-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf, Mullvad doesn't detect that it cannot modify system DNS settings #1952
Comments
Have you checked if |
I hadn't thought of that, but
Edit: here are my configs
(and now I unrelatedly realise that I need to rename everywhere.conf to 00-everywhere.conf, because the later file probably takes priority) |
Oh, and this is whilst you are connected, right? This seems bad - does DNS actually work? Because it shouldn't. You could send a problem report via the app so that we may read the daemon logs, otherwise I can try and reproduce the issue on my own. |
Yes, this is when connected and https://am.i.mullvad.net/ gives a warning on failing to check for DNS leaks (and this particular IP being blacklisted apparently) and DNS works. I sent a problem report referencing this issue with optional email as my name at myname dot info, but I don't know if it would be more helpful to reproduce the issue locally. |
Would you mind testing to see whether any of the global DNS servers in your config are reachable? |
Times out, however 149.112.112.112:853 works as far as I can tell, I don't know any |
We currently do not block DNS-over-TLS, so that is why everything continues to work normally. I will however investigate why the daemon silently fails to set the appropriate DNS config for |
With a default install with Gnome and
And
So I cannot reproduce the reported issue. I tried this with both NetworkManager and just a plain DHCPCD service. Are you using systemd's networkd by any chance? Is there any other config that I should be aware of? I can imagine that there's some config option that would force DNS over TLS, then the daemon's RPCs to add plain DNS servers to It might be the case that the daemon should verify if the config it's trying to set is actually set, via DBus. But for now, I still can't reproduce the issue. |
I am using NetworkManager. So you don't get a DNS leak on https://am.i.mullvad.net/ detected? What does your I get the same result with |
I thought about this a bit more and remembered/found https://powerdns.org/useful-names/ which tells where they are receiving the DNS queries from and I see addresses belonging to Woodynet aka Quad9.
|
You are correct, mullvad's DNS servers will not be used. I presume this is due to This is probably the culprit here. As dirty as it may feel, I think disabling that setting until we support DNS over TLS in our tunnels (I'm not sure if we have any plans to do so). But this will still not fix the DNS leaks entirely. In this case, we'd probably need to either do what always ends in bloosdhed - record the current DNS config to a file and configure systemd-resolved exactly the way we want it, or we could update our firewall to block DNS over TLS. This still allows for DNS over HTTPS, which can still cause leaks (but it's far harder to block). Technically, we've designed the DNS config management systems to only apply the correct DNS config so that DNS works, not to prevent leaks from happening, the firewall is supposed to help with that. Of course, with DNS over TLS and DNS over HTTPS, that is no longer enough, so we'll have to investigate how best to deal with this. Personally, I feel this isn't as bad as leaking plain text DNS packets outside of the tunnel, and in this case, the encrypted DNS requests are still sent through the tunnel (otherwise DNS would time out). The leak of course here is that we aren't ensuring that your DNS requests are being sent to our servers, which is bad. Perhaps you personally have an opinion on where the line should be between enforcing privacy focused configuration and respecting what the user has personally configured? |
I am not sure on blocking DNS-over-TLS while it would be consistent with blocking normal DNS and the dedicated port helps. What I want to do is to have DNSSEC validation locally, so I don't have to trust Mullvad's DNS servers to do that and use trust-ad in resolv.conf as it was intented. Regarding DNS-over-HTTPS, I am currently not aware of any implementation of it that performs DNSSEC validation locally (without chaining either systemd-resolved or unbound to do that) so on computers I see it kind of as a step backwards. I guess the best case scenario for me would be having custom DNS (#473) and if I opted to use Mullvad's DNS servers, the app could possibly perform a DNS test and show a warning about Mullvad's DNS not being used and giving an option to not block connectivity. |
Now broken on Arch too. archlinux/svntogit-packages@e3dba1b Is there any workaround other than building systemd without the flag? On my PC I just get "Failed to set system DNS" and Mullvad goes into blocking state. There is no tun0 to do |
Oh and trying to report the error from the app fails as well. It asks me to hit disconnect on the main screen, but I already disconnected and disabled "Always require VPN". |
I didn't understand your comments earlier, but now updating I wonder if that is a different issue from this though and I am not sure if I should close this issue for it being upstream or somehow fixed by a newer systemd version, but that fix probably isn't in too many stable releases of distributions with systemd. |
Oh, you are probably right about my issue being different then. I saw in logs that Mullvad tried to parse the resolved symlinked /etc/resolv.conf as a static /etc/resolv.conf and failed to parse the file. Then I found this issue and saw Arch's changelog so I thought it might be the same issue. |
It seems like a different issue. I'll have a look at it. I presume you have configured your system to use systemd-resolved? Are there any other alterations that I should be aware of? |
Can reproduce it, will look into it. Looks like the systemd-resolved interface broke and we're falling back to managing DNS via writing directly to |
If it helps, I’ve got a similar problem of the client failing to change dns servers (on Archlinux, with /etc/resolv.conf symlinked to /run/systemd/resolve/stub-resolv.conf as well). Logs from
And content from /etc/resolv.conf (from line 16):
After removing the last two lines, it worked fine. Removing only of |
And as what changed between the versions was |
Removing |
Not for me, as any change to /etc/resolv.conf gets immediately reverted as soon as (or just before) the VPN is started, so still fails with that same error. |
Well, if I enter disconnected state ( Edit: This small one-liner works for me:
But granted, it is a bit of a hack, this should get better with the next release. 🤞 |
I believe it's falling back to managing DNS via Is it really necessary to parse resolv.conf for systemd-resolved if you already check for the symlink and can interact through dbus? Additionally it only checks ipv4 and not ipv6. |
I've created a PR in the upstream resolv-conf library that fixes the issue of trust-ad, I've tested a build with my PR and mullvad-daemon shows that systemd-resolved is being used to manage DNS. hickory-dns/resolv-conf#22 Although this doesn't address the original bug of this thread. |
Issue report
Operating system: Debian Testing
App version: 2020.5
Issue description
If
/etc/resolv.conf
is a symlink pointing to/run/systemd/resolve/stub-resolv.conf
which is systemd-resolved's file not including search domains, Mullvad doesn't alert about it being unable to modify system DNS settings and connects normally while/etc/resolv.conf
is unmodified. This doesn't happen whenresolv.conf
is either a normal file or a symlink somewhere else such as/usr/lib/systemd/resolv.conf
which doesn't includesearch
domains in which case Mullvad blocks connection saying that it couldn't manage system's DNS settings.Steps to reproduce:
resolv.conf
can be modified.sudo rm /etc/resolv.conf && sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
ln -l /etc/resolv.conf && cat /etc/resolv.conf
/etc/resolv.conf
should probably be a normal file and contain Mullvad's DNS resolvers.nameserver 127.0.0.53
I hope this report is beneficial to you as I am unsure whether I should leave this unreported as from my point of view this is a workaround to #473 while #473 (comment) gives me an impression that you would consider this as a DNS leak bug.
The text was updated successfully, but these errors were encountered: