Bug 637894 - NetworkManager VPN should (have an option to) replace DNS servers in /etc/resolv.conf
Status: RESOLVED DUPLICATE of bug 656260
Product: NetworkManager
Classification: Platform
Component: VPN: pptp
Version: 0.8.x
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Dan Williams
QA Contact: Dan Williams
Depends on:
Blocks:
Reported: 2010-12-23 20:12 UTC by Richard Laager
Modified: 2016-03-11 17:42 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Richard Laager 2010-12-23 20:12:42 UTC
If I configure a (PPTP) VPN in NetworkManager, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.

Here's the scenario:

My two office DNS servers support DNSSEC validation. My ISP at home does not.

When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name resolves, when it should fail.

If this were a real attack instead of a test scenario, it'd have security implications.

If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.
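The fail-over the reporter describes, as an added example that is not part of the original report and not NetworkManager's code: a small model of how the glibc stub resolver walks the `nameserver` entries in /etc/resolv.conf. A SERVFAIL (like NOTIMP or REFUSED) makes it try the next server, so a non-validating resolver listed after the validating ones silently supplies the answer the validators refused; once the VPN's servers are the only ones in the file, the lookup fails as it should. The server addresses, the answers and the resolved address are constructed for illustration; only the name badsign-a.test.dnssec-tools.org comes from the report.

```python
"""
Added example: a model of glibc's res_send() walking /etc/resolv.conf.
Not code from NetworkManager or from the bug report. All addresses and
answers below are constructed; the behaviour modelled is glibc's rule
that SERVFAIL/NOTIMP/REFUSED move on to the next nameserver while
NOERROR and NXDOMAIN are final, and that at most MAXNS (3) servers are used.
"""
from typing import List, Optional, Tuple

MAXNS = 3  # glibc's compile-time cap on nameservers read from resolv.conf

# Constructed: two office resolvers that validate DNSSEC (reached over the
# VPN) and the home ISP's resolver, which does not validate.
VALIDATING_SERVERS = {"10.0.0.53", "10.0.0.54"}
ISP_SERVER = "192.0.2.1"

# Constructed zone data. The first name's signature is broken, so a
# validating resolver answers SERVFAIL while a non-validating one hands
# out the address anyway.
BROKEN_SIGNATURE = {"badsign-a.test.dnssec-tools.org"}
ADDRESSES = {
    "badsign-a.test.dnssec-tools.org": "203.0.113.10",
    "www.example.org": "203.0.113.20",
}

# What NetworkManager writes when it *prepends* the VPN's servers ...
RESOLV_CONF_PREPENDED = """\
# Generated by NetworkManager (constructed)
nameserver 10.0.0.53
nameserver 10.0.0.54
nameserver 192.0.2.1
"""

# ... and what it would write if it *replaced* the ISP's server instead.
RESOLV_CONF_REPLACED = """\
# Generated by NetworkManager (constructed)
nameserver 10.0.0.53
nameserver 10.0.0.54
"""


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Nameserver addresses in file order, ignoring comments, capped at MAXNS."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers[:MAXNS]


def query(server: str, name: str) -> Tuple[str, Optional[str]]:
    """Constructed stand-in for one query to `server`: returns (rcode, address)."""
    if name not in ADDRESSES:
        return ("NXDOMAIN", None)
    if server in VALIDATING_SERVERS and name in BROKEN_SIGNATURE:
        return ("SERVFAIL", None)  # validation failure, as the reporter saw
    return ("NOERROR", ADDRESSES[name])


def resolve(resolv_conf: str, name: str) -> Tuple[str, Optional[str], Optional[str]]:
    """
    Walk the nameserver list the way glibc does: SERVFAIL, NOTIMP and REFUSED
    fall over to the next server; NOERROR and NXDOMAIN end the lookup.
    Returns (rcode, address, server that produced the final result).
    """
    last: Tuple[str, Optional[str], Optional[str]] = ("SERVFAIL", None, None)
    for server in parse_nameservers(resolv_conf):
        rcode, addr = query(server, name)
        if rcode in ("SERVFAIL", "NOTIMP", "REFUSED"):
            last = (rcode, None, server)
            continue
        return (rcode, addr, server)
    return last


if __name__ == "__main__":
    bad = "badsign-a.test.dnssec-tools.org"
    # Prepended: the ISP resolver answers after both validators refused.
    print("prepended:", resolve(RESOLV_CONF_PREPENDED, bad))
    # Replaced: nothing left to fall over to, so the lookup fails.
    print("replaced: ", resolve(RESOLV_CONF_REPLACED, bad))
```

The same walk explains why ordering alone is not a defence: glibc's fail-over is not a fallback from "good" to "bad" servers, it is a retry against any server that did not give a definitive answer, so any non-validating server in the list can override a validation failure.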
Comment 1 Dan Winship 2012-07-27 13:49:43 UTC
not pptp-specific

*** This bug has been marked as a duplicate of bug 656260 ***