr/lib/systemd/system/systemd-localed.service.d/locale-gen.conf
- [EXTENDED] /usr/lib/systemd/system/user at .service → /usr/lib/systemd/system/user at .service.d/timeout.conf
-
- 3 overridden configuration files found.
+ [EXTENDED] /usr/lib/systemd/system/rc-local.service → /usr/lib/systemd/system/rc-local.service.d/debian.conf
+ [EXTENDED] /usr/lib/systemd/system/systemd-localed.service → /usr/lib/systemd/system/systemd-localed.service.d/locale-gen.conf
+ [EXTENDED] /usr/lib/systemd/system/user at .service → /usr/lib/systemd/system/user at .service.d/timeout.conf
+
+ 3 overridden configuration files found.
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.release: 0.0
dmi.bios.vendor: SeaBIOS
dmi.bios.version: 1.14.0-2
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-q35-6.0
dmi.modalias: dmi:bvnSeaBIOS:bvr1.14.0-2:bd04/01/2014:br0.0:svnQEMU:pnStandardPC(Q35+ICH9,2009):pvrpc-q35-6.0:sku:cvnQEMU:ct1:cvrpc-q35-6.0:
dmi.product.name: Standard PC (Q35 + ICH9, 2009)
dmi.product.version: pc-q35-6.0
dmi.sys.vendor: QEMU
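Review bot: the added [Test Plan] only exercises `resolvectl domain`, but step 3 of the original description also shows a VPN nameserver (2xx.xx.xx.x1) left in /etc/resolv.conf after the disconnect. Either add a matching `resolvectl dns <network interface>` check to the plan or state in [Impact] that this patch covers search domains only. The phrase "In any case" would also read more clearly as "On both patched and un-patched systems".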
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1975667
Title:
systemd-resolved does not reset DNS server and search domain list
properly after VPN disconnect
Status in systemd package in Ubuntu:
Confirmed
Status in systemd source package in Jammy:
Confirmed
Bug description:
[Impact]

Networking components such as VPNs that rely on systemd-resolved's API
to configure search domains may inadvertently leave the network
configuration in a bad state. This is a result of a broken
systemd-resolved API.

[Test Plan]

* On a jammy host, configure a couple search domains with resolvectl:

  $ resolvectl domain <network interface> search1.internal search2.internal
  $ resolvectl domain <network interface>

* In any case, both domains should be displayed. Then, attempt to
  clear the configured domains:

  $ resolvectl domain <network interface> ""
  $ resolvectl domain <network interface>

* On a patched system, the two domains should no longer be displayed.
  On an un-patched system, one of the domains will still be configured.

[Where problems could occur]

This patch touches the logic that configures search domains in systemd-resolved. If the patch caused regressions, it would be related to the set of configured search domains.

[Original Description]
Hi,
in Ubuntu 21.10 I am facing a problem where the DNS server list and search domain list are not properly reset back to the previous values after a VPN is disconnected. I reproduced this in an Ubuntu 21.10 instance which was upgraded from an older version of Ubuntu as well as in a Live USB Ubuntu 21.10, so it is not an "upgrade issue".
I use this resolv.conf symlink:
/etc/resolv.conf -> ../run/systemd/resolve/resolv.conf
Actual behavior:
VPN connect will add VPN's DNS servers and search domains into /etc/resolv.conf. When VPN is disconnected there are some of the VPN's DNS server and search domain entries left there, so it is not reset back properly.
Desired behavior:
VPN connect will add VPN's DNS servers and search domains into /etc/resolv.conf. When VPN is disconnected DNS servers and search domain list is restored to exactly the same state as was prior to the VPN connection.
Steps for reproducing:

1. Before VPN is connected this is the DNS server and search domain list in /etc/resolv.conf:

   nameserver 192.168.122.1
   search .

2. Once the VPN is connected, we see that the VPN's DNS server and
   search domain list entries were added:

   nameserver 2xx.xx.xx.x0
   nameserver 2xx.xx.xx.x1
   nameserver 192.168.122.1
   search domain1.local domain2.internal domain3.internal

3. After VPN disconnection, we see the DNS server and search domain
   list in /etc/resolv.conf is not restored to the state at point (1.)
   and some entries from the VPN are being kept there:

   nameserver 2xx.xx.xx.x1
   nameserver 192.168.122.1
   search domain2.internal domain3.internal
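
A check for the leftover state shown in the reproduction steps, added here as an example (it is not part of the bug report or of systemd): it compares a resolv.conf snapshot taken before the VPN connect with one taken after the disconnect. The function names and snapshot file names are assumptions, and the sample data is constructed from steps 1 and 3 of the report.

```shell
#!/bin/sh
# Added example (not from the bug report): find resolver entries that are
# still present after a VPN disconnect but were absent before the connect.
export LC_ALL=C   # sort and comm must agree on collation

# resolv_entries FILE KEYWORD: values of every "KEYWORD ..." line, sorted, unique
resolv_entries() {
    awk -v key="$2" '$1 == key { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# residual_entries BEFORE AFTER KEYWORD: values in AFTER that BEFORE lacked
residual_entries() {
    _b=$(mktemp); _a=$(mktemp)
    resolv_entries "$1" "$3" > "$_b"
    resolv_entries "$2" "$3" > "$_a"
    comm -13 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# resolv_restored BEFORE AFTER: succeeds only if both entry sets are identical
resolv_restored() {
    for _key in nameserver search; do
        [ "$(resolv_entries "$1" "$_key")" = "$(resolv_entries "$2" "$_key")" ] || return 1
    done
}

# write_samples DIR: constructed snapshots matching steps 1 and 3 of the report
write_samples() {
    printf 'nameserver 192.168.122.1\nsearch .\n' > "$1/before"
    printf 'nameserver 2xx.xx.xx.x1\nnameserver 192.168.122.1\nsearch domain2.internal domain3.internal\n' > "$1/after"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
if resolv_restored "$SAMPLES/before" "$SAMPLES/after"; then
    echo "resolver state restored"
else
    # Unquoted substitutions join the one-per-line results onto a single line.
    echo "leftover nameservers:" $(residual_entries "$SAMPLES/before" "$SAMPLES/after" nameserver)
    echo "leftover search domains:" $(residual_entries "$SAMPLES/before" "$SAMPLES/after" search)
fi
```

On a real host, the two snapshots would be copies of /run/systemd/resolve/resolv.conf (the target of the symlink in the report) saved before connecting and after disconnecting.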