
Potential DNS leak with Wireguard + iwd + resolvconf



Hi,

My wireless interface is controlled via iwd
(EnableNetworkConfiguration=true, NameResolvingService=resolvconf), and
I have a wireguard VPN used to remotely access my private network,
managed via e/n/i / ifupdown (using wg-quick).
In /etc/wireguard/wg0.conf, I have a "DNS=xxx.xxx.xxx.xxx" line,
pointing to a nameserver I run within my private network (reachable
through the wireguard tunnel).

When I connect to a wireless network (using DHCP,
handled by iwd, as above), /etc/resolv.conf gets populated with the
standard:

nameserver nnn.nnn.nnn.nnn
search a.b.c

When I then do "ifup wg0", my specified nameserver xxx.xxx.xxx.xxx is
*prepended* to the above lines, so I end up with the following
in /etc/resolv.conf:

nameserver xxx.xxx.xxx.xxx
nameserver nnn.nnn.nnn.nnn
search a.b.c

This seems wrong, and a potentially serious DNS leak: if my nameserver
xxx.xxx.xxx.xxx ever goes down, then nameserver nnn.nnn.nnn.nnn will be
automatically queried, which may be undesirable.

My understanding is that the VPN configuration should be *replacing* the
pre-VPN /etc/resolv.conf, rather than *prepending* the new nameserver to
it. Am I misunderstanding things, have I misconfigured things, or is
this indeed a (serious) bug?

-- 
Celejar
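As an added example (not part of the original post, nor code from wg-quick, iwd or resolvconf), a shell check for the state described above: it parses a resolv.conf and reports any nameserver that is not one of the allowed VPN servers, so it can be run after "ifup wg0" to catch a leftover pre-VPN entry. The addresses are constructed placeholders for the post's xxx/nnn values.

```shell
#!/bin/sh
# Added example, not from the original post. glibc's resolver tries the
# nameserver lines in order (at most three) and moves on to the next one
# on timeout, so any stray non-VPN entry is a fallback path for queries.
# Usage: check_resolv_conf FILE ALLOWED_NS [ALLOWED_NS...]
# Returns 0 when every nameserver line is allowed, 1 otherwise, and
# prints each unexpected nameserver to stderr.
check_resolv_conf() {
    file=$1; shift
    rc=0
    # strip comments, keep only "nameserver" lines, take the address field
    for ns in $(sed -e 's/[#;].*//' "$file" | awk '$1 == "nameserver" { print $2 }'); do
        allowed=0
        for ok in "$@"; do
            [ "$ns" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "unexpected nameserver in $file: $ns" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring the two states discussed in the post:
# the prepended result the poster observed, and the replaced result expected.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 10.0.0.53\nnameserver 192.0.2.1\nsearch a.b.c\n' > "$tmp/prepended.conf"
printf 'nameserver 10.0.0.53\n' > "$tmp/replaced.conf"

check_resolv_conf "$tmp/prepended.conf" 10.0.0.53 && echo "prepended: ok" || echo "prepended: LEAK"
check_resolv_conf "$tmp/replaced.conf" 10.0.0.53 && echo "replaced: ok" || echo "replaced: LEAK"
```

On a live system, run `check_resolv_conf /etc/resolv.conf <VPN nameserver>` after bringing the tunnel up; a non-zero exit means a non-VPN resolver is still listed.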

