DNS leaks still appear
cryzed opened this issue · 3 comments
Hey, unfortunately I've had some troubles with this script. The problem is that, however I configure my system, the IP of my local nameserver still appears in /etc/resolve.conf. For example with my VPN disabled:
# Generated by resolvconf
nameserver 192.168.0.1
And enabled:
# Generated by resolvconf
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1
While the second version looks good, it isn't at all:
If there are multiple servers, the resolver library queries them in the order listed. If no nameserver entries are present, the default is to use the name server on the local machine. (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)
(Source: http://man7.org/linux/man-pages/man5/resolv.conf.5.html)
So as I understand it, the only thing required for DNS leaks to happen is that the VPN's DNS servers aren't reachable, until eventually the local DNS nameserver entry is cycled to and used.
Also see this discussion about the same issue. I suspected too that dhcpdc might be the cause for the nameserver entry, but it isn't:
$ resolvconf -l
# resolv.conf from NetworkManager
# Generated by NetworkManager
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1
Seemingly all entries are provided by the NetworkManager. The local nameserver is provided by the configured wired connection I am using, and the others by the DNS server I subsequently connect to. Considering this, OpenVPN seems to popualte the foreign_option_* environment variables in reverse order, which results in the current behavior. The (imho) correct behavior would be to have the local nameserver completely removed and only list the VPN's DNS servers.
Is this my fault? Am I misconfiguring or misunderstand something?
EDIT: I just read some more about the environment variables set by OpenVPN, and even ran OpenVPN manually with my configured VPN -- Only the two addresses are pushed by my VPN after all, I'm not sure how my local DNS address even ends up in /etc/resolv.conf. Any ideas?
EDIT2: Seems like this NetworkManager's fault -- The update-resolv-conf script doesn't even seem to be needed when connecting to the VPN using it, it automatically sets the pushed VPN DNS addresses, unfortunately it doesn't remove the local DNS addresses.
If someone is interested, I solved this issue with the following workaround:
#!/bin/bash
#/etc/NetworkManager/dispatcher.d/pia-vpn
interface="$1"
status=$2
case $status in
vpn-up)
if [[ $interface == "tun0" ]]; then
chattr -i /etc/resolv.conf
echo -e "nameserver 209.222.18.222\nnameserver 209.222.18.218" > /etc/resolv.conf
chattr +i /etc/resolv.conf
fi
;;
vpn-down)
if [[ $interface == "tun0" ]]; then
chattr -i /etc/resolv.conf
fi
;;
esac
This is hacky though, it would be really cool if we found a proper fix, so that providing the exclusive flag -x is enough.
On another side, using this method instead of -x flag somewhat helps with #18, in my case the corporate VPN run on ppp0 interface, while PIA VPN runs on tun0, and so given the conditions in the script the DNS is not exlusive for the corporate VPN.
EDIT2: Seems like this NetworkManager's fault -- The update-resolv-conf script doesn't even seem to be needed when connecting to the VPN using it, it automatically sets the pushed VPN DNS addresses, unfortunately it doesn't remove the local DNS addresses.
@cryzed Is there an open issue for NetworkManager or discussion thread concerning this?
Yes, I created an issue somewhere in the NetworkManager bugtracker (which doesn't allow Google to index it so I can't find the issue), and similar problems can be found all over the internet. I decided that using NetworkManager for VPN things is completely unreliable for many reasons, not just this one.
I set # chattr +i /etc/resolv.conf and ended up running my own local Unbound DNS resolver and use OpenVPN systemd units directly to turn the VPS on/off now, which works and forces all applications to use the single entry specified in my resolv.conf.
The NetworkManager bug tracker seems completely dead and no one really pays attention to it, IIRC.