-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
After connected to VPN, systemd-resolve still use ISP's DNS server( which was polluted because of regulation ) #6076
Comments
Hmm, not sure I follow. How exactly did you configure your DNS? What does "systemd-resolve --status" report about the DNS servers? Is /etc/resolv.conf a file or a symlink? |
@poettering thanks for your reply. here is the information
ping failed, 93.46.8.89 is incorrect , ISP's DNS server resolve it to 93.46.8.89 because of Internet regulation. VPN's DNS Server resolve it to 172.217.26.36, which can ping successfully. |
Can confirm the same effect with a OpenVPN connection.
Running "systemd-resolve internal.name.local" fails to find it (it only tries the 192.* DNS server), running "systemd-resolve -i tun0 internal.name.local" resolves the name correctly (via 172.* DNS server), but no applications actually supply that interface, naturally. Systemd version 232 Currently I have to workaround this by overwriting the /etc/resolv.conf file each time I connect to the VPN, but even that now stops working as some apps use the systemd-resolv directly if it is available. Alternative solution that worked for me is using a patched version of NetworkManager from https://bugs.launchpad.net/network-manager/+bug/1624317 that forces using the VPN DNS server by adding a "DNS Domain: ~." declaration to the tun0 section of systemd-resolve |
You (joshuafc and aigarius) need to do 2 things:
|
aigarius, for you the domain .local should be configured as "routing" domain on this link (tun0). |
@mikken, that script you're telling us to use is 400 lines long. What does it do? Any bugs? Is it safe or does it expose our systems to vulnerabilities? Will it break something else? Why do we need a 400 lines long script (and then to do even more stuff) to achieve something as essential as getting DNS lookups to go through the VPN connection? Nearly every time someone connects to a VPN service the user's expected system behaviour is that the VPN service's DNS servers should be used and all traffic should go through the VPN connection; this is especially true for novice users. This should therefore be the default behaviour. But not only is this not the default behavior, there also isn't some easy way to make systemd-resolved to work as desired (e.g. you have to use 400 lines long scripts, block packets to your ISP's DNS server at the IP-level, etc). systemd-resolved is a "system service that provides network name resolution". It is beyond essential that a system that "provides network name resolution" should be able to with little effort to be made to route DNS requests through a VPN connection. Also, it's default behavior out-of-the-box should comply with the most common use cases (e.g. user connects to a VPN service ==> all data goes through VPN connection). |
See #7182 |
My current workaround is to do the following tricks every time I start my workplace VPN:
Apparently there isn't any simple cli tool for managing systemd-resolved's settings. That |
So, resolved is actually doing the right thing here, given the configuration it was given. @joshuafc, resolved only knows the DNS server 192.168.83.2 in your setup, but you want it to know 208.67.222.222 and 8.8.8.8, right? If so, this information needs to be made available to resolved, and the ppp scripts (given that you are using ppp/pptp) need to push it into resolved, which i think ubuntu updated the "resolvconf" package to do. But that's really outside of the scope of upstream resolved. @nox, can you help? is there some ppp/pptp hookup missing for resolved in ubuntu? |
@poettering I'm confused by your most recent comment. If you review the contents of the most recent comment by @aigarius it shows that resolved does in fact have the DNS server addresses. He's just using google.com as an example to show the geo-located difference between his native connection and the vpn connection. I came to this bug because I have a similar situation and basically the exact same symptoms as described in @aigarius' most recent comment with an openconnect vpn configuration. It's clear from the output that systemd-resolved has the DNS server info for the DNS servers inside the VPN, but it's not updating the DNS cache to bring in the new DNS servers and thus having trouble resolving things inside the private VPN network that should resolve easily. And in fact do resolve easily if you point relevant commands at the correct interface/DNS server. A simple restart of systemd-resolved upon vpn connect/disconnect seems to fix the problem, but alas it really shouldn't be needed. Systemd-resolved should just be flushing the cache when a new DNS server is added. |
A simple restart of systemd-resolve upon vpn connect/disconnect does not really help.
The only reasonable workaround so far is the one provided by @snabb #6076 (comment) Edit: and the We need some way to make sure that the DNS servers provided by the VPN server are the only ones that should be used as long as the VPN connection stays active. Upd/Edited: Upd2:
Upd3:
According to https://www.freedesktop.org/software/systemd/man/systemd.network.html
Upd4: https://bugzilla.gnome.org/show_bug.cgi?id=783569#c26 And some are working on the NetworkManager to support the |
I had the same problem with DNS Leaks. I created a script that I wanted to share which solved my problems, in the background via Network Manager - no additional manual calls needed anymore. This is executed by Network Manager every time there is a connection change - In my case I check if the vpn connection id contains a certain substring, if yes I set the DNS Domain for the new VPN connection - and no DNS leaks any more.
