GNOME Bugzilla – Bug 780913
full-tunnel VPN DNS breakage
Last modified: 2017-04-05 08:51:56 UTC
I have a full-tunnel VPN. When I'm on the VPN I can't reach the DNS server advertised by the local network.

I am, unfortunately for me, using Ubuntu 16.04. On the older 1.2.2 package this works correctly:

NetworkManager[27474]: <info> [1491336108.5135] manager: NetworkManager state is now CONNECTED_GLOBAL
NetworkManager[27474]: <debug> [1491336108.5136] dns-mgr: (update_routing_and_dns): DNS configuration changed
NetworkManager[27474]: <debug> [1491336108.5138] dns-mgr: (update_routing_and_dns): no DNS changes to commit (1)
NetworkManager[27474]: <debug> [1491336108.5138] dns-mgr: (vpn_connection_activated): DNS configuration changed
NetworkManager[27474]: <debug> [1491336108.5138] dns-mgr: (vpn_connection_activated): committing DNS changes (0)
NetworkManager[27474]: <debug> [1491336108.5139] dns-mgr: update-dns: updating resolv.conf
NetworkManager[27474]: <debug> [1491336108.5139] dns-mgr: update-dns: updating plugin dnsmasq
NetworkManager[27474]: <debug> [1491336108.5139] dnsmasq[0x1e73840]: adding nameserver '10.4.4.10'
NetworkManager[27474]: <debug> [1491336108.5139] dnsmasq[0x1e73840]: trying to update dnsmasq nameservers
NetworkManager[27474]: <info> [1491336108.5140] dns-mgr: Writing DNS information to /sbin/resolvconf

Since they updated to 1.2.6, however, it fails because it *only* uses the VPN's DNS server for addresses within the default search domain, not for all lookups:

NetworkManager[19782]: <info> [1491334481.9497] manager: NetworkManager state is now CONNECTED_GLOBAL
NetworkManager[19782]: <debug> [1491334481.9498] dns-mgr: (update_routing_and_dns): DNS configuration changed
NetworkManager[19782]: <debug> [1491334481.9498] dns-mgr: (update_routing_and_dns): no DNS changes to commit (1)
NetworkManager[19782]: <debug> [1491334481.9498] dns-mgr: (vpn_connection_activated): DNS configuration changed
NetworkManager[19782]: <debug> [1491334481.9499] dns-mgr: (vpn_connection_activated): committing DNS changes (0)
NetworkManager[19782]: <debug> [1491334481.9499] dns-mgr: update-dns: updating resolv.conf
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: -1 vpn v4 vpn0 : 10.4.4.10
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 best v4 wlp2s0 <SKIP>: 4.2.2.1
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v4 enp0s31f6 <SKIP>:
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v6 enp0s31f6 <SKIP>:
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v4 lo <SKIP>:
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v6 lo <SKIP>:
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v6 wlp2s0 <SKIP>:
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v4 vpn0 <SKIP>:
NetworkManager[19782]: <trace> [1491334481.9499] dns-mgr: config: 100 default v6 vpn0 <SKIP>:
NetworkManager[19782]: <debug> [1491334481.9500] dns-mgr: update-dns: updating plugin dnsmasq
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "amazon.com"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "88.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "89.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "90.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "91.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "92.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "93.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "94.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9501] dnsmasq[0x1881500]: adding nameserver '10.4.4.10@vpn0' for domain "95.85.10.in-addr.arpa"
NetworkManager[19782]: <debug> [1491334481.9501] dnsmasq[0x1881500]: trying to update dnsmasq nameservers
NetworkManager[19782]: <info> [1491334481.9501] dns-mgr: Writing DNS information to /sbin/resolvconf

I note that this is not the first time that the default search domain has been abused by NetworkManager. The default search domain of 'amazon.com' means that if I do an unqualified lookup for 'foo', we should *try* looking for 'foo.amazon.com.' if 'foo.' does not exist. It does not mean anything more than that.

This seems to be a regression in NetworkManager 1.2.6.

I tried setting ipv4.dns-priority=-1 on the VPN connection, to force NM not to use the "local" DNS server. But that just results in an instant failure instead of a slow failure when it attempts to use an unreachable server.
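A check for the difference between the two logs above, as an added example (not part of the bug report and not NetworkManager code): it reads the dnsmasq plugin's "adding nameserver" debug lines and reports whether the VPN's DNS server was installed for all lookups or only for specific domains. The function names and result labels are hypothetical; the sample lines are abridged from the report's logs.

```python
import re
from collections import defaultdict

# dnsmasq plugin debug lines as they appear in the report, e.g.
#   dnsmasq[0x...]: adding nameserver '10.4.4.10@vpn0' for domain "amazon.com"
ADD_RE = re.compile(
    r"dnsmasq\[0x[0-9a-f]+\]: adding nameserver '(?P<server>[^']+)'"
    r'(?: for domain "(?P<domain>[^"]+)")?'
)

# Sample input, abridged from the two logs in the report.
LOG_1_2_2 = (
    "NetworkManager[27474]: <debug> [1491336108.5139] dnsmasq[0x1e73840]: "
    "adding nameserver '10.4.4.10'\n"
)
LOG_1_2_6 = (
    "NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: "
    "adding nameserver '10.4.4.10@vpn0' for domain \"amazon.com\"\n"
    "NetworkManager[19782]: <debug> [1491334481.9500] dnsmasq[0x1881500]: "
    "adding nameserver '10.4.4.10@vpn0' for domain \"88.85.10.in-addr.arpa\"\n"
)

def dnsmasq_servers(log_text):
    """Return {server_ip: {"default": bool, "domains": set}} from NM debug output."""
    servers = defaultdict(lambda: {"default": False, "domains": set()})
    for m in ADD_RE.finditer(log_text):       # also works on run-together lines
        ip = m.group("server").split("@", 1)[0]   # drop the '@iface' suffix
        if m.group("domain"):
            servers[ip]["domains"].add(m.group("domain"))
        else:
            servers[ip]["default"] = True     # no domain: used for every lookup
    return dict(servers)

def classify(log_text, vpn_dns):
    """Say how the VPN's DNS server was handed to dnsmasq."""
    servers = dnsmasq_servers(log_text)
    entry = servers.get(vpn_dns)
    if entry is None:
        return "vpn-dns-missing"
    if entry["default"]:
        return "all-lookups"                  # the 1.2.2 behaviour in the report
    # VPN server is domain-scoped; every other name goes to whatever default exists.
    others = [ip for ip, e in servers.items() if ip != vpn_dns and e["default"]]
    return "split-with-other-default" if others else "split-no-default"

if __name__ == "__main__":
    for name, log in (("1.2.2", LOG_1_2_2), ("1.2.6", LOG_1_2_6)):
        print(name, classify(log, "10.4.4.10"))
```

On a full-tunnel VPN, "split-with-other-default" is the result to watch for: names outside the listed domains would be sent to a resolver other than the VPN's.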
I don't see any commit in 1.2.6 that can cause this change in the way NM sets the domain for DNS servers. With both 1.2.2 and 1.2.6 the name servers should be added only for the VPN domain, which is the wrong behavior already described in bug 746422.

There are downstream patches in the Ubuntu package that modify the behavior of DNS manager for VPN servers and domains; probably the change you see is caused by those patches.
It looks like Ubuntu had this patch in 1.2.2 which fixed bug 746422, but has dropped it now causing the 'regression'?

http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch

We should definitely fix this upstream properly.
*** This bug has been marked as a duplicate of bug 746422 ***