Open colemickens opened 4 years ago
This happens in Firefox, but not (so much?) in Chromium.
It's probably nsswitch.conf that's the culprit:
```
$ cat /etc/nsswitch.conf
hosts: files mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns mdns myhostname
```
So it's trying systemd-resolved before "dns" (aka /etc/resolv.conf)... I probably need to be reconfiguring resolved... (inside the container?) and then symlinking /etc/resolv.conf -> stub-resolv
Two issues identified fairly conclusively:

1. `systemd-resolved` is clobbering the `resolv.conf` inside the container whenever `systemd-resolved` is restarted. I'm wondering if this is specific to NixOS possibly?
2. `nscd` happily just leaks DNS across the netns boundary since it exposes a socket path that is passed through to the `ip netns exec` environment.
I can warn for the first, error on `nscd` running, but this feels fragile. Can't imagine the number of permutations ... (nscd or not) * (nm|conman|networkd) * (resolved or not) * (anything else I'm not even thinking of because my setup doesn't hit it...)
Seems like I'm not the first to notice. See the "DNS Hardening" section here: https://github.com/slingamn/namespaced-openvpn
Given the example in the README, I would expect DNS to not leak (given that we write out resolv.conf that is bind-mounted in the netns, which is easily confirmed).
I've also gotten Mullvad to tell me that I wasn't leaking DNS multiple different times after clearing cookies, but that's not reliable either.
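The "warn for the first, error on nscd" pre-flight described above, written out as an added example. This is not code from the issue, from the project, or from namespaced-openvpn; it is a POSIX sh script that checks the three leak paths named in the thread (`resolve` ahead of `dns` in the `hosts:` line, `/etc/resolv.conf` pointing at the systemd-resolved stub, and a reachable nscd socket) against file contents so it can be exercised offline. The sample `nsswitch.conf` line is the one quoted in the issue; the sample `resolv.conf` files, the `10.8.0.1` nameserver, and the function and variable names are constructed for the example. On a real host the arguments would be `/etc/nsswitch.conf`, the `resolv.conf` visible inside the netns, and glibc's default nscd socket path `/var/run/nscd/socket`.

```shell
#!/bin/sh
# Added example: pre-flight checks for the DNS leak paths discussed in the
# issue. Not part of the original project.

# Tokens such as "[!UNAVAIL=return]" are valid glob patterns; disable
# pathname expansion so word-splitting the hosts: line is safe.
set -f

# Return 0 when the hosts: line in the nsswitch.conf text given as $1 lists
# "resolve" (systemd-resolved) before "dns" (/etc/resolv.conf), or lists
# "resolve" without "dns" at all.
nss_resolve_before_dns() {
    hosts=$(printf '%s\n' "$1" | sed -n 's/^hosts:[[:space:]]*//p' | head -n1)
    pos=0; rpos=0; dpos=0
    for tok in $hosts; do
        pos=$((pos + 1))
        case "$tok" in
            resolve) [ "$rpos" -eq 0 ] && rpos=$pos ;;
            dns)     [ "$dpos" -eq 0 ] && dpos=$pos ;;
        esac
    done
    [ "$rpos" -ne 0 ] && { [ "$dpos" -eq 0 ] || [ "$rpos" -lt "$dpos" ]; }
}

# Return 0 when the resolv.conf at $1 is the systemd-resolved stub: either a
# symlink into /run/systemd/resolve/ or a file naming the 127.0.0.53 stub
# listener. Either way resolved, not the bind-mounted file, answers lookups.
resolv_conf_is_stub() {
    f=$1
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            */systemd/resolve/*) return 0 ;;
        esac
    fi
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$f" 2>/dev/null
}

# Return 0 when a unix socket exists at $1 (glibc clients will hand their
# NSS lookups to whatever nscd listens there, outside the netns).
nscd_socket_present() {
    [ -S "$1" ]
}

# Run all three checks. Status follows the policy in the issue: 2 (error) if
# the nscd socket is reachable, 1 (warn) for either resolved condition,
# 0 when none of the leak paths is present.
preflight() {
    nss=$1; resolv=$2; nscd_sock=$3
    status=0
    if nss_resolve_before_dns "$(cat "$nss")"; then
        echo "warn: $nss consults 'resolve' before 'dns'; systemd-resolved answers before $resolv is read" >&2
        status=1
    fi
    if resolv_conf_is_stub "$resolv"; then
        echo "warn: $resolv points at the systemd-resolved stub; a resolved restart rewrites it" >&2
        status=1
    fi
    if nscd_socket_present "$nscd_sock"; then
        echo "error: nscd socket $nscd_sock is reachable; lookups bypass the netns" >&2
        status=2
    fi
    return $status
}

# Constructed sample inputs (not captured from a real host): the hosts: line
# quoted in the issue, a resolved stub resolv.conf, a symlink to the stub
# path, and the resolv.conf a VPN wrapper would bind-mount into the netns.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'hosts: files mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns mdns myhostname\n' > "$WORK/nsswitch.conf"
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$WORK/resolv-stub.conf"
ln -s /run/systemd/resolve/stub-resolv.conf "$WORK/resolv-link.conf"
printf 'nameserver 10.8.0.1\n' > "$WORK/resolv-netns.conf"

# Demo run: both resolved warnings fire, no nscd socket at the dummy path,
# so the script reports status 1.
preflight "$WORK/nsswitch.conf" "$WORK/resolv-stub.conf" "$WORK/no-such-socket" || echo "preflight status: $?"
```

Running `preflight` with the host's real paths from inside `ip netns exec` is the point: the `resolv` argument must be the file as seen inside the namespace, and a non-zero status should stop the wrapper before it launches the browser, since the nscd case in particular cannot be fixed by rewriting `resolv.conf` at all.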