|
First of all, like many other power users I ask myself why systemd-resolve is such a deaf piece of software that I need scripts to force my DNS server. Before systemd I used nslookup which named the server that resolved the host. Now I have to activate debugging to see the dns servers used. This is all way to complicated...I need to be able to easily verify if my VPN is leaking dns requests. Last , but not least, the network-manager integration seems not ready, because the scripts needed to update systemd-resolve cannot be executed. I guess the network-manager does not behave systemd-resolve friendly and therefore options are ignored. Nevertheless, I came close to what I expected using the steps @arno01 mentioned. The script combined with the dns domain in openvpn config forces my dns requests to pass my VPN. I checked it with (pretending systemd-resolve debug is turned on): Till then I start my VPN through a shortcut...asking for admin rights. |
With some drawbacks in more complicated configurations, I can confirm that the script of @jahnf works if you just stick to a single VPN. I tried making adaptions to deal with multiple VPN connections by letting it kick in on Anyway, better then nothing. Many thanks. |
@Forage I was able to setup two OpenVPN connections without exposing the ISP's DNS server. To avoid ISP's DNS server exposure with When running two or more OpenVPN's, you need to ensure you are not using But then, having Of course, if you either need to access only internal VPN resources or pass certain IP ranges through the VPN, you can use
|
I mean I can do all this but from a user perspective, in my VPN settings in network manager, under the IPv4 section, I explicitly set the DNS server to use my VPNs dns server, and yet systemd-resolved still is refusing to do it. That sounds exactly like a systemd-resolved bug to me. |
Dear people! I have exactly the same problem here.. Let's be honest guys! DNS servers are NOT EQUAL. There is a difference between THEORY and REALITY. I live in an unfortunate part of the world where DNS requests are hijacked.. So DNS probe from my VPN connection is different than that of my ISP provided DNS server. Not even this.. since ISP's in my country hijack DNS requests, they almost NEVER respect TTL's. Leading to unexpected results which can last up to days until they are fixed. Here is output of
As you can see, my VPN connection has assigned I have done this in three steps... First.. my openconnect server has DNS configuration as follows located in
Second I have modified configuration for Network Manager... Designating DNS servers manually:
And third step, I have instructed resolved to use some designated global name servers:
But even still, resolved would pick my local router's DNS server simply because it responds a little faster! And I have no option at all to disable this.. No option to exclude it.. Here is journal log when I try to resolve I just am a fan of systemd... But this optimization behavior of resolved comes with no configuration at all.. it comes with no way to exclude a DNS server, increase timeouts, disable this behavior or whatever. And the more I think about it.. The more I come to realize that I should either replace and disable resolved OR to nuke my ubuntu system, find some lonely linux distro which does not use systemd and just stay there... OR maybe we can come to some terms about how we can configure this, I would gladly submit a PR in time.
|
Hey guys, is it possible to use systemd, but not resolved? I mean, could I go back using nslookup and other simple tools even systemd does all its other jobs? |
godfuture, of course. Don't run systemd-resolved service and edit nsswitch.conf to use resolv.conf instead. |
Just lost a whole morning of work because of systemd-resolved. Most DNS lookups were working fine over my VPNs DNS server (openconnect VPN), but there was one address which systemd-resolved was very aggressive about looking up with my ISPs DNS server (fresh up-to-date Ubuntu 18.04 install). Things worked fine for the first day or so, but now this one address just simply won't resolve correctly. When I see here that people are running huge scripts to fix something like this, my first thought was "Do I even really need to run systemd-resolved if it's going to be this difficult to do the simple job of using my VPNs DNS server reliably? What do I gain here that I didn't have before with just NetworkManager?" @godfuture, I followed the accepted solution here - https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu. DNS now behaves much more sanely and reliably and nslookup has become useful again too. |
It is configured with only those 2 available servers. Only those 2 servers must be available to it. I explicitly specified just 2 servers, it must respect the configuration. If for some reason it also wants to use other servers - it at least must show them in the
I'm not sure what that exactly means, all my DNS traffic must flow to those 2 configured servers only.
I don't need a routing domain, those are global DNS servers because I want all DNS traffic to flow through it exclusively. |
I see, check again that resolution you see with tcpdump is done by |
The very reason I'm here is because long ago I have experienced exactly the same symptoms like other people in this post. Given this issue was closed and people deny there is a bug - I don't see how creating another one would change anything 🤷 .
It contacts |
I insist that piling onto this issue report with additional questions or support requests isn't going to be useful.
systemd-resolved sends your DNS exactly where it is told to do so. It's not systemd-resolved's fault that you (or other software on your computer) have told it to do something that's not what you want. In your case, my guess -- without seeing the output of
We need to see the output of the So I see zero evidence of a bug -- it's much more likely just a misconfiguration -- although for us to be sure, you would need to post the output of |
OK, one correction: I didn't know about |
|
Please do not report any bugs here against distros that do not provide resolvectl, but do provide systemd-resolve, as that means your distro is really old, and we only track issues related to current upstream systemd versions here, see submission form. |
Lennart, not everyone uses the latest distros, most "ordinary" end-users and, of course, enterprise users prefer stable LTS distros. We use computers for work and entertainment, not for hacking.
