[Dnssec-trigger] [Bug] incorrect DNS servers are used when network-manager connects to VPN

Paul Wouters paul at nohats.ca
Wed Sep 3 19:47:19 UTC 2014


On Wed, 3 Sep 2014, Ralf Jung wrote:

> I hope this is the right channel for a bug report, please excuse me if it
> is not.
> First of all, thanks a lot for making this awesome program. It is
> exactly what I looked for to finally use DNSSEC on my laptop :)
>
> I am having a problem though when using dnssec-trigger with
> network-manager and VPN connections. After the connection is
> established, dnssec-trigger still uses the DNS servers supplied by the
> physical "outer" connection, instead of the ones that came from the VPN.
> Thus, DNS does not work if the servers are configured to serve the local
> network only.
> I can see the following in the system journal after the VPN connection
> is established:
>
>> Sep 01 11:12:12 r-schnelltop logger[3766]: dnssec-trigger-hook(networkmanager) vpn0 vpn-up added global DNS 134.96.7.100 134.96.7.99 134.96.7.5
>
> However, these are the DNS servers of wlan0. The VPN returned a
> different set of DNS servers.
> Only after supplying the VPN-DNS-servers to dnssec-trigger-control,
> everything works as expected.
>
> I am using the packages in Debian testing, and also reported this issue
> downstream: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760147>
> The version of NM is 0.9.10.0, dnssec-trigger is at version 0.13~svn685.

In Fedora/RHEL/CentOS, we have hooks in the VPN software that check if
unbound is running, and reconfigure unbound. We have this for libreswan
IPsec and in openvpn (and I believe vpnc). What VPN software are you
using?

Here is an example (see around line 209):

https://github.com/libreswan/libreswan/blob/master/programs/_updown.netkey/_updown.netkey.in

Paul
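An added example of the kind of VPN up/down hook Paul describes; it is not taken from the libreswan _updown script linked above or from dnssec-trigger. It assumes a hypothetical `vpn_dns_hook up|down <domain> <server>...` interface, a running unbound reachable via `unbound-control`, and forwards only the VPN's own domain to the VPN resolvers (rather than replacing the global forwarders dnssec-trigger chose), validating the resolver addresses first because they are pushed by the remote VPN endpoint.

```shell
#!/bin/sh
# Example hook (not libreswan's or dnssec-trigger's code).
# Usage: vpn_dns_hook up|down <vpn-domain> <vpn-dns-server>...
# UNBOUND_CONTROL can be overridden (e.g. to "echo") for a dry run.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

unbound_running() {
    "$UNBOUND_CONTROL" status >/dev/null 2>&1
}

# Reject anything that is not a plain hostname or IPv4/IPv6 literal:
# these values come from the VPN server and end up on a control socket.
valid_domain() { case "$1" in "" | *[!A-Za-z0-9.-]*) return 1 ;; esac; }
valid_server() { case "$1" in "" | *[!0-9a-fA-F.:]*) return 1 ;; esac; }

# Print the unbound-control commands for a VPN up/down event, one per line.
vpn_forward_cmds() {
    action="$1"; domain="$2"; shift 2
    valid_domain "$domain" || return 1
    for s in "$@"; do valid_server "$s" || return 1; done
    case "$action" in
    up)
        [ $# -gt 0 ] || return 1
        # Forward only the VPN's domain to its resolvers.  +i marks the zone
        # insecure because internal zones are normally unsigned and would fail
        # validation against the public parent; drop +i if the zone is signed.
        printf 'forward_add +i %s %s\n' "$domain" "$*"
        printf 'flush_zone %s\n' "$domain"
        ;;
    down)
        printf 'forward_remove +i %s\n' "$domain"
        printf 'flush_zone %s\n' "$domain"
        ;;
    *)
        return 2
        ;;
    esac
}

# Apply the commands to the running unbound; do nothing if it is not running.
vpn_dns_hook() {
    unbound_running || return 0
    vpn_forward_cmds "$@" | while read -r line; do
        # shellcheck disable=SC2086  # intentional word splitting of our own output
        "$UNBOUND_CONTROL" $line
    done
}

if [ $# -gt 0 ]; then vpn_dns_hook "$@"; fi
```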


