NetworkManager VPN should offer an option to use *only* VPN nameservers

Bug #666446 reported by Richard Laager
Affects                    Status      Importance  Assigned to  Milestone
NetworkManager             Confirmed   Medium
network-manager (Ubuntu)   Triaged     Wishlist    Unassigned

Bug Description

Binary package hint: network-manager

If I configure a VPN in NetworkManager, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.

Here's the scenario:

My two office DNS servers support DNSSEC validation. My ISP at home does not.

When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name resolves, when it should fail.

If this were a real attack instead of a test scenario, it'd have security implications.

If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: network-manager 0.8-0ubuntu3 [modified: usr/lib/NetworkManager/nm-crash-logger usr/lib/NetworkManager/nm-dhcp-client.action usr/lib/NetworkManager/nm-dispatcher.action usr/lib/NetworkManager/nm-avahi-autoipd.action]
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
CRDA: Error: [Errno 2] No such file or directory
Date: Mon Oct 25 13:32:47 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha amd64 (20100113)
Keyfiles: Error: [Errno 2] No such file or directory
ProcEnviron: Error: [Errno 13] Permission denied: '/proc/24718/environ'
SourcePackage: network-manager
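The failover described in the report, modelled as an added example (this is not code from the report or from NetworkManager). It mimics the query loop in glibc's stub resolver: the nameserver lines of /etc/resolv.conf are tried in order (at most MAXNS = 3 of them), a SERVFAIL (like REFUSED or NOTIMP) reply makes the resolver move on to the next server, and only NOERROR or NXDOMAIN ends the search. The resolv.conf contents, the server addresses, the per-server behaviour and the answer addresses are all constructed for the demonstration; what is taken from the report is that the office servers validate DNSSEC and the ISP server does not.

```python
"""Model of glibc resolver failover between prepended VPN and ISP nameservers.

Added example, not code from the bug report or from NetworkManager. All
addresses and server behaviour below are constructed for the demonstration.
"""

from typing import Callable, List, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = "NOERROR", "SERVFAIL", "NXDOMAIN"
MAXNS = 3  # glibc only consults the first three "nameserver" lines

# Constructed: what NetworkManager 0.8 leaves in /etc/resolv.conf once the
# VPN is up. The two office servers are prepended, the ISP server remains,
# and all three are within the MAXNS window glibc actually uses.
PREPENDED_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 10.8.0.2
nameserver 10.8.0.3
nameserver 192.168.1.1
options timeout:2 attempts:2
"""

VPN_NAMESERVERS = ["10.8.0.2", "10.8.0.3"]    # assumed: validate DNSSEC
ISP_NAMESERVER = "192.168.1.1"                # assumed: does not validate
BAD_NAME = "badsign-a.test.dnssec-tools.org"  # name with a broken signature

Reply = Tuple[str, Optional[str]]


def constructed_server(server: str, name: str) -> Reply:
    """Constructed upstream behaviour: a validating server answers SERVFAIL
    for the badly signed name; the non-validating ISP server hands back an
    address (192.0.2.66 is a documentation address, not the real record)."""
    if name == BAD_NAME:
        if server in VPN_NAMESERVERS:
            return (SERVFAIL, None)
        return (NOERROR, "192.0.2.66")
    if name == "www.example.com":
        return (NOERROR, "192.0.2.1")  # constructed answer
    return (NXDOMAIN, None)


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses in file order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def libc_resolve(resolv_conf: str, name: str,
                 ask: Callable[[str, str], Reply] = constructed_server
                 ) -> Tuple[str, Optional[str], Optional[str]]:
    """glibc-style loop. Returns (rcode, address, server giving the final
    answer). SERVFAIL is not final: the next server in the file is tried."""
    last: Tuple[str, Optional[str], Optional[str]] = (SERVFAIL, None, None)
    for server in parse_resolv_conf(resolv_conf)[:MAXNS]:
        rcode, addr = ask(server, name)
        last = (rcode, addr, server)
        if rcode in (NOERROR, NXDOMAIN):  # definitive outcome: stop here
            return last
        # SERVFAIL: fall through and ask the next nameserver
    return last


def vpn_only_resolv_conf(vpn_nameservers: List[str],
                         options: str = "timeout:2 attempts:2") -> str:
    """The file the reporter asks for: only the VPN's servers, so there is
    nothing non-validating left to fail over to. Constructed layout;
    NetworkManager does not generate this."""
    lines = ["# VPN-only resolv.conf (constructed example)"]
    lines += ["nameserver %s" % ns for ns in vpn_nameservers[:MAXNS]]
    lines.append("options %s" % options)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("prepended:", libc_resolve(PREPENDED_RESOLV_CONF, BAD_NAME))
    print("vpn-only: ", libc_resolve(vpn_only_resolv_conf(VPN_NAMESERVERS), BAD_NAME))
```

With the prepended file the badly signed name comes back NOERROR from 192.168.1.1 after both office servers said SERVFAIL, which is the bypass the report describes; with the VPN-only file the final outcome is SERVFAIL from the last office server. Two caveats the model makes visible: glibc's MAXNS limit means prepending only pushes the ISP server out of reach if the VPN supplies three or more nameservers, which it does not here; and with a VPN-only file an office server that is merely unreachable produces SERVFAIL for every name, which is the intended failure rather than a silent fallback. The model ignores timeouts, retries and the rotate option.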

Richard Laager (rlaager) wrote :
description: updated
security vulnerability: yes → no
visibility: private → public
Mathieu Trudel-Lapierre (cyphermox) wrote :

I agree with the reasoning; however, this is a feature request and should therefore probably be discussed upstream (as on the NetworkManager mailing list: http://mail.gnome.org/mailman/listinfo/networkmanager-list ). I'm marking this bug Triaged/Wishlist, so that if I have time (or somebody else does) to tackle this problem we can track progress.

Richard, if you have time it would also be great if you could (as an alternative to mentioning this on the mailing list) open a bug to that effect on the NetworkManager bug tracker: https://bugzilla.gnome.org/browse.cgi?product=NetworkManager. It's another great way to let the NetworkManager developers know that this feature is requested. If you do, please let us know the bug number so that it can be linked to this report.

Thanks for your report!

Changed in network-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Changed in network-manager:
importance: Unknown → Medium
status: Unknown → New
Thomas Hood (jdthood)
summary: - NetworkManager VPN should (have an option to) replace DNS servers in
- /etc/resolv.conf
+ NetworkManager VPN should offer an option to use *only* VPN nameservers
Changed in network-manager:
status: New → Invalid
Thomas Hood (jdthood) wrote :

Change upstream bug report URL

Changed in network-manager:
importance: Medium → Unknown
status: Invalid → Unknown
Changed in network-manager:
importance: Unknown → Medium
status: Unknown → Confirmed
dwmw2 (dwmw2) wrote :

I don't think this should be considered a 'feature request'. If you have a full-tunnel VPN, your employer will *expect* all your network traffic to go via the VPN as if you were dialled directly into the corporate network. Allowing some of the DNS traffic to "escape" to be seen by potentially malicious local DNS servers is utterly wrong.

In particular I don't agree this is a 'feature request' for 16.04 because it *used* to work there.
You fixed it once with this patch:
http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch

That patch got dropped in an update, so this isn't just a security problem but also a regression in 16.04.

cf. https://bugzilla.gnome.org/show_bug.cgi?id=746422
    https://bugzilla.redhat.com/show_bug.cgi?id=1553634