so "~." exists for both eth0 and tun0, but only enterprise 192.168.160.1 DNS can resolve the internal resources. |
Please understand that this is a bug tracker for upstream issues. For older systemd versions please contact your downstream distro. It's pointless to post issues here about really old versions here. It frustrates both you and me, and wastes both our time. Thank you for understanding. |
Well you've definitely messed up your systemd-resolved configuration such that internal names may be resolved by either DNS server: you probably want tun0's DNS to resolve requests for It might also indicate a messed up your /etc/resolv.conf such that systemd-resolved is not the only present server. I am just guessing there, but that might explain the difference in behavior between ping (which probably uses nsswitch) and host (which looks at /etc/resolv.conf directly). Notice that your problem is totally unrelated to the last user who commented here, and also unrelated to the original bug report. There are simply too many inventive ways to misconfigure your DNS for us to handle every possible misconfiguration in this one issue report. I'm going to suggest it's probably time to lock this issue. |
@zerkms I suppose you use split tunnel VPN. I get two DNS servers from our company in a split-tunnel DNS setup aswell. This is what I did. Does that help you? When I am connected to our company VPN I am now resolving everything through VPN. I have doublechecked with Wireshark to see if I am leaking any DNS, but I couldnt find anything yet.
Disconnect from VPN, and the default resolver is now on wlan0
|
@sliddjur I use ipsec, there is no dedicated interface in my implementation: all traffic flows through one and the only physical interface. |
This issue is closed, but when I tried to use OpenVPN 2.4.7 on Ubuntu 20.04, this issue still causes DNS leaks. After some troubleshooting, I realized that I had to do all of the following:
Only after all three steps, openvpn finally stops leaking DNS. In
This is such a pain to do something simple. I want to point out that none of these were needed before systemd-resolved was introduced. Is there any plans to fix this? |
No, it would need to be fixed by the openvpn developers, not by systemd-resolved. systemd-resolved only sends your DNS exactly where you tell it to, so there is nothing to fix. If you don't tell it what you want, it cannot do what you want. Your post is good documentation of how to manually tell systemd-resolved where your DNS is intended to go if you want to manually configure openvpn. Alternatively, if you are a desktop user, you could use NetworkManager-openvpn, which would take care of all of this for you automatically. |
Thanks. Let me try to find out if OpenVPN is fixing this. |
Hi @mcatanzaro one thing I want to point out is that, OpenVPN is not the only VPN client experiencing this issue. Others such as FortiClient have the same problem. Is it right to say that multiple VPN clients are broken and the issue is caused by those VPN clients themselves and not by systemd-resolved? |
Fixes: systemd#17588 systemd#17512 Prompted-by: systemd#17529 (Also relevant: systemd#6076)
Fixes: systemd#17588 systemd#17512 Prompted-by: systemd#17529 (Also relevant: systemd#6076)
I put together some docs in #17678 that explain in detail what VPN should do to get the right config into systemd-resolved. PTAL. |
I'm surprised this is still a problem in 2020, since systemd-resolved has been default in Ubuntu for four years now, but yes, every VPN client that does not know how to configure systemd-resolved is going to be broken. Thanks for documenting how to do this, Lennart! |
Fixes: systemd#17588 systemd#17512 Prompted-by: systemd#17529 (Also relevant: systemd#6076)
Wow, so I've just found this and have been wondering why I've had so many problems with ivpn. Time to go back to nordvpn. |
Something is not working properly AFAIK,
systemd-resolve --status
but making a dns request (in this case a simple ping www.google.com) causes:
As we talk about privacy setup, and as DNS request are not encrypted, letting them go to the VPN server without passing trough the tun0 is pretty much as bad as requesting to the ISP, as they are easy to intercept from the ISP. also i find very strange this different behavior based on the destination ip, am i triggering some edge case? |
To avoid routing the VPN traffic itself via TUN device, some route-based VPNs install a bypass route via physical interface for the VPN server's IP address. You might want to assign a second (maybe private) IP address to the VPN server that you use as DNS server address. |
ok, this make a lot of sense and i guess a simple routing table cannot handle my case as it does not know the protocol, or at least the destination port. |
Submission type
systemd version the issue has been seen with
Used distribution
Because of the Internet regulation, ISP's DNS server can not resolve some domian correctly( for example www.google.com www.youtube.com ). Under normal conditions, we use vpn and set the vpn as default internet gateway when needed to access above website.
When I start to use Ubuntu 17.04, It is found that when connected to vpn, all internet package transfer through vpn except domain name resolve. Infact, VPN server had tell correct DNS server IP address through DHCP. But systemd-resolve still use ISP's polluted resolve.
At /etc/resolv.conf, I found that DNS resolve had be taken over by systemd-resolve. There can't find any easy way to tell systemd-resolve to use a specified DNS server, or disable any DNS server according " systemd-resolve --help ".
Willing to accept guidance to correct my use of systemd-resolve,
If you can, Please add some necessary feature to systemd-resolve to solve such problem,
In case of bug report: Expected behaviour you didn't see
In case of bug report: Unexpected behaviour you saw
In case of bug report: Steps to reproduce the problem
The text was updated successfully, but these errors were encountered: