You have been subscribed to a public bug by Jamie Strandboge (jdstrand):

Binary package hint: network-manager

If I configure a VPN in NetworkManager, the DNS servers I get via DHCP
over that VPN connection are *prepended* to /etc/resolv.conf. This is
good in that they get used first, but it's not quite enough.

Here's the scenario:

My two office DNS servers support DNSSEC validation. My ISP at home does
not.

When I connect to the VPN and try to resolve a name which fails DNSSEC
validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers
return SERVFAIL (as per DNSSEC validation behavior). This causes libc to
fail over to my ISP's DNS server. The result is that the domain name
resolves, when it should fail.

If this were a real attack instead of a test scenario, it'd have
security implications.

If I could make the VPN *replace* my DNS servers in /etc/resolv.conf,
everything would work as expected.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: 
usr/lib/NetworkManager/nm-crash-logger 
usr/lib/NetworkManager/nm-dhcp-client.action 
usr/lib/NetworkManager/nm-dispatcher.action 
usr/lib/NetworkManager/nm-avahi-autoipd.action]
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
SourcePackage: network-manager

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug lucid
-- 
NetworkManager VPN should (have an option to) replace DNS servers in 
/etc/resolv.conf
https://bugs.launchpad.net/bugs/666446
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
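
The failover described in the report above, as an added example that is not part of the original bug report or of NetworkManager or libc: a simplified model of a stub resolver walking the nameserver list, comparing a prepended resolv.conf with a replaced one. The server addresses, the answer record and all function names are constructed for illustration.

```python
# Simplified model of stub-resolver failover across resolv.conf nameservers.
# All addresses and answers below are constructed sample data.

SERVFAIL, NOERROR = "SERVFAIL", "NOERROR"

def parse_nameservers(resolv_conf):
    """Return nameserver addresses in the order the resolver will try them."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def make_server(validating, bogus_names, zone):
    """Build a fake recursive server; a validating one answers SERVFAIL for bogus names."""
    def query(name):
        if validating and name in bogus_names:
            return SERVFAIL, None
        return NOERROR, zone.get(name)
    return query

def stub_resolve(name, servers, network):
    """Try each nameserver in order; SERVFAIL moves on to the next, as in the report."""
    for addr in servers:
        rcode, answer = network[addr](name)
        if rcode == NOERROR:
            return addr, answer
    return None, None

BOGUS = {"badsign-a.test.dnssec-tools.org"}
ZONE = {"badsign-a.test.dnssec-tools.org": "192.0.2.10"}  # constructed address
NETWORK = {
    "10.0.0.1": make_server(True, BOGUS, ZONE),      # office DNS 1 (validating)
    "10.0.0.2": make_server(True, BOGUS, ZONE),      # office DNS 2 (validating)
    "192.168.1.1": make_server(False, BOGUS, ZONE),  # home ISP (no validation)
}

PREPENDED = "nameserver 10.0.0.1\nnameserver 10.0.0.2\nnameserver 192.168.1.1\n"
REPLACED = "nameserver 10.0.0.1\nnameserver 10.0.0.2\n"

def answered_by(resolv_conf, name="badsign-a.test.dnssec-tools.org"):
    """Which server (if any) ends up answering for a name that fails validation."""
    return stub_resolve(name, parse_nameservers(resolv_conf), NETWORK)

if __name__ == "__main__":
    print("prepended:", answered_by(PREPENDED))
    print("replaced: ", answered_by(REPLACED))
```

With the prepended list the non-validating server supplies the answer; with the replaced list the lookup fails, which is the behavior the report asks for.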