jonathanio / update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus.

Scripts runs but results in a DNS leak on Ubuntu 21.10, it does not remove existing DNS servers. #98

Closed ioogithub closed 1 year ago

ioogithub commented 2 years ago

I am attempting to use this script with a systemd service and a config file from the openvpn provider modified according to the instructions.

I used the Stub Resolver. The systemd-resolved.service is enabled and running.

When I start the OpenVPN service: systemctl start openvpn-client@ovpn.service I get:

Mar 08 22:51:33 ubuntu openvpn[871]: /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1552 x.x.x.x 255.255.0.0 init
Mar 08 22:51:33 ubuntu openvpn[1080]: <14>Mar  8 22:51:33 update-systemd-resolved: Link 'tun0' coming up
Mar 08 22:51:33 ubuntu openvpn[1082]: <14>Mar  8 22:51:33 update-systemd-resolved: Adding IPv4 DNS Server x.x.x.x
Mar 08 22:51:33 ubuntu openvpn[1083]: <14>Mar  8 22:51:33 update-systemd-resolved: SetLinkDNS(4 1 2 4 10 9 0 1)

When I do a ~/dnsleaktest.sh I get a DNS leak. I can confirm on any of the www DNS leak webpages.

Before the script I had two DNS entries which came from the DHCP router. The script successfully removed the second one and replaced it with the correct OpenVPN DNS server however it left the first one (the primary one) in place.

The down part of the script, however, works as expected. It removed the OpenVPN DNS servers successfully with a: systemctl start openvpn-client@ovpn.service

Update: I ran another series of subsequent tests. This time, the script did not remove the existing DNS servers; it just added the OpenVPN DNS servers at the end of the list. Again a DNS leak. The down script again functioned as expected and successfully removed the OpenVPN DNS servers.

System info:

systemd 248 (248.3-1ubuntu8.2)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS -OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP -LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: gatewayIPV4
       DNS Servers:  gatewayIPV4 gatewayIPV6
        DNS Domain: lan

Link 6 (tun0)
Current Scopes: DNS
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: x.x.x.x
oem@ubuntu:~$

tomeon commented 1 year ago

Possible duplicate of #85. Also, though it doesn't look like you are using NetworkManager, see this example script from #59 for a means of removing the +DefaultRoute attribute from non-VPN interfaces.

tomeon commented 1 year ago

@ioogithub -- closing this; please reopen if this remains an issue. Please take a look at https://github.com/jonathanio/update-systemd-resolved#dns-leakage for information on preventing DNS leakage. Note also that update-systemd-resolved only manages the DNS settings associated with your VPN's interface; it should not touch settings for (e.g.) your eth0 interface. If your eth0 settings change when bringing the VPN up or down, it's probably coming from somewhere other than update-systemd-resolved.
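
A way to check for the leak condition tomeon describes above and in the earlier comment (the +DefaultRoute attribute left on non-VPN links), as an added example that is neither the project's script nor the one from #59: it parses resolvectl status text for links other than the VPN's that still carry +DefaultRoute and prints the resolvectl commands that would remove the attribute and make the VPN link the catch-all routing domain. The sample status text is constructed from the output quoted in the issue using documentation addresses; the resolvectl default-route and domain verbs are assumed to be available on the systemd 248 shown. Nothing is executed against the live daemon unless --live is passed.

```shell
#!/bin/sh
# Added example (not from the update-systemd-resolved project): find non-VPN
# links that still carry +DefaultRoute in `resolvectl status` output. Such links
# remain fallback resolvers for any query with no more specific routing domain,
# which is the condition behind the leak reported in this issue.

# Constructed sample modelled on the output quoted above (link names and
# addresses assumed; 192.0.2.x / 198.51.100.x are documentation ranges).
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.0.2.1
       DNS Servers: 192.0.2.1
        DNS Domain: lan

Link 6 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 198.51.100.53'

# leak_links STATUS_TEXT VPN_LINK
# Prints, one per line, every link other than VPN_LINK whose "Protocols:" line
# carries +DefaultRoute.
leak_links() {
    printf '%s\n' "$1" | awk -v vpn="$2" '
        /^Link [0-9]+ \(/ {
            # "Link 2 (eth0)" -> eth0
            name = $0
            sub(/^Link [0-9]+ \(/, "", name)
            sub(/\).*$/, "", name)
            link = name
            next
        }
        # The Global section has no link name, so link == "" skips it.
        /Protocols:/ && link != "" && link != vpn && /\+DefaultRoute/ { print link }
    '
}

# remediation_commands STATUS_TEXT VPN_LINK
# Prints (does not run) the resolvectl commands that close the leak: drop
# DefaultRoute on each other link, then give the VPN link the routing domain
# "~." so every query not matching a per-link domain goes to the VPN resolver.
remediation_commands() {
    leak_links "$1" "$2" | while IFS= read -r link; do
        printf 'resolvectl default-route %s false\n' "$link"
    done
    printf "resolvectl domain %s '~.'\n" "$2"
}

if [ "${1:-}" = "--live" ]; then
    # Inspect the real daemon (requires systemd-resolved and resolvectl);
    # the VPN link name defaults to tun0 as in the issue.
    remediation_commands "$(resolvectl status)" "${2:-tun0}"
else
    remediation_commands "$SAMPLE_STATUS" tun0
fi
```

Run without arguments to see the commands derived from the embedded sample; with `--live [link]` it reads the running resolver's status instead and still only prints the commands, so they can be reviewed before being applied. Note that this touches the other links' routing flag only, which is exactly the setting tomeon says update-systemd-resolved itself does not manage.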