[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

dwmw2 dwmw2 at infradead.org
Wed Aug 21 11:30:57 UTC 2019


I have worked out the problem with the new NetworkManager which required
me to set ipv4.dns-priority=-1 (which, in turn, messes things up for
those with fresh installs that don't get the new NetworkManager).

The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs
but it doesn't also set ipv4.dns-priority=-1. This means that any DNS
domain on a local network which isn't also explicitly matched by the VPN
config, is considered "more specific" and gets used instead of the VPN.

This is wrong; NetworkManager should also set ipv4.dns-priority=-1 for
full-tunnel VPNs.

The reason this was consistently problematic for our users is that we
have set up /etc/dhcp/dhclient.conf to *override* the domains given by
the local network to include the root of our corporate AD domain
"DOM.COMPANY.COM", because various non-FQDN hostnames in AD would
otherwise cause problems.

This realisation does give me a way out of my current problem, until a
newer version of NM correctly sets the priority automatically. Instead
of manually configuring ipv4.dns-priority=-1 and breaking things for
older NM, I can manually configure ipv4.dns-search=dom.company.com;company.com
which works for everyone. And there
*are* no other search domains which get leaked now, because our DHCP
config doesn't let them get discovered. (Deliberately ignoring RDNSS
here because if you live in the 21st century and have IPv6, you still
get to use that anyway even when you're on a full-tunnel Legacy IP VPN.
Nobody tell the IT folks please.)
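The leak described above comes from how NetworkManager picks a resolver per query: the connection whose search or routing domain matches the most labels of the name wins, and a negative dns-priority makes one connection exclusive. The following is an added model of those documented rules, not NetworkManager's own code or anything from this bug thread; the connection names, resolver addresses and query names are constructed. It shows the three configurations discussed here side by side: the new NM default (dns-search=~. only), dns-priority=-1, and the dns-search=dom.company.com;company.com workaround.

```python
"""Model of NetworkManager split-DNS routing (dns-search + dns-priority).

Constructed illustration, not NetworkManager code. It follows the rules from
nm-settings(5):
- a negative dns-priority makes that connection's DNS servers exclusive
  (other connections with a higher value are ignored);
- otherwise the connection whose search/routing domain matches the most
  labels of the query name wins, ties broken by the lower priority value;
- "~." is a routing-only domain that matches every name, least specifically.
Default priorities are 50 for VPN connections and 100 for everything else.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    name: str
    dns: str                       # resolver supplied by this connection (constructed)
    search: list = field(default_factory=list)
    priority: int = 0              # 0 means "use the NetworkManager default"
    vpn: bool = False

    def effective_priority(self):
        if self.priority != 0:
            return self.priority
        return 50 if self.vpn else 100


def _match_labels(query, domain):
    """Labels of `domain` matched by `query`, or None when it does not match."""
    dom = domain.lstrip("~").rstrip(".").lower()   # "~" marks a routing-only domain
    q = query.rstrip(".").lower()
    if dom == "":
        return 0                                     # "~." catches everything
    if q == dom or q.endswith("." + dom):
        return len(dom.split("."))
    return None


def route_query(query, connections):
    """Name of the connection whose resolver answers `query`, or None."""
    active = list(connections)
    negatives = [c for c in active if c.effective_priority() < 0]
    if negatives:
        lowest = min(c.effective_priority() for c in negatives)
        active = [c for c in negatives if c.effective_priority() == lowest]
    best = None
    for c in active:
        for d in c.search:
            n = _match_labels(query, d)
            if n is None:
                continue
            key = (-n, c.effective_priority())       # more labels, then lower priority
            if best is None or key < best[0]:
                best = (key, c.name)
    return best[1] if best else None


# Local network as shaped by the dhclient.conf override from the report (constructed).
LAN = Connection("eth0", "10.0.0.53", ["dom.company.com", "company.com"])
QUERIES = ["fileserver.dom.company.com", "intranet.company.com", "example.org"]


def leaking_setup():
    """New NM default: dns-search=~. only, so the LAN's longer domains win."""
    vpn = Connection("vpn0", "10.8.0.1", ["~."], vpn=True)
    return {q: route_query(q, [LAN, vpn]) for q in QUERIES}


def priority_fix():
    """dns-priority=-1 makes the VPN resolver exclusive for every name."""
    vpn = Connection("vpn0", "10.8.0.1", ["~."], priority=-1, vpn=True)
    return {q: route_query(q, [LAN, vpn]) for q in QUERIES}


def search_fix():
    """Workaround from the report: list the AD domains on the VPN as well."""
    vpn = Connection("vpn0", "10.8.0.1", ["~.", "dom.company.com", "company.com"], vpn=True)
    return {q: route_query(q, [LAN, vpn]) for q in QUERIES}


if __name__ == "__main__":
    for label, fn in (("default", leaking_setup), ("priority -1", priority_fix),
                      ("search workaround", search_fix)):
        print(label, fn())
```

In the default configuration the two corporate names route to eth0, which is the leak; with dns-priority=-1 or with the search-domain workaround all three route to vpn0. The search-domain workaround only holds as long as the local network hands out no other domains, exactly the condition the report relies on; on a real host the per-link routing that this model predicts can be read back with `resolvectl status` when systemd-resolved is in use.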

-- 
You received this bug notification because you are a member of Network-manager,
which is subscribed to NetworkManager.
https://bugs.launchpad.net/bugs/1754671

Title:
  Full-tunnel VPN DNS leakage regression

More information about the ubuntu-desktop mailing list