Date: Sat, 18 Apr 2015 23:38:39 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 199529] [security/openvpn] Added client.up/client.down to port to help prevent DNS leaks
Message-ID: <bug-199529-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199529

            Bug ID: 199529
           Summary: [security/openvpn] Added client.up/client.down to port
                    to help prevent DNS leaks
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: mandree@FreeBSD.org
          Reporter: yuri@rawbw.com
             Flags: maintainer-feedback?(mandree@FreeBSD.org)
          Assignee: mandree@FreeBSD.org

Created attachment 155712
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=155712&action=edit
patch

OpenVPN suffers from DNS leaks. Currently the port leaks DNS all the time if the user connects by running 'openvpn spec.ovpn'. client.up/client.down, which are supposed to be used for DNS resolution adjustment, weren't even included in the port.

This patch does two things:
1. Adds client.up/client.down to the port
2. Fixes client.up: removes the '-p' option, because the new DNS doesn't take effect when 'private' DNS is added. In the case of a VPN, DNS shouldn't be private.

CAVEAT: Even with this patch some DNS queries still fall through to the old server (left in the second position in /etc/resolv.conf). I am not sure if there is a cure for that, except for disabling resolvconf(8) altogether.

Also, pkg-message is long, much longer than 80 characters, but I think it is much more important to have the user informed about the correct command line to prevent DNS leaks than to keep the line within 80 characters.

-- 
You are receiving this mail because:
You are the assignee for the bug.
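
A check for the caveat in the report above, as an added example that is not part of the original report or of the port: it lists every nameserver in a resolv.conf that was not pushed by the VPN, such as an old server left in second position. It relies on the foreign_option_N environment variables that OpenVPN passes to up scripts; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag resolv.conf nameservers that did not come from the VPN.

# Print the DNS servers OpenVPN exposes to up scripts as
# foreign_option_N="dhcp-option DNS <addr>" (N = 1, 2, ... with no gaps).
vpn_dns_from_env() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# leaky_nameservers FILE VPN_DNS...
# Print each "nameserver" address in FILE that is not in the VPN list.
# Returns 1 if at least one such address exists, 0 otherwise.
leaky_nameservers() {
    file=$1; shift
    leaks=$(awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$file")
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# Constructed sample: VPN resolver first, pre-VPN resolver still second.
sample=$(mktemp)
printf 'nameserver 10.8.0.1\nnameserver 192.168.1.1\n' > "$sample"
foreign_option_1="dhcp-option DNS 10.8.0.1"   # constructed value
if ! leaky_nameservers "$sample" $(vpn_dns_from_env); then
    echo "resolv.conf still lists non-VPN resolvers" >&2
fi
rm -f "$sample"
```

Run from an up script or by hand after the tunnel is established, pointing it at /etc/resolv.conf instead of the sample file.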