Public bug reported:
Description: Ubuntu 20.04 LTS
Release: 20.04
network-manager:
  Installed: 1.22.10-1ubuntu1
  Candidate: 1.22.10-1ubuntu1
  Version table:
 *** 1.22.10-1ubuntu1 500
        500 http://fr.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
Connecting to an IPsec IKE VPN does not correctly update the systemd-resolved
DNS parameters: the DNS server provided by the VPN tunnel is seen by systemd-resolved but
not used to resolve DNS queries, resulting in a DNS leak. I tried to play with the
network manager priority, which has no effect: the default setting seems to be fine,
as the DNS server provided by the VPN appears on top of the DNS list shown by
"systemd-resolve --status" (result below).
I found a way to get it working by restarting the systemd-resolved
service after the VPN connection is established. I think (pure
speculation, I don't know how systemd-resolved works) systemd-resolved
evaluates which DNS server to use; the one provided by the VPN is the first one,
so it decides to use it. This evaluation should be triggered when the
tunnel is brought up.
Bringing up an IPsec IKE VPN does not create a new interface; it
uses the same interface as the default network interface where the
gateway is configured. I think a fix would be to find a way to trigger the
DNS election of systemd-resolved to update the "Current DNS Server".
Maybe it is a bug in systemd-resolved, but as I don't know how
everything works together, I chose to report it here.
You will find my network manager config for this particular IPsec tunnel
below.
Before systemctl restart systemd-resolved.service
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (eno1)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.10.1
         DNS Servers: 192.168.1.1 #DNS from VPN
                      192.168.10.1 #DNS from DHCP
          DNS Domain: lan
                      ~.
After systemctl restart systemd-resolved.service
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (eno1)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1 #DNS from VPN
                      192.168.10.1 #DNS from DHCP
          DNS Domain: lan
                      ~.
Network Manager config
[connection]
id=SomeNameForThisConnection
uuid=XXXXXXXXXXXX
type=vpn
autoconnect=false
permissions=user:someuser:;
timestamp=1590573570
[vpn]
address=some.vpn.address.com
certificate=/some/cert/for/some.vpn.address.com
encap=no
esp=aes256gcm16-ecp384
ike=aes256-sha256-prfsha256-ecp384
ipcomp=no
method=eap
password-flags=2
proposal=yes
user=some_login
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan
[ipv4]
dns-search=lan;
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore
[proxy]
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1880864
Title:
networkmanager IKE VPN connection causes DNS leak
Status in network-manager package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1880864/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
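Added example, not part of the bug report and not NetworkManager's or systemd's own code: a NetworkManager dispatcher script that turns the reporter's manual check and workaround into something that runs on every "vpn-up". It parses the per-link section of `systemd-resolve --status` (the same output shown in the report), flags the state described above (the VPN-pushed server listed first but a different server shown as "Current DNS Server"), and only then restarts systemd-resolved. The script path, the sample status text (constructed from the report's "before" output) and the assumption that NetworkManager passes the physical link name as the first argument for a strongSwan connection that creates no interface are all mine, not from the page.

```shell
#!/bin/sh
# Added example (not from the bug report or from NetworkManager): a dispatcher
# script, e.g. /etc/NetworkManager/dispatcher.d/90-resolved-vpn-dns (hypothetical
# path), that on "vpn-up" checks whether systemd-resolved is actually using the
# first-listed (VPN-pushed) DNS server of the link and applies the reporter's
# workaround (restart systemd-resolved) only when it is not.
#
# NetworkManager runs dispatcher scripts as: <script> <interface> <action>

# Constructed sample of `systemd-resolve --status` output mirroring the report's
# "before" state: the VPN server 192.168.1.1 is listed first, but the DHCP server
# 192.168.10.1 is still the Current DNS Server, so queries leak to the LAN resolver.
SAMPLE_BEFORE='Global
       LLMNR setting: no
          DNSSEC NTA: 10.in-addr.arpa
                      168.192.in-addr.arpa

Link 2 (eno1)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.10.1
         DNS Servers: 192.168.1.1 #DNS from VPN
                      192.168.10.1 #DNS from DHCP
          DNS Domain: lan
                      ~.'

# Same link after the workaround: the VPN server is now the one in use.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" \
    | sed 's/Current DNS Server: 192.168.10.1/Current DNS Server: 192.168.1.1/')

# resolved_link_state STATUS_TEXT LINK
# Prints "<Current DNS Server> <first listed DNS server>" for the named link,
# skipping the Global section and every other link. Trailing "#..." annotations
# are dropped because only the first field after the label is kept.
resolved_link_state() {
    printf '%s\n' "$1" | awk -v link="$2" '
        /^Link [0-9]+ \(/     { inlink = (index($0, "(" link ")") > 0); next }
        !inlink               { next }
        /Current DNS Server:/ { sub(/.*Current DNS Server:[ \t]*/, ""); cur = $1 }
        /DNS Servers:/        { sub(/.*DNS Servers:[ \t]*/, ""); first = $1 }
        END                   { print cur, first }'
}

# vpn_dns_leaks STATUS_TEXT LINK
# Succeeds (exit 0) when the link's current server differs from the first-listed
# one, i.e. the state the report describes as a DNS leak. Fails when the link is
# missing or the two agree.
vpn_dns_leaks() {
    state=$(resolved_link_state "$1" "$2")
    set -- $state
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Entry point when NetworkManager invokes this file. Assumption (not stated in
# the report): for a strongSwan connection that creates no interface, $1 names
# the physical link carrying the tunnel (eno1 in the report).
if [ "$#" -ge 2 ] && [ "$2" = "vpn-up" ]; then
    status=$(systemd-resolve --status 2>/dev/null) || exit 0
    if vpn_dns_leaks "$status" "$1"; then
        # Reporter's workaround, not a fix: restarting the daemon makes it
        # re-elect its server. It also drops the cache and any in-flight queries.
        logger -t resolved-vpn-dns "VPN DNS server not in use on $1, restarting systemd-resolved"
        systemctl restart systemd-resolved.service
    fi
fi
```

The restart is gated on the check so the script does nothing on a system where systemd-resolved already switched to the VPN server; the leak window between "vpn-up" and the restart still exists, so this is a mitigation for the reported behaviour, not a replacement for the fix the report asks for.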