Description
Describe the bug
DNS requests still leak through the physical interface's servers on Ubuntu 18.04 with PVPN DNS Leak Protection enabled.
When connecting to PVPN, the CLI tool will modify the systemd-resolved config in an effort to route DNS traffic to the PVPN DNS server, 10.8.8.1. However, it seems to do this with the Global config, not the tun0 interface. Here are outputs of several systemd-resolve --status runs, altered and snipped for brevity.
No VPN

```
Global
          DNS Domain: my.lan
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      ...
                      test

Link 3 (wlp2s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.xx.xx.x   # <- My local network DNS
          DNS Domain: ~.
                      my.lan
                      ...
```
ProtonVPN

```
Global
         DNS Servers: 10.8.8.1
          DNS Domain: my.lan
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      ...
                      test

Link 31 (tun0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 3 (wlp2s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.xx.xx.x
          DNS Domain: ~.
                      my.lan
                      ...
```
Third-party VPN

```
Global
          DNS Domain: my.lan
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      ...
                      test

Link 32 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.yyy.yyy.1   # <- VPN provider's DNS server
          DNS Domain: ~.

Link 3 (wlp2s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.xx.xx.x
          DNS Domain: ~.
                      my.lan
                      ...
```
I currently have two other VPN providers and they both handle the systemd-resolved config in about the same way. The PVPN method is different and results in my regular DNS servers appearing in DNS leak tests.
Modifying the systemd-resolved config myself after connecting to PVPN temporarily fixes the issue until I disconnect.
```
$ sudo systemd-resolve --interface tun0 --set-dns 10.8.8.1 --set-domain ~.
$ systemd-resolve --interface wlp2s0 --revert
# Disconnect and reconnect the physical network to restore DNS to wlp2s0 after disconnecting PVPN.
```
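As an added check, not part of this issue or of the ProtonVPN CLI, the following parses `systemd-resolve --status` output and reports the configuration described above: the VPN resolver (assumed to be 10.8.8.1 on tun0, as in the report) present only in the Global section while the tunnel link carries no DNS of its own, plus which other links still have resolvers. The sample output is constructed from the ProtonVPN listing above, with a placeholder address standing in for the redacted local resolver.

```python
import re

# Constructed sample modelled on the "ProtonVPN" listing in the report: VPN DNS only
# in Global, tun0 with no DNS scope, physical link keeping its own resolver.
SAMPLE_STATUS = """\
Global
         DNS Servers: 10.8.8.1
          DNS Domain: my.lan

Link 31 (tun0)
      Current Scopes: none
       LLMNR setting: yes

Link 3 (wlp2s0)
      Current Scopes: DNS
         DNS Servers: 10.1.1.1
          DNS Domain: ~.
                      my.lan
"""

KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$")   # "  DNS Servers: 10.8.8.1"
LINK_RE = re.compile(r"^Link \d+ \((\S+)\)")                   # "Link 31 (tun0)"


def parse_status(text):
    """Return {section: {key: [values]}} from systemd-resolve --status output."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):              # section header: Global / Link N (name)
            m = LINK_RE.match(line)
            current = m.group(1) if m else line.strip()
            sections[current] = {}
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:                                     # "Key: value" (value may be empty)
            last_key, val = m.group(1), m.group(2).strip()
            sections[current][last_key] = [val] if val else []
        elif last_key:                            # indented continuation of previous key
            sections[current][last_key].append(line.strip())
    return sections


def check_vpn_dns(sections, vpn_link="tun0", vpn_dns="10.8.8.1"):
    """Is the VPN resolver bound to the tunnel link (as the manual fix above does),
    or only to Global? Also list other links that still carry resolvers."""
    tun = sections.get(vpn_link, {})
    on_link = vpn_dns in tun.get("DNS Servers", []) and "~." in tun.get("DNS Domain", [])
    global_only = vpn_dns in sections.get("Global", {}).get("DNS Servers", []) and not on_link
    others = [n for n, c in sections.items() if n not in ("Global", vpn_link) and c.get("DNS Servers")]
    return {"vpn_dns_on_link": on_link, "vpn_dns_global_only": global_only,
            "other_links_with_dns": others}
```

Running `check_vpn_dns(parse_status(SAMPLE_STATUS))` flags the global-only placement and names wlp2s0 as a link that still has its own resolver; after the per-link fix above, the same check on fresh output should report the resolver on tun0.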
To Reproduce
Steps to reproduce the behavior:
- `$ protonvpn c -f`
- Go to dnsleaktest.com and see your real DNS servers appear in the test results.
Expected behavior
My guess is that you'd want the PVPN CLI to set the DNS server on the tun0 interface, not in the Global config.
Error Messages
Just a few debug messages showing I have DNS Leak Protection enabled.
```
2019-11-24 19:19:39,685 — protonvpn-cli — DEBUG — manage_dns:573 — DNS Leak Protection is enabled
2019-11-24 19:19:39,686 — protonvpn-cli — DEBUG — manage_dns:579 — resolv.conf backed up
2019-11-24 19:19:39,687 — protonvpn-cli — DEBUG — manage_dns:587 — Removed existing DNS Servers
2019-11-24 19:19:39,688 — protonvpn-cli — DEBUG — manage_dns:595 — Added ProtonVPN or custom DNS
```
Desktop (please complete the following information):
- OS: Ubuntu 18.04
- Python Version: 3.6.8
- ProtonVPN-CLI Version: 2.1.1
Additional context
I noticed that the CLI tool relies on directly modifying the resolv.conf file in place, so this may not be a trivial fix. The third-party VPN client does not modify the resolv.conf file, and I wish I could find exactly how it does it.
Thanks for the hard work!