[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

dwmw2 dwmw2 at infradead.org
Wed May 22 17:46:13 UTC 2019


This is Bionic.

After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are
using dnsmasq) reported that DNS stopped working for them while they
were on the VPN. Some internal names were looked up correctly, others
weren't.

I resolved it for them as follows:

$ sudo nmcli con modify "$COMPANY VPN" ipv4.dns-priority -1 ipv4.dns-search ~.

This matches the observations I made in comment #18 on 2019-02-04.

I believe that with 1.10.6 all $company.com DNS did get sent to the VPN
and it was lookups outside the company search domains which were leaked.
So it was mostly functional, but insecure. Since 1.10.14 it got worse
and many (but not all) of the $company.com lookups are being leaked too.
Which is a functional problem.


(For Xenial, my advice to users has been the same since March 2018 when this ticket was first filed: tell apt to hold network-manager_1.2.2-0ubuntu0.16.04.4_amd64.deb and don't let it get updated until/unless the regression is fixed.)

https://bugs.launchpad.net/bugs/1754671

More information about the ubuntu-desktop mailing list
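
A check for the two settings applied in the message above, as an added example (not part of the original post or of NetworkManager). The function name check_vpn_dns and the sample profile values are constructed; it assumes nmcli's terse `-t -f` output of `property:value` lines.

```shell
#!/bin/sh
# Added example: audit a NetworkManager VPN profile for the workaround
# from the message above (negative ipv4.dns-priority plus "~." in
# ipv4.dns-search). check_vpn_dns is a hypothetical helper name.

# Reads "property:value" lines on stdin, in the form printed by
#   nmcli -t -f ipv4.dns-priority,ipv4.dns-search con show "NAME"
# Returns 0 if both settings are present, 1 otherwise.
check_vpn_dns() {
    prio="" search=""
    while IFS= read -r line; do
        case "$line" in
            ipv4.dns-priority:*) prio=${line#ipv4.dns-priority:} ;;
            ipv4.dns-search:*)   search=${line#ipv4.dns-search:} ;;
        esac
    done
    # Multiple search domains are comma-separated; drop stray spaces.
    search=$(printf '%s' "$search" | tr -d ' ')
    rc=0
    # The priority must be an integer below zero (an empty or
    # non-numeric value fails the test and is reported as well).
    if ! [ "$prio" -lt 0 ] 2>/dev/null; then
        echo "FAIL: ipv4.dns-priority is '${prio}', expected a negative value"
        rc=1
    fi
    # "~." must appear as one complete entry of the search list.
    case ",$search," in
        *",~.,"*) ;;
        *) echo "FAIL: ipv4.dns-search is '${search}', missing '~.'"
           rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: dns-priority=${prio} dns-search=${search}"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    # Live check of the profile named on the command line.
    nmcli -t -f ipv4.dns-priority,ipv4.dns-search con show "$1" | check_vpn_dns
else
    # Constructed sample: a profile with only a company search domain.
    printf 'ipv4.dns-priority:0\nipv4.dns-search:corp.example\n' \
        | check_vpn_dns || true
fi
```

Run it with the connection name as the only argument; with no argument it evaluates the constructed sample and reports both settings as missing.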