NetworkManager VPN should offer an option to use *only* VPN nameservers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
NetworkManager | Confirmed | Medium | |
network-manager (Ubuntu) | Triaged | Wishlist | Unassigned |
Bug Description
Binary package hint: network-manager
If I configure a VPN in NetworkManager, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.
Here's the scenario:
My two office DNS servers support DNSSEC validation. My ISP at home does not.
When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-
If this were a real attack instead of a test scenario, it'd have security implications.
If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/
ProcVersionSign
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/
SourcePackage: network-manager
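A check for the condition the report describes, added here as an example (not part of the report or of NetworkManager): it lists the nameservers in a resolv.conf that are not the VPN's and that the stub resolver can still consult. The function names and all addresses are constructed for illustration; the limit of three nameservers is glibc's MAXNS.

```python
"""Audit resolv.conf content for nameservers that do not belong to the VPN."""
import ipaddress

MAXNS = 3  # glibc's stub resolver uses only the first three nameserver lines


def parse_nameservers(text):
    """Return nameserver addresses in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment lines start with '#' or ';'
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # search, domain, options, etc.
        try:
            # Drop an IPv6 scope id such as "%eth0" before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue  # skip a malformed address
    return servers


def non_vpn_nameservers(text, vpn_servers):
    """Nameservers the resolver may consult that are not in vpn_servers."""
    vpn = {ipaddress.ip_address(s) for s in vpn_servers}
    active = parse_nameservers(text)[:MAXNS]
    return [str(ns) for ns in active if ns not in vpn]


# Constructed sample: VPN servers prepended, home ISP server still listed.
PREPENDED = """\
# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 10.8.0.2
nameserver 192.0.2.53
"""
# Constructed sample: what the report asks for, VPN servers only.
REPLACED = "nameserver 10.8.0.1\nnameserver 10.8.0.2\n"
VPN = ["10.8.0.1", "10.8.0.2"]

if __name__ == "__main__":
    for name, conf in (("prepended", PREPENDED), ("replaced", REPLACED)):
        print(name, non_vpn_nameservers(conf, VPN))
```

An empty list means every nameserver the resolver can reach is one of the VPN's.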
security vulnerability: | yes → no |
visibility: | private → public |
Changed in network-manager: | |
importance: | Unknown → Medium |
status: | Unknown → New |
summary: |
- NetworkManager VPN should (have an option to) replace DNS servers in - /etc/resolv.conf + NetworkManager VPN should offer an option to use *only* VPN nameservers |
Changed in network-manager: | |
status: | New → Invalid |
Changed in network-manager: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
I agree with the reasoning, however this is a feature request and should therefore probably be discussed upstream (as on the NetworkManager mailing list: http://mail.gnome.org/mailman/listinfo/networkmanager-list ). I'm marking this bug Triaged/Wishlist, so that if I have time (or somebody else does) to tackle this problem we can track progress.
Richard, if you have time it would also be great if you could (as an alternative to mentioning this on the mailing list) open a bug to that effect on the NetworkManager bug tracker: https://bugzilla.gnome.org/browse.cgi?product=NetworkManager. It's another great way to let the NetworkManager developers know that this feature is requested. If you do, please let us know the bug number so that it can be linked to this report.
Thanks for your report!