DNS server resolution broken after disconnecting from Windscribe VPN #3

Closed
Nuc1eoN opened this issue Nov 13, 2018 · 7 comments

Comments

@Nuc1eoN
commented Nov 13, 2018

I don't know if this is an issue with the packaging of windscribe-cli or if it is some other issue, but my problem is that after disconnecting from windscribe my resolv.conf is empty and DNS resolution obviously fails.
I have openresolv installed but there is also systemd-resolved, maybe it's needed? The wiki also mentions some script to update resolv.conf (https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script), but I don't see why I should need some script workaround to get this simple thing working.

@hkuchampudi

Owner

commented Nov 14, 2018

Hmm...

First, systemd-resolved is part of the systemd package and is installed by default in Arch systems (see https://wiki.archlinux.org/index.php/Systemd-resolved).

What are you using to connect to your network? NetworkManager?
Are you using DHCP?
Do you have DNS resolution and Internet connectivity before connecting to Windscribe?

Can you post the contents of your /etc/resolv.conf:

  • before connecting to Windscribe
  • after connecting to Windscribe
  • after disconnecting from Windscribe

Is there any relevant information in the debug log?

I just tested this on a clean installation of Arch. After disconnecting from Windscribe, the original contents of my /etc/resolv.conf are restored.

@Nuc1eoN

Author

commented Nov 16, 2018

Yes, I am sorry, I actually meant core/systemd-resolvconf.
I am using networkd and I think it's using DHCP, how can I find out? I simply connected via LAN cable to the router and it worked.

> Do you have DNS resolution and Internet connectivity before connecting to Windscribe?

No I don't. From the moment I have installed and used windscribe I am only able to connect over windscribe.

/etc/resolv.conf before Windscribe connection:

# Resolver configuration file.
# See resolv.conf(5) for details.

during:

# Generated by resolvconf
nameserver 10.255.255.2

after:

# Resolver configuration file.
# See resolv.conf(5) for details.

When I search for windscribe viewlog | grep -i resolv there are many entries like
[INFO] running openvpn command: /usr/bin/openvpn --verb 4 --daemon --management /etc/windscribe/openvpn.sock unix --management-hold --config /etc/windscribe/client.ovpn --log /var/log/windscribe/ovpn_log.txt --up /etc/windscribe/update-resolv.sh --down /etc/windscribe/update-resolv.sh

So there actually seems to be some script in place to update resolv.conf.

@hkuchampudi

Owner

commented Nov 17, 2018

Ok,

Unless you remember configuring a static IP for your computer, you are probably getting your IP address via DHCP. That you were, as you say, previously able to connect your computer via LAN cable without any additional IP configuration also suggests that you are probably using DHCP.

So, you are using systemd-networkd to manage your network configuration? In which case, if you want to get your DNS from your router and DHCP (instead of hard-coding a DNS), please make sure you have done the following (see https://wiki.archlinux.org/index.php/systemd-networkd#Basic_DHCP_network):

  • Enable the systemd-resolved.service
  • Symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf using the command: ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

So, the logic behind this is that systemd-resolved provides the DNS service so it should be enabled. systemd-resolved then creates the file /run/systemd/resolve/resolv.conf which it uses to manage DNS settings. However, to my knowledge, windscribe-cli and other VPN clients rely on making changes to /etc/resolv.conf. Therefore, we need to bridge the gap and create the aforementioned symlink. If your /etc/resolv.conf is not already symlinked, systemd-resolved will use /etc/resolv.conf as the master DNS configuration and, since it is empty, you won't be able to resolve anything. This explains why you only have an Internet connection when connected to Windscribe.

If you already have enabled the systemd-resolved.service and have the symlink as per the instructions above, then there might be an issue somewhere else in the networking setup.

> So there actually seems to be some script in place to update resolv.conf

Yes there is, it is located in /etc/windscribe/update-resolv.sh and it is responsible for restoring /etc/resolv.conf.

Please give the above a try, and let me know if this leads anywhere.
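
One way to check which of the states described in this comment a machine is in, as an added example that is not part of the original comment or of the project's code. The function names are hypothetical, and the symlink test assumes the link was created with the absolute target shown in the `ln -sf` command above.

```shell
#!/bin/sh
# Added example (not from the thread): classify a resolv.conf file into the
# states discussed in this issue. Function names are hypothetical.

# Target of the symlink that the suggested fix creates.
RESOLVED_CONF="/run/systemd/resolve/resolv.conf"

# Print each nameserver address in a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1" 2>/dev/null
}

# Print one of: resolved-symlink | other-symlink | missing | no-nameserver | static
resolv_state() {
    rs_path="${1:-/etc/resolv.conf}"
    if [ -L "$rs_path" ]; then
        # Compare the literal link target; a dangling link is still reported,
        # since systemd-resolved may simply not be running yet.
        if [ "$(readlink "$rs_path")" = "$RESOLVED_CONF" ]; then
            echo "resolved-symlink"
        else
            echo "other-symlink"
        fi
    elif [ ! -e "$rs_path" ]; then
        echo "missing"
    elif [ -z "$(list_nameservers "$rs_path")" ]; then
        # Only comments or blank lines: the state reported before and after
        # the VPN session in this issue, where nothing can be resolved.
        echo "no-nameserver"
    else
        echo "static"
    fi
}

# Run against a path when one is given, e.g.: sh resolv_state.sh /etc/resolv.conf
if [ "$#" -gt 0 ]; then
    echo "$1: $(resolv_state "$1")"
    list_nameservers "$1"
fi
```

Running it before connecting, while connected, and after disconnecting shows whether the file returns to a state that still contains a resolver once the VPN's nameserver entry is removed.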

@Nuc1eoN

Author

commented Nov 17, 2018

> • Enable the systemd-resolved.service
> • Symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf using the command: ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Hey @hkuchampudi, thank you for your patience, that really fixed my issue! :) Feeling dumb right now for not having my system properly set up. Thank you very much!

@Nuc1eoN Nuc1eoN closed this Nov 17, 2018

@Xavion

commented Sep 12, 2019

@hkuchampudi

According to this section of the systemd-resolved article (on the ArchWiki), it is currently susceptible to man-in-the-middle attacks.

Do you still recommend that we use it with Windscribe?

@hkuchampudi

Owner

commented Sep 14, 2019

@Xavion

> Do you still recommend that we use it with Windscribe?

I don't believe that I have ever recommended users to use any specific DNS resolution service. In the above case, that was what the user was already using on their system. Users should be aware of the limitations and issues affecting the services on their systems and make their own decisions based on that.

That being said, the warning you cited does not apply in this case. To my knowledge, Windscribe does not provide a DNS server that utilizes DNS over TLS. The client application (which uses OpenVPN) mitigates against MitM attacks by using embedded certs and credentials in the configuration file to verify that the user is actually connecting to a legitimate Windscribe server; otherwise the connection would fail. Once connected, traffic moves through the encrypted tunnel established by OpenVPN.

If you have any follow-up concerns, please open a new issue. Thanks!

@Xavion

commented Sep 14, 2019

@hkuchampudi

OK, thanks for clearing that up. By telling him how to use systemd-resolved, I thought you were more or less endorsing it (for use with Windscribe).
