From owner-freebsd-net@FreeBSD.ORG Sun Apr 19 00:18:09 2015
Date: Sat, 18 Apr 2015 17:18:01 -0700
From: Yuri
To: net@freebsd.org
Subject: resolvconf(8) always leaves original DNS server in the list, allowing DNS requests to leak
Message-ID: <5532F439.8070506@rawbw.com>
List-Id: Networking and TCP/IP with FreeBSD

I am looking at this typical situation: the VPN app creates and sets up a tap0 interface meant to be the new default route. Then it calls this command:

> echo "
> nameserver
> domain
> " | resolvconf -a tap0

Problem: /etc/resolv.conf now looks like this:

> nameserver
> nameserver

The old DNS server is left at the last position.

This means that in cases when the new server fails, DNS resolution falls back on the old server, therefore allowing DNS requests to leak.

I looked through the resolvconf man page and can't find any way that an application can replace the old DNS server there. It can only add the new one for some interface and, in the end, remove it. The new server "overrides" the old one, but still leaves the old one there. This creates a situation where DNS leaks to the old server.

I would like to suggest a new option:

> -x Make the new DNS server exclusive. With this option resolvconf(8) will replace the old server with the new one.

This will require resolvconf to have some more logic.

Yuri
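A check for the fallback condition the mail describes, added here as an example (not code from the mail or from resolvconf): it lists every `nameserver` entry in a resolv.conf that is not one of the servers the VPN pushed. The file contents and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example: detect resolvers left in resolv.conf that did not come
# from the VPN interface, i.e. the old server that "resolvconf -a" keeps
# at the end of the list and that queries fall back to.

# Print the nameserver addresses from a resolv.conf read on stdin, in file order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Usage: find_leaking_nameservers FILE VPN_NS [VPN_NS ...]
# Prints each nameserver in FILE that is not among the VPN_NS arguments.
# Returns 0 when every listed resolver is a VPN one, 1 when at least one is not.
find_leaking_nameservers() {
    file="$1"; shift
    leaks=0
    for ns in $(resolv_nameservers < "$file"); do
        ok=0
        for allowed in "$@"; do
            [ "$ns" = "$allowed" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$ns"
            leaks=1
        fi
    done
    return $leaks
}

# Constructed sample of what the mail says /etc/resolv.conf looks like after
# "resolvconf -a tap0": the VPN server first, the original server still last.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Generated by resolvconf
domain example.com
nameserver 203.0.113.53
nameserver 192.0.2.1
EOF

# Exit status 1 here is the condition worth alerting on: resolution can
# fall back to a server that is not reached through the VPN.
if find_leaking_nameservers "$SAMPLE" 203.0.113.53; then
    echo "resolv.conf lists only VPN nameservers"
else
    echo "WARNING: the resolvers printed above are not from the VPN"
fi
rm -f "$SAMPLE"
```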