Date:      Sat, 18 Apr 2015 17:18:01 -0700
From:      Yuri <yuri@rawbw.com>
To:        "net@freebsd.org" <net@freebsd.org>
Subject:   resolvconf(8) always leaves original DNS server in the list, allowing DNS requests to leak
Message-ID:  <5532F439.8070506@rawbw.com>

I am looking at this typical situation: the VPN app creates and sets up 
a tap0 interface meant to be the new default route.
Then it calls this command:
 > echo "
 > nameserver <new-DNS-server>
 > domain
 > " | resolvconf -a tap0

Problem:
/etc/resolv.conf now looks like this:
 > nameserver <new-DNS-server>
 > nameserver <old-DNS-server>
The old DNS server is left in the last position. This means that in 
cases where the new server fails, DNS resolution falls back on the old 
server, therefore allowing DNS requests to leak.

I looked through the resolvconf man page, and can't find any way that the 
application can replace the old DNS server there. It can only add the 
new one for some interface, and in the end remove it. The new server 
"overrides" the old one, but still leaves the old one there. This 
creates a situation in which DNS leaks to the old server.

I would like to suggest a new option:
 > -x    Make the new DNS server exclusive.
With this option resolvconf(8) will replace the old server with the new one.

This will require resolvconf to have some more logic.

Yuri
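An added check, not part of Yuri's post or of resolvconf(8) itself: a small POSIX shell script that inspects a resolv.conf after `resolvconf -a tap0` has run and reports any nameserver other than the one the VPN pushed, i.e. the leftover fallback entry described above. The addresses and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): after "resolvconf -a tap0"
# has run, verify that resolv.conf lists only the VPN's nameserver(s).
# Any other nameserver still present is the fallback path described in
# the post, through which queries leak once the VPN server fails.
# The addresses and the sample file below are constructed for illustration.

# Print every "nameserver" entry in file $1 that is not in the
# space-separated allowed list $2 (the servers the VPN handed to
# resolvconf). Prints nothing when the file is clean.
stray_nameservers() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$1"
}

# Verdict helper: prints LEAK when a stray server exists, OK otherwise.
resolv_verdict() {
    if [ -n "$(stray_nameservers "$1" "$2")" ]; then
        echo LEAK
    else
        echo OK
    fi
}

# Constructed resolv.conf mirroring the post: the VPN's server first and
# the pre-VPN server left behind in last position. Written to a temp
# file whose path is printed.
sample_resolv_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Generated by resolvconf
nameserver 10.8.0.1
nameserver 192.0.2.53
EOF
    echo "$f"
}

# Run against the sample; on a real host pass /etc/resolv.conf and the
# nameserver your VPN client supplied to resolvconf.
demo_file=$(sample_resolv_conf)
echo "Verdict: $(resolv_verdict "$demo_file" 10.8.0.1)"   # Verdict: LEAK
stray_nameservers "$demo_file" 10.8.0.1                   # 192.0.2.53
rm -f "$demo_file"
```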