resolvconf(8) always leaves original DNS server in the list, allowing DNS requests to leak
Yuri
yuri at rawbw.com
Sun Apr 19 08:40:56 UTC 2015
On 04/19/2015 00:30, Rui Paulo wrote:
> What you want requires scoped routing and scoped DNS, meaning that the network
> stack must have knowledge of what domain names a specific VPN DNS server
> resolves. The resolv.conf file is completely unsuitable for this purpose.
>
> The solution you offer is just a hack to avoid the "leak" of DNS domain names
> and doesn't really solve the bigger problem. What if the VPN DNS server
> doesn't resolve google.com?
Actually, resolvconf does support DNS scoping, at least roughly. It has
a "-p" (private) flag, and in that case it only resolves domains listed in
resolv.conf. And scoped routing is supported by OpenVPN.

There is a distinction between the corporate VPN and the personal
("home") use VPN. Usually DNS in the latter is resolving everything.
Such a VPN is designed to be exclusive and to protect privacy. This is the
one I am mostly talking about. The current resolvconf works okay in the
case of the corporate VPN. In that case the "-p" flag and the list of
corporate domains should be used.
Yuri
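The check below is an added example, not code from this thread or from resolvconf(8) itself. It parses a resolv.conf-style file and reports any nameserver that is not one of the VPN's resolvers, which is the leftover-resolver condition the subject line describes, so an up/down script or a monitoring job can detect the leak instead of assuming resolvconf removed the old entry. The 10.8.0.1 VPN resolver, the 192.0.2.1 LAN resolver and the sample file contents are constructed values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect whether a generated
# resolv.conf still lists resolvers other than the VPN's. Addresses and the
# sample file below are constructed.

# list_nameservers FILE
#   Print the nameserver addresses from a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# leaked_nameservers FILE VPN_NS...
#   Print every nameserver in FILE that is not one of the VPN nameservers.
#   Returns 0 when nothing leaks, 1 when at least one foreign resolver remains.
leaked_nameservers() {
    file=$1; shift
    leaked=0
    for ns in $(list_nameservers "$file"); do
        found=0
        for vpn in "$@"; do
            [ "$ns" = "$vpn" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$ns"
            leaked=1
        fi
    done
    return $leaked
}

# Constructed sample: the LAN resolver (192.0.2.1) stays listed after the
# VPN interface pushed 10.8.0.1, so queries may still go to the LAN resolver.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Generated by resolvconf
search example.net
nameserver 10.8.0.1
nameserver 192.0.2.1
EOF

if leaked_nameservers "$SAMPLE" 10.8.0.1 >/dev/null; then
    echo "ok: only VPN resolvers listed"
else
    echo "leak: non-VPN resolver(s) still present:"
    leaked_nameservers "$SAMPLE" 10.8.0.1
fi
rm -f "$SAMPLE"
```

The VPN resolver list would normally come from the addresses the VPN client pushed (the same ones the up script hands to resolvconf -a), so the check can run right after resolvconf regenerates the file and before the route change is trusted.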