← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1592721] Re: Don't write search domains to resolv.conf in the case of split DNS

 

** Description changed:

+ [Impact]
+ All VPN users meaning to use split-tunnelling in a situation where leaking DNS data to the internet about what might be behind their VPN is undesirable.
+ 
+ [Test case]
+ 1) connect to VPN
+ 2) Use dig to request a name that should be on the VPN
+ 3) Verify (kill -USR1 the dnsmasq binary from NM) that the request has only gone through the VPN nameservers (only its request number should have increased by one)
+ 4) Use dig to request a name off-VPN, such as google.com.
+ 5) Verify (kill -USR1 again) that the request has caused the non-VPN nameserver request number to increase, and that the VPN number has not increased.
+ 
+ It is easier to verify this when there is as little traffic as possible
+ on the system, to avoid spurious DNS requests which would make it harder
+ to validate the counters.
+ 
+ [Regression potential]
+ This change modifies the way in which DNS nameservers and search domains are passed to dnsmasq, as such, if a VPN is configured in a non-standard way and intended to be used to resolve all network requests (which is typically not the case for split-tunnelling) or if the public network is intended to always resolve all requests while the VPN still provides search domains, one might observe incorrect behavior.
+ 
+ Possible failure cases would include failure to resolve names correctly
+ (resulting in NXDOMAIN or REFUSED from dnsmasq) or resolving to the
+ incorrect values (if the wrong nameserver is used).
+ 
+ ---
+ 
  Currently, NM will write all search domains to both any DNS-handling
  plugins running, and also to resolv.conf / resolvconf; in all cases.
  
  The issue is that doing so means that in the split-DNS case on VPNs, you
  might get a negative response from all nameservers, then a new request
  by glibc with the search tacked on, to nameservers again, which might
  cause DNS requests for "private" resources (say, on the VPN) to be sent
  to external, untrusted resolvers, or for DNS queries not meant for VPN
  nameservers to be sent through the VPN anyway.
  
  This is fixable in the case where we have a caching plugin running (such
  as dnsmasq). dnsmasq will already know about the search domains and use
  that to limit queries to the right nameservers when a VPN is running.
  Writing search domains to resolv.conf is unnecessary in this case.
  
  We should still write search domains if no caching gets done, as we then
  need to expect glibc to send requests as it otherwise would.

** Also affects: network-manager (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: network-manager (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: network-manager (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: network-manager (Ubuntu Xenial)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1592721

Title:
  Don't write search domains to resolv.conf in the case of split DNS

Status in network-manager package in Ubuntu:
  Fix Released
Status in network-manager source package in Xenial:
  In Progress

Bug description:
  [Impact]
  All VPN users meaning to use split-tunnelling in a situation where leaking DNS data to the internet about what might be behind their VPN is undesirable.

  [Test case]
  1) connect to VPN
  2) Use dig to request a name that should be on the VPN
  3) Verify (kill -USR1 the dnsmasq binary from NM) that the request has only gone through the VPN nameservers (only its request number should have increased by one)
  4) Use dig to request a name off-VPN, such as google.com.
  5) Verify (kill -USR1 again) that the request has caused the non-VPN nameserver request number to increase, and that the VPN number has not increased.

  It is easier to verify this when there is as little traffic as
  possible on the system, to avoid spurious DNS requests which would
  make it harder to validate the counters.

  [Regression potential]
  This change modifies the way in which DNS nameservers and search domains are passed to dnsmasq, as such, if a VPN is configured in a non-standard way and intended to be used to resolve all network requests (which is typically not the case for split-tunnelling) or if the public network is intended to always resolve all requests while the VPN still provides search domains, one might observe incorrect behavior.

  Possible failure cases would include failure to resolve names
  correctly (resulting in NXDOMAIN or REFUSED from dnsmasq) or resolving
  to the incorrect values (if the wrong nameserver is used).

  ---

  Currently, NM will write all search domains to both any DNS-handling
  plugins running, and also to resolv.conf / resolvconf; in all cases.

  The issue is that doing so means that in the split-DNS case on VPNs,
  you might get a negative response from all nameservers, then a new
  request by glibc with the search tacked on, to nameservers again,
  which might cause DNS requests for "private" resources (say, on the
  VPN) to be sent to external, untrusted resolvers, or for DNS queries
  not meant for VPN nameservers to be sent through the VPN anyway.

  This is fixable in the case where we have a caching plugin running
  (such as dnsmasq). dnsmasq will already know about the search domains
  and use that to limit queries to the right nameservers when a VPN is
  running. Writing search domains to resolv.conf is unnecessary in this
  case.

  We should still write search domains if no caching gets done, as we
  then need to expect glibc to send requests as it otherwise would.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1592721/+subscriptions