Open nothingmuch opened 2 months ago
I'm using the commands below as a workaround on Ubuntu:

```shell
nft -a list chain inet mullvad output |grep "dport 53 reject" |awk '{print $NF}' |xargs -n1 nft delete rule inet mullvad output handle
mullvad dns set custom 127.0.0.1
mullvad connect
nft -a list chain inet mullvad output |grep "dport 53 reject" |awk '{print $NF}' |xargs -n1 nft delete rule inet mullvad output handle
```
Is it a bug?
I have checked if others have reported this already
Current Behavior
Upon upgrading mullvad-cli 2023.6 from NixOS, my local DNS recursive resolver stopped working. I did not examine what changed from the previous version, but simply added the whitelisting mark to all DNS traffic so that it is accepted using the mark rule before being explicitly dropped in the filters mullvad adds when the VPN is connected.
Expected Behavior
When configuring a custom DNS server with an address on one of the host's interfaces, mullvad should not interfere with the operations of the DNS server, it should be able to send DNS traffic through the VPN.
Since allowing DNS traffic by default is a potential privacy leak and a local DNS server is not necessarily a recursive resolver (it may only use DoH, etc.), the current behavior should remain the default IMO as it is safer. So, to be precise, the bug is really that there's no setting or mechanism to disable this behavior when it is appropriate to do so.
Steps to Reproduce
On NixOS, enable systemd-resolved, unbound, nftables, and mullvad-vpn. Ignore DHCP DNS, setting the DNS server through resolved to 127.0.0.1 (unbound).
All DNS queries will end in SERVFAIL because unbound is unable to send DNS traffic through the wg-mullvad interface.
The following is excerpted from my machine configuration and also includes the workaround I have been using since upgrading.
Failure Logs
No response
Operating system version
NixOS unstable (eventually will be 24.05)
Mullvad VPN app version
2023.6
Additional Information
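The workaround in the report pulls rule handles out of `nft -a list chain` with `grep | awk '{print $NF}'` and feeds them straight into `nft delete rule`. The following is an added example (not part of the original issue and not Mullvad's code) that extracts the handles only from the `# handle N` suffix nftables prints, so a number inside the rule text itself cannot be mistaken for a handle, and emits the delete commands as text for review rather than executing them. The `SAMPLE_LISTING` below is constructed to resemble the chain listing; the rule set, mark value and handle numbers in it are assumptions, not a capture from a real system.

```shell
# Added example, not from the original issue. Parses a `nft -a list chain`
# listing for the handles of "dport 53 reject" rules without deleting anything.
# SAMPLE_LISTING is constructed; the rules, mark and handle numbers are assumed.
SAMPLE_LISTING='table inet mullvad {
	chain output {
		type filter hook output priority 0; policy drop;
		oif "lo" accept # handle 12
		meta mark 0x6d6f6c65 accept # handle 13
		udp dport 53 reject # handle 21
		tcp dport 53 reject # handle 22
		oif "wg-mullvad" accept # handle 30
	}
}'

# Print the handle number of every rule in the listing whose text matches
# PATTERN (default: "dport 53 reject"). Only the trailing "# handle N" comment
# that `nft -a` appends is used, so a port or mark value in the rule body can
# never be picked up as a handle the way a bare `awk '{print $NF}'` could.
dns_reject_handles() {
    listing="$1"
    pattern="${2:-dport 53 reject}"
    printf '%s\n' "$listing" | sed -n "/$pattern/s/.*# handle \([0-9][0-9]*\)\$/\1/p"
}

# Render the delete commands as text so they can be inspected (or piped to sh)
# instead of being run blindly through xargs.
dns_reject_delete_cmds() {
    dns_reject_handles "$1" | while read -r h; do
        printf 'nft delete rule inet mullvad output handle %s\n' "$h"
    done
}

# Live use, as root with the VPN connected:
#   dns_reject_delete_cmds "$(nft -a list chain inet mullvad output)"
# Offline demonstration on the constructed listing:
dns_reject_delete_cmds "$SAMPLE_LISTING"
```

Because these rules are the ones that stop DNS from leaking outside the tunnel, the printed commands are worth reading before they are run: as the report itself notes, removing them is only appropriate when the local resolver really does send all its upstream traffic through the VPN.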