Bug 766769 - vpn with ipv6 support breaks DNS resolution completely
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: 1.0.x
Hardware/OS: Other Linux
Priority/Severity: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks:
Reported: 2016-05-22 12:17 UTC by Samuel Thibault
Modified: 2016-05-26 08:55 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
configuration file (4.75 KB, text/plain), 2016-05-22 12:17 UTC, Samuel Thibault
cert file for server (1.99 KB, text/plain), 2016-05-22 12:17 UTC, Samuel Thibault
[PATCH] helper: support IPv6 DNS servers (6.33 KB, patch), 2016-05-23 13:13 UTC, Beniamino Galvani
[PATCH] dns/dnsmasq: use servers without split DNS if no domain was received (1.52 KB, patch), 2016-05-23 13:14 UTC, Beniamino Galvani

Description Samuel Thibault 2016-05-22 12:17:12 UTC
Created attachment 328339: configuration file

Hello,

This is happening with network-manager 1.0.4 and network-manager-openvpn 0.9.10, but upgrading to 1.1.93 gets the same issue.

We have added support for ipv6 in our vpn server, and this broke DNS resolution for our clients using network-manager. We provide an open server so that you can test, I am attaching the configuration. For authentication, just use whatever login / password, anything will be accepted.

What happens is that the VPN connection succeeds, but although the server sends dhcp-option DNS 80.67.169.12, dhcp-option DNS 2001:910:800::40, dhcp-option DNS 80.67.169.40, dhcp-option DNS 2001:910:800::12, network-manager does not take the IPv6 DNS addresses into account. The consequence seems to be that network-manager turns into split-dns mode. And that happens to break DNS resolution completely: the started dnsmasq only supports the RDNS zone for the IP range of the VPN, and all other domains are rejected. I.e. ping bugzilla.gnome.org returns "unknown host bugzilla.gnome.org", while ping 209.132.180.186 works fine (as well as IPv6 addresses).

Adding the IPv6 DNS addresses by hand in the IPv6 part of the configuration of the VPN works around the issue: there is no split-dns mode any more, everything works fine. That's however not a proper fix, network-manager should just automatically take what the server provides.

Samuel
Comment 1 Samuel Thibault 2016-05-22 12:17:39 UTC
Created attachment 328340: cert file for server
Comment 2 Beniamino Galvani 2016-05-23 09:41:17 UTC
(In reply to Samuel Thibault from comment #0)

> What happens is that the VPN connection succeeds, but although the server
> sends dhcp-option DNS 80.67.169.12, dhcp-option DNS 2001:910:800::40,
> dhcp-option DNS 80.67.169.40, dhcp-option DNS 2001:910:800::12,
> network-manager does not take the IPv6 DNS addresses into account. The
> consequence seems to be that network-manager turns into split-dns mode. And
> that happens to break DNS resolution completely, the started dnsmasq only
> supports the RDNS zone for the IP range of the VPN, and all other domains
> are rejected. I.e. ping bugzilla.gnome.org returns "unknown host
> bugzilla.gnome.org", while ping 209.132.180.186 works fine (as well as IPv6
> addresses)

Are you using dns=dnsmasq with NM? Does it work if you switch to dns=none?

Also, do you push a DNS domain/search list?

It looks like at the moment, when dnsmasq is enabled, NM always uses
split DNS for VPNs; but if the server doesn't push a domain only an
entry for reverse queries gets added:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c?id=d3d648f9ef1086fdba8f5c320b380ff962f674db#n74

The fix is probably to unconditionally add the nameserver pushed by
server without split DNS if the server didn't push any domain.

Also, the feature in bug 746422 would be helpful since it would allow
to disable split DNS for VPNs having the default route.
Comment 3 Beniamino Galvani 2016-05-23 09:48:16 UTC
Also, we don't support IPv6 addresses in "dhcp-option DNS" ATM, while openvpn client scripts support them.
Comment 4 Beniamino Galvani 2016-05-23 13:13:11 UTC
Created attachment 328389: [PATCH] helper: support IPv6 DNS servers

Patch for network-manager-openvpn.
Comment 5 Beniamino Galvani 2016-05-23 13:14:49 UTC
Created attachment 328390: [PATCH] dns/dnsmasq: use servers without split DNS if no domain was received

Patch for NM master.
Comment 6 Beniamino Galvani 2016-05-23 13:17:58 UTC
The first patch adds support to the nm-openvpn plugin for parsing IPv6 DNS servers pushed through "dhcp-option DNS". The second one fixes NM to add the received DNS servers to dnsmasq without split DNS if the server didn't supply any domain.

These two patches should fix the issue, do you have a way to recompile and test them?
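An added illustration, not code from this thread or from NetworkManager/network-manager-openvpn: a small Python model of the two behaviours the patches in comments 4 and 5 change, parsing the pushed "dhcp-option DNS" values with and without IPv6 support, and generating the dnsmasq server= lines with and without the "no pushed domain means no split DNS" rule from comment 2. The VPN subnet 10.8.0.0/24 and the server= line format are assumptions; NM's real dnsmasq configuration is not reproduced here.

```python
import ipaddress

# Constructed sample of what the server in this report pushes: the four
# "dhcp-option DNS" values from the description and no domain option.
PUSHED_OPTIONS = [
    "dhcp-option DNS 80.67.169.12",
    "dhcp-option DNS 2001:910:800::40",
    "dhcp-option DNS 80.67.169.40",
    "dhcp-option DNS 2001:910:800::12",
]
VPN_SUBNET = "10.8.0.0/24"  # assumed VPN address range, not from the report

def parse_dns_options(lines, ipv6_aware=True):
    """Split pushed 'dhcp-option DNS' values into IPv4 and IPv6 lists.
    ipv6_aware=False models the helper before patch 1: IPv6 entries dropped."""
    v4, v6 = [], []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[:2] != ["dhcp-option", "DNS"]:
            continue
        addr = ipaddress.ip_address(parts[2])
        if addr.version == 4:
            v4.append(str(addr))
        elif ipv6_aware:
            v6.append(str(addr))
    return v4, v6

def reverse_zone(subnet):
    """in-addr.arpa zone for an IPv4 subnet on an octet boundary."""
    net = ipaddress.ip_network(subnet)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def dnsmasq_servers(nameservers, domains, subnet, fixed=False):
    """'server=' lines NM hands to dnsmasq for one VPN. fixed=True adds the
    patch 2 rule: no pushed domain -> forward every query, not just reverse."""
    lines = []
    for ns in nameservers:
        lines += [f"server=/{dom}/{ns}" for dom in domains]
        lines.append(f"server=/{reverse_zone(subnet)}/{ns}")
        if fixed and not domains:
            lines.append(f"server={ns}")
    return lines

def resolvable(lines, name):
    """True if some server= line would forward a query for 'name'."""
    zones = [ln.split("/")[1] for ln in lines if ln.startswith("server=/")]
    return (len(zones) < len(lines)  # a plain server= line forwards any name
            or any(name == z or name.endswith("." + z) for z in zones))
```

With the old behaviour only the VPN's reverse zone is forwarded, which is exactly the "unknown host bugzilla.gnome.org" symptom in the description; with the fix, or with a pushed domain, names outside the VPN range resolve again.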
Comment 7 Samuel Thibault 2016-05-23 23:44:32 UTC
Hello,

We are using the default Ubuntu configuration, which does use dns=dnsmasq indeed. Switching to dns=none fixes the issue indeed (but that's only a workaround which we don't want to have to tell our users to do).

We are not pushing any DNS domain/search list.

The network-manager-openvpn patch alone indeed fixes the issue, and the IPv6 DNS servers are properly used.

The network-manager patch alone also fixes the issue (since we don't push any domain/search).

Could these be applied to the 1.1 branch, so that our clients get them relatively soon?

Thanks!
Comment 8 Thomas Haller 2016-05-25 15:51:49 UTC
(In reply to Beniamino Galvani from comment #4)
> Created attachment 328389
> [PATCH] helper: support IPv6 DNS servers
> 
> Patch for network-manager-openvpn.

I don't really understand why you add dns_domains both to NM_VPN_PLUGIN_IP4_CONFIG_DOMAINS and NM_VPN_PLUGIN_IP6_CONFIG_DOMAINS.
Could you explain that in a code comment?
Comment 9 Thomas Haller 2016-05-25 15:59:00 UTC
(In reply to Beniamino Galvani from comment #5)
> Created attachment 328390
> [PATCH] dns/dnsmasq: use servers without split DNS if no domain was received
> 
> Patch for NM master.

lgtm
Comment 10 Dan Williams 2016-05-25 16:17:07 UTC
Both patches LGTM.
Comment 11 Beniamino Galvani 2016-05-25 16:30:15 UTC
(In reply to Thomas Haller from comment #8)
> > [PATCH] helper: support IPv6 DNS servers
> I don't really understand why you add dns_domains both to
> NM_VPN_PLUGIN_IP4_CONFIG_DOMAINS and NM_VPN_PLUGIN_IP6_CONFIG_DOMAINS.
> Could you explain that in a code comment?

The reason is that the domain list is not specific to IPv4 and is
valid also for IPv6; we have a NMIP4Config and a NMIP6Config with
their own nameservers and domains, and when using dnsmasq we use IPv4
nameservers only for IPv4 domains and IPv6 nameservers only for IPv6
domains. In order to achieve the desired result, domains must be added
to both configurations.

How about this?

++  /* Domains apply to both IPv4 and IPv6 configurations */
+   if (has_ip6_address) {
+       val = g_variant_new_strv ((const gchar **) dns_domains->pdata, dns_domains->len);
+       g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DOMAINS, val);
+   }
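Review bot: the new comment on the `has_ip6_address` block says that domains apply to both configurations but not why they must be duplicated, which was the question in comment 8; the reason given in prose above (with dnsmasq, IPv4 nameservers serve only IPv4 domains and IPv6 nameservers only IPv6 domains, so a domain list attached to just one config leaves the other family's nameservers unused for those domains) is what a later reader needs, so consider folding it into the comment, e.g. `/* Domains apply to both IPv4 and IPv6 configurations: with dnsmasq, nameservers are used only for domains of their own address family */`. Note also that the IPv4 side of the duplication is outside this fragment, so the comment's "both" only makes sense with the surrounding code in the attachment.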
Comment 12 Thomas Haller 2016-05-25 16:34:03 UTC
(In reply to Beniamino Galvani from comment #11)

> The reason is that [...]

Understood, thanks.

> How about this?

lgtm