Bug 637894 – NetworkManager VPN should (have an option to) replace DNS servers in /etc/resolv.conf

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 637894 - NetworkManager VPN should (have an option to) replace DNS servers in /etc/resolv.conf


Summary:	NetworkManager VPN should (have an option to) replace DNS servers in /etc/res...


Status:	RESOLVED DUPLICATE of bug 656260

Product:	NetworkManager
Classification:	Platform
Component:	VPN: pptp
Version:	0.8.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Dan Williams
QA Contact:	Dan Williams

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2010-12-23 20:12 UTC by Richard Laager
Modified:	2016-03-11 17:42 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Richard Laager 2010-12-23 20:12:42 UTC

If I configure a (PPTP) VPN in NetworkManger, the DNS servers I get via DHCP over that VPN connection are *prepended* to /etc/resolv.conf. This is good in that they get used first, but it's not quite enough.

Here's the scenario:

My two office DNS servers support DNSSEC validation. My ISP at home does not.

When I connect to the VPN and try to resolve a name which fails DNSSEC validation (e.g. badsign-a.test.dnssec-tools.org), my office DNS servers return SERVFAIL (as per DNSSEC validation behavior). This causes libc to fail over to my ISP's DNS server. The result is that the domain name resolves, when it should fail.

If this were a real attack instead of a test scenario, it'd have security implications.

If I could make the VPN *replace* my DNS servers in /etc/resolv.conf, everything would work as expected.

Comment 1 Dan Winship 2012-07-27 13:49:43 UTC

not pptp-specific

*** This bug has been marked as a duplicate of bug 656260 ***