NM: Make DNS settings the maximum to avoid DNS leak fallback
NM has atrocious defaults. In the current situation, if you're connected to OpenVPN/WireGuard (full tunnel, default gateway), DNS may go outside of the VPN if the hostname only resolves in e.g. a DHCP-provided DNS server. This is determined with the ipv4/ipv6 dns-priority setting and the dns-search setting.

We have to ensure that the dns-priority gets a negative value, from nm-settings:

    DNS servers priority. The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority). Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all active connections profiles.

We thus make the following change if full tunnel/default gateway:

- Set the DNS priority:
    nmcli con modify eduVPN ipv4.dns-priority -2147483648 (int32 min)
    nmcli con modify eduVPN ipv6.dns-priority -2147483648 (int32 min)
- Include the ~. DNS search domain:
    nmcli con modify eduVPN ipv4.dns-search "~."
    nmcli con modify eduVPN ipv6.dns-search "~."

Modifying the DNS search domain to ~. is needed according to https://systemd.io/RESOLVED-VPNS/. This doc also states it's good to set never-default to no (even if it doesn't do much), which we already did for OpenVPN. Let's do the same for WireGuard.

Note that this only seems to happen with systemd-resolved, which is the default on Fedora. E.g. Openresolv resolvconf is not affected.
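The rule the commit message quotes from nm-settings (with at least one negative dns-priority, only the connections sharing the lowest value supply DNS servers) can be checked offline. The script below is an added example, not code from the commit or the eduVPN project: it takes one line per active connection in a constructed "name:dns-priority:dns-search" layout and reports whether the named VPN profile actually wins DNS resolution, i.e. its priority is negative, strictly lower than every other active profile's (a tie keeps both sets of servers in use), and its dns-search contains "~.". Building those lines from `nmcli -g ipv4.dns-priority,ipv4.dns-search con show NAME` for each active profile is an assumption about the surrounding tooling; the sample states use NetworkManager's documented defaults (50 for VPN profiles, 100 for others) as illustrative values.

```shell
#!/bin/sh
# Added example, not part of the commit: an offline audit of NetworkManager's
# dns-priority rule. A VPN profile owns DNS only if its dns-priority is
# negative, strictly lower than every other active profile's, and its
# dns-search contains "~." so that all domains are routed to it.
#
# Input format (constructed for this example): one line per active connection,
# "name:dns-priority:dns-search". Assembling these lines from
# `nmcli -g ipv4.dns-priority,ipv4.dns-search con show NAME` is an assumption.

# check_vpn_dns VPN_NAME INPUT -> returns 0 if VPN_NAME wins DNS, 1 otherwise
check_vpn_dns() {
    vpn=$1
    input=$2
    vpn_prio=
    vpn_search=
    other_min=
    while IFS=: read -r name prio search; do
        [ -z "$name" ] && continue
        # dns-priority must be a (possibly negative) integer
        case "$prio" in
            ''|*[!0-9-]*) echo "bad priority '$prio' for $name" >&2; return 1 ;;
        esac
        if [ "$name" = "$vpn" ]; then
            vpn_prio=$prio
            vpn_search=$search
        elif [ -z "$other_min" ] || [ "$prio" -lt "$other_min" ]; then
            other_min=$prio
        fi
    done <<EOF
$input
EOF

    if [ -z "$vpn_prio" ]; then
        echo "profile $vpn is not active" >&2
        return 1
    fi
    if [ "$vpn_prio" -ge 0 ]; then
        echo "$vpn dns-priority $vpn_prio is not negative: other servers stay in use" >&2
        return 1
    fi
    # A tie at the lowest value keeps the other connection's servers in use too.
    if [ -n "$other_min" ] && [ "$other_min" -le "$vpn_prio" ]; then
        echo "another profile has dns-priority $other_min <= $vpn_prio" >&2
        return 1
    fi
    case "$vpn_search" in
        *"~."*) ;;
        *) echo "$vpn dns-search lacks '~.': resolved can still route names elsewhere" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample states, not real nmcli output.
# Before: VPN at the default 50, Wi-Fi at 100, no search domains.
STATE_BEFORE="wifi0:100:
eduVPN:50:"
# After the commit's change: int32 min plus the "~." search domain.
STATE_AFTER="wifi0:100:
eduVPN:-2147483648:~."
# A tie at the most negative value still leaves both resolvers in use.
STATE_TIE="wifi0:-2147483648:
eduVPN:-2147483648:~."

main() {
    for s in BEFORE AFTER TIE; do
        eval "state=\$STATE_$s"
        if check_vpn_dns eduVPN "$state"; then
            echo "$s: eduVPN owns DNS"
        else
            echo "$s: DNS may leak"
        fi
    done
}

main
```

The tie case is the one worth remembering: int32 min is only decisive if no other active profile uses the same value, which is why the check compares against the lowest priority of every other connection rather than just testing for a negative number.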