Hello Paul. A DNS leak means that DNS queries still hit the local DNS server
while the VPN connection is active. The DNS resolver should query only the DNS
servers defined by the VPN while the connection is active.
I did the following test:

- upgraded network-manager to 1.2.6-0ubuntu0.16.04.1
(dnsmasq-base=2.75-1ubuntu0.16.04.2)
- restarted my laptop to ensure a clean start
- connected to the VPN using openconnect / network-manager-openconnect-gnome

Observed results -> DNS queries are forwarded only to the DNS servers
defined by the LAN connection (this is wrong / the connection is not working at
all)

- "killall dnsmasq"
- dnsmasq gets automatically restarted by the system

Observed results -> most of the queries are forwarded to the DNS servers
defined by the VPN, but a lot of queries get forwarded to the DNS servers defined
by the LAN connection (this is still wrong / DNS leaks; an attacker can hijack the
connection even if the VPN is enabled)

- I downgraded network-manager back to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base
stays the same)
- restarted my laptop to ensure a clean test
- connected to the same VPN using openconnect

Observed results -> DNS queries are forwarded only to the DNS servers
defined by the VPN connection. There are no leaks to the LAN DNS server (this is
the correct behavior).

==============

DNS leaks are bad for several reasons. The most important ones are that they
provide visibility of host names to a possibly untrusted network and give the
ability to hijack connections. When I connect to a VPN server I expect that
all traffic hits only that particular VPN server / gateway. If there is a query
for "secure-company-server.example.com" and this hits the DNS on the LAN, then we
are instantly leaking secured names. If the LAN DNS server responds to this
(or the response is spoofed) then the connection will be made outside of the VPN
environment. This effectively kills the security of the VPN connection ...

==============

FYI: I am currently in an environment where DHCP sets DNS servers but policy
denies connections to them (don't ask why). Therefore it is much more visible
if queries get forwarded to the LAN DNS server, just because they never get
responded to ... this may be the reason why some folks here claim that the fix
is working. If the LAN DNS server responds with something then there is no
visibility of the problem ...

==============

FYI2: all tests for this update were monitored with wireshark ... just to
not confuse this with the previous "fyi" comment

==============

Lukas

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1639776

Title:
  name resolution (dnsmasq) fails to send queries out after
  suspend/resume reconnects the interface

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
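The leak test Lukas describes above (capture DNS traffic while the VPN is up and check which resolver each query goes to) can be automated. The script below is an added example and is not code from the bug report, from Ubuntu or from NetworkManager. It parses the query lines of `tcpdump -n` output on udp port 53, treats every query sent to a resolver outside the VPN-pushed set as a leak, and reports the leaked names per LAN resolver. The VPN resolver addresses (10.8.0.1, 10.8.0.2), the LAN resolvers (192.168.1.1, 192.168.1.254) and the capture lines in `SAMPLE` are constructed for the example; on a real system take the VPN resolvers from the VPN connection settings.

```python
#!/usr/bin/env python3
"""Classify DNS queries seen by tcpdump as going to VPN resolvers or leaking elsewhere.

Added example, not code from the bug report. It assumes `tcpdump -n` line output
on udp port 53; the resolver addresses and the sample capture below are constructed.
"""
import re
import sys
from collections import defaultdict

# Hypothetical resolvers pushed by the VPN; on a real system take them from the
# VPN connection (for example `nmcli connection show <vpn>` on NetworkManager).
VPN_DNS = {"10.8.0.1", "10.8.0.2"}

# Matches the query form of `tcpdump -n` DNS output, e.g.
#   IP 192.168.1.23.51234 > 10.8.0.1.53: 11111+ A? intranet.example.com. (38)
# Response lines ("11111 1/0/0 A ...") do not match: the "<type>? <name>" part is absent.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)"
)


def parse_queries(lines):
    """Yield (resolver_ip, qtype, name) for every DNS query line in `lines`."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None or m.group("dport") != "53":
            continue
        yield m.group("dst"), m.group("qtype"), m.group("name").rstrip(".")


def find_leaks(lines, vpn_dns):
    """Return (total_queries, leaks): `leaks` maps each resolver that is not in
    `vpn_dns` to the sorted list of names that were sent to it."""
    leaks = defaultdict(set)
    total = 0
    for resolver, _qtype, name in parse_queries(lines):
        total += 1
        if resolver not in vpn_dns:
            leaks[resolver].add(name)
    return total, {ip: sorted(names) for ip, names in leaks.items()}


def report(total, leaks):
    """Human-readable summary; an empty `leaks` dict means no leak was observed."""
    if not leaks:
        return f"{total} DNS queries, all sent to VPN resolvers: no leak"
    out = [f"{total} DNS queries, {sum(len(n) for n in leaks.values())} leaked name(s):"]
    for ip in sorted(leaks):
        for name in leaks[ip]:
            out.append(f"  LEAK -> {ip}: {name}")
    return "\n".join(out)


# Constructed sample in `tcpdump -n udp port 53` format: one VPN resolver at
# 10.8.0.1 and two LAN (DHCP) resolvers at 192.168.1.1 and 192.168.1.254.
SAMPLE = """\
10:15:01.000001 IP 192.168.1.23.51234 > 10.8.0.1.53: 11111+ A? intranet.example.com. (38)
10:15:01.000500 IP 10.8.0.1.53 > 192.168.1.23.51234: 11111 1/0/0 A 10.8.5.20 (54)
10:15:02.000001 IP 192.168.1.23.51235 > 192.168.1.1.53: 22222+ A? secure-company-server.example.com. (51)
10:15:02.000002 IP 192.168.1.23.51236 > 10.8.0.1.53: 33333+ AAAA? intranet.example.com. (38)
10:15:03.000001 IP 192.168.1.23.51237 > 192.168.1.1.53: 44444+ A? secure-company-server.example.com. (51)
10:15:04.000001 IP 192.168.1.23.51238 > 192.168.1.254.53: 55555+ A? wiki.example.com. (34)
"""

if __name__ == "__main__":
    # Usage: sudo tcpdump -l -n -i any udp port 53 | python3 dns_leak_check.py 10.8.0.1 10.8.0.2
    # With no piped input the constructed sample is analysed instead.
    allowed = set(sys.argv[1:]) or VPN_DNS
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print(report(*find_leaks(source, allowed)))
```

Run it against a live capture for the duration of the test (connect to the VPN, resolve a few internal names, suspend/resume, resolve again): any `LEAK ->` line names a resolver that dnsmasq should not have been using while the VPN was up. Note the point Lukas makes about his environment: the script classifies by destination, so it reports a leak whether or not the LAN resolver ever answers, which is exactly the case a plain "does resolution work" check misses.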