Networkmanager VPN DNS leak on 16.04

Asked by Emmanuel Dupont

Hi,
After connecting the VPN

# killall -USR1 dnsmasq

# tail syslog.log
...
Jul 13 02:18:56 tp dnsmasq[1476]: time 1499905136
Jul 13 02:18:56 tp dnsmasq[1476]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Jul 13 02:18:56 tp dnsmasq[1476]: queries forwarded 154, queries answered locally 1
Jul 13 02:18:56 tp dnsmasq[1476]: queries for authoritative zones 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.1#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.2#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 192.168.0.254#53: queries sent 12, retried or failed 0

The first two name servers are provided by the VPN connection.
The last one, 192.168.0.254, is running on my local router and forwards requests to my ISP (this is the default name server when the VPN is not activated).

When I query the DNS, queries are sent to each name server, which leaks DNS information to my ISP.
I validated that by means of tcpdump on the eth and tun interfaces and also by using this site: https://www.dnsleaktest.com/

It is not clear to me if dnsmasq is keeping the local network DNS information and then adds the VPN name servers, or if dnsmasq is receiving the name server information from both the local and VPN DHCP sources.

I tried to force the DNS server IPs in the VPN configuration (edit VPN connection -> IPv4 -> Automatic (Addresses only) ...) but the result is the same.

I would like to have the local DNS removed when the VPN is connected and restored when the VPN is disconnected.

How can it be solved?
Is it a bug?
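The dnsmasq statistics block above is the evidence the question relies on, but the "queries sent" counters are cumulative since the dnsmasq process started, so a non-zero count on the router address does not by itself prove that queries left the tunnel after the VPN came up. The following script is an added example (it is not part of the question or of Ubuntu's NetworkManager/dnsmasq tooling) that parses two such dumps, taken with `killall -USR1 dnsmasq` before and after some browsing over the VPN, and reports which upstreams outside the VPN-provided set had their counter grow in between. The VPN server addresses 198.18.0.1 and 198.18.0.2 and the first dump are taken from the question; the second dump is constructed for the example.

```python
import re
from typing import Dict, Set

# Constructed sample data: the dnsmasq statistics lines from the question, as dnsmasq
# writes them to syslog when it receives SIGUSR1 (sudo killall -USR1 dnsmasq).
DUMP_AFTER_VPN_UP = """\
Jul 13 02:18:56 tp dnsmasq[1476]: queries forwarded 154, queries answered locally 1
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.1#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 198.18.0.2#53: queries sent 0, retried or failed 0
Jul 13 02:18:56 tp dnsmasq[1476]: server 192.168.0.254#53: queries sent 12, retried or failed 0
"""

# Constructed second dump from the same dnsmasq process, taken later with the VPN still up.
DUMP_LATER = """\
Jul 13 02:25:10 tp dnsmasq[1476]: server 198.18.0.1#53: queries sent 0, retried or failed 0
Jul 13 02:25:10 tp dnsmasq[1476]: server 198.18.0.2#53: queries sent 0, retried or failed 0
Jul 13 02:25:10 tp dnsmasq[1476]: server 192.168.0.254#53: queries sent 27, retried or failed 0
"""

# Name servers pushed by the VPN, as listed in the question. Any other upstream
# is reached outside the tunnel.
VPN_SERVERS: Set[str] = {"198.18.0.1", "198.18.0.2"}

# One "server <ip>#<port>: queries sent N, retried or failed M" line per upstream.
SERVER_LINE = re.compile(
    r"dnsmasq\[\d+\]: server ([^#\s]+)#(\d+): queries sent (\d+), retried or failed (\d+)"
)


def parse_upstream_stats(syslog_text: str) -> Dict[str, int]:
    """Map each upstream ('ip#port') to its cumulative 'queries sent' counter."""
    stats: Dict[str, int] = {}
    for line in syslog_text.splitlines():
        m = SERVER_LINE.search(line)
        if m:
            stats[f"{m.group(1)}#{m.group(2)}"] = int(m.group(3))
    return stats


def non_vpn_upstreams(stats: Dict[str, int], vpn_servers: Set[str]) -> Dict[str, int]:
    """Upstreams dnsmasq still has configured that the VPN did not provide.

    Their presence alone is the misconfiguration; a non-zero counter shows they
    have been used at some point since dnsmasq started (possibly before the VPN).
    """
    return {srv: n for srv, n in stats.items() if srv.split("#")[0] not in vpn_servers}


def queries_leaked_between(before: Dict[str, int], after: Dict[str, int],
                           vpn_servers: Set[str]) -> Dict[str, int]:
    """Counter growth on non-VPN upstreams between two dumps.

    Counters are cumulative per dnsmasq process, so both dumps must come from the
    same PID; a restart resets them to zero and would make the delta meaningless.
    Any positive delta here is a query that left the tunnel while the VPN was up.
    """
    leaked: Dict[str, int] = {}
    for srv, n_after in after.items():
        if srv.split("#")[0] in vpn_servers:
            continue
        delta = n_after - before.get(srv, 0)
        if delta > 0:
            leaked[srv] = delta
    return leaked


if __name__ == "__main__":
    first = parse_upstream_stats(DUMP_AFTER_VPN_UP)
    second = parse_upstream_stats(DUMP_LATER)
    print("non-VPN upstreams configured:", non_vpn_upstreams(first, VPN_SERVERS))
    print("queries sent outside the tunnel between dumps:",
          queries_leaked_between(first, second, VPN_SERVERS))
```

On a real system, replace the two embedded strings with the corresponding excerpts of `/var/log/syslog` (for example `grep 'dnsmasq\[' /var/log/syslog | tail -n 8` right after each `killall -USR1 dnsmasq`). An empty result from `queries_leaked_between` while `non_vpn_upstreams` is still non-empty means the router is configured but idle; a non-empty result confirms the leak the question describes.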

Question information
Language: English
Status: Answered
For: Ubuntu
actionparsnip (andrew-woodhead666) said:
#1

Try:

echo "nameserver 192.168.0.254" | sudo tee -a /etc/resolvconf/resolv.conf.d/head > /dev/null

Then reboot and try the VPN

Emmanuel Dupont (mahn) said:
#2

@andrew-woodhead666
I tried what you suggested but it didn't solve the problem.

After reboot:
% cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.254
nameserver 127.0.1.1

After connecting to the VPN:
% cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.254
nameserver 127.0.1.1

Dnsmasq still has both the VPN and the local network name servers.
sudo killall -USR1 dnsmasq; tail syslog.log
..
Jul 13 08:47:19 tp dnsmasq[2470]: server 198.18.0.1#53: queries sent 0, retried or failed 0
Jul 13 08:47:19 tp dnsmasq[2470]: server 198.18.0.2#53: queries sent 0, retried or failed 0
Jul 13 08:47:19 tp dnsmasq[2470]: server 192.168.0.254#53: queries sent 0, retried or failed 0

That would not solve the leak problem, as my local network DNS would be put in front in resolv.conf, and additionally it is still present in dnsmasq after the VPN connection is established.

actionparsnip (andrew-woodhead666) said:
#3

Yes but you forced the local DNS to the top. Is resolution of local systems faster now?

Emmanuel Dupont (mahn) said:
#4

Sorry, I didn't make myself clear (I do apologize for my syntax).
The problem is "information leaking".
It is a matter of having network requests going not only to the VPN name server but also to the ISP's name server.
That makes the private network operations public.

I think I will need to set some IP filtering here, but I really would prefer not to have a non-standard Ubuntu configuration; it makes upgrades more difficult.

actionparsnip (andrew-woodhead666) said:
#5

Adding filters doesn't make the install non-standard.

Emmanuel Dupont (mahn) said:
#6

Thank you for the help. I will set filters, but that's a workaround.
