From: Yuri <yuri@rawbw.com>
Date: Sun, 19 Apr 2015 01:40:53 -0700
To: Rui Paulo, freebsd-net@freebsd.org
Subject: Re: resolvconf(8) always leaves original DNS server in the list, allowing DNS requests to leak
Message-ID: <55336A15.3050905@rawbw.com>
References: <5532F439.8070506@rawbw.com> <4525101.OcnIUfWoXM@akita>
In-Reply-To: <4525101.OcnIUfWoXM@akita>

On 04/19/2015 00:30, Rui Paulo wrote:
> What you want requires scoped routing and scoped DNS, meaning that the
> network stack must have knowledge of what domain names a specific VPN DNS
> server resolves. The resolv.conf file is completely unsuitable for this
> purpose.
>
> The solution you offer is just a hack to avoid the "leak" of DNS domain
> names and doesn't really solve the bigger problem. What if the VPN DNS
> server doesn't resolve google.com?

Actually, resolvconf does support DNS scoping, at least roughly. It has a
"-p" (private) flag, and in that case it only resolves domains listed in
resolv.conf. And scoped routing is supported by OpenVPN.

There is a distinction between the corporate VPN and the personal ("home")
VPN. Usually DNS in the latter resolves everything. Such a VPN is designed
to be exclusive and to protect privacy. This is the one I am mostly talking
about.

The current resolvconf works okay in the case of the corporate VPN. In that
case the "-p" flag and the list of corporate domains should be used.

Yuri
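The leak the thread is about is a resolv.conf that still carries the pre-VPN nameserver next to the one the VPN pushed, so the resolver can send queries outside the tunnel. The following POSIX sh script is an added example, not code from this thread, from resolvconf(8) or from the FreeBSD project; it reads a resolv.conf text and a list of the nameservers the VPN is expected to push, and reports every nameserver entry that is not in that list. The sample resolv.conf content and the addresses 10.8.0.1 and 192.168.1.1 are constructed for the example; the function names leaking_nameservers and dns_leak_status are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from resolvconf(8)): list the
# nameservers in a resolv.conf that do NOT belong to the VPN's expected set.
# In the "home VPN" case discussed above, any such entry lets DNS queries
# leave the tunnel. All sample data below is constructed.

# Constructed resolv.conf as resolvconf(8) might assemble it: the VPN's
# nameserver first, the original (pre-VPN) nameserver still present after it.
SAMPLE_RESOLV_CONF='# Generated by resolvconf
search example.lan
nameserver 10.8.0.1
nameserver 192.168.1.1
options edns0'

# leaking_nameservers RESOLV_CONF_TEXT VPN_NS_LIST
#   Prints, one per line, every "nameserver" entry whose address is not in
#   VPN_NS_LIST (a space-separated list of the resolvers the VPN pushed).
#   Comment lines and non-nameserver directives (search, options) are ignored.
leaking_nameservers() {
    _conf="$1"
    _vpn="$2"
    printf '%s\n' "$_conf" | awk -v vpn="$_vpn" '
        BEGIN { n = split(vpn, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "nameserver" && !($2 in ok) { print $2 }  # outside the VPN set
    '
}

# dns_leak_status RESOLV_CONF_TEXT VPN_NS_LIST
#   Prints "clean" when every nameserver belongs to the VPN set, else "leak".
dns_leak_status() {
    if [ -n "$(leaking_nameservers "$1" "$2")" ]; then
        echo leak
    else
        echo clean
    fi
}

# Stand-alone run: the VPN pushed 10.8.0.1; 192.168.1.1 is the leftover entry.
leaking_nameservers "$SAMPLE_RESOLV_CONF" "10.8.0.1"
dns_leak_status "$SAMPLE_RESOLV_CONF" "10.8.0.1"
```

Against a live system the same check is `dns_leak_status "$(cat /etc/resolv.conf)" "10.8.0.1"` with the VPN's real resolver in place of the constructed address; "leak" means the generated file still lists a resolver the tunnel does not control, which is exactly the condition the subject line describes. The check is on the file contents only and says nothing about how a particular resolver library orders or fails over between the listed servers.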