Bug #410
plugin for resolvconf breaks dig and nslookup
Description
The formatting of the entries in /etc/resolv.conf that are inserted by charon breaks dig and nslookup.
Example:
Server pushes 192.168.178.48 and 192.168.178.6 as dns resolvers to the VPN initiator.
This makes charon on the initiator side insert the following in /etc/resolv.conf:
nameserver 192.168.178.48
nameserver #
nameserver by
nameserver strongSwan,
nameserver from
nameserver nfs-server
nameserver 192.168.178.6
The strings in between the IPs break dig and nslookup.
"dig" says the following when you try to resolve any domain name:
$ dig google.de
dig: parse of /etc/resolv.conf failed
"nslookup" says something similar:
$ nslookup google.de
nslookup: parse of /etc/resolv.conf failed
How to Fix:
Remove the strings in between the IPs
Example:
proper content of /etc/resolv.conf:
nameserver 192.168.178.48
nameserver 192.168.178.6

$ dig google.de
dig google.de
; <<>> DiG 9.9.2-P2 <<>> google.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28180
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 4, ADDITIONAL: 5
<Here more proper output>
nslookup google.de
Server: 192.168.178.48
Address: 192.168.178.48#53
Non-authoritative answer:
Name: google.de
Address: 109.193.193.45
<more proper output>
Associated revisions
History
#1 Updated by Tobias Brunner almost 9 years ago
- File 0001-resolve-Put-comment-on-a-separate-line-when-using-re.patch added
- Description updated (diff)
- Status changed from New to Feedback
- Assignee set to Tobias Brunner
nameserver 192.168.178.48
nameserver #
nameserver by
nameserver strongSwan,
nameserver from
nameserver nfs-server
nameserver 192.168.178.6
Hm, that looks very odd. man resolvconf says:
...the information must be provided to resolvconf on its standard input in the format of the resolv.conf(5) file. Each line in the file must be terminated by a newline.
What man resolv.conf has to say about comments is this:
Lines that contain a semicolon (;) or hash character (#) in the first column are treated as comments.
What we actually send to resolvconf is this (using your values):
nameserver 192.168.178.48 # by strongSwan, from nfs-server
So since comments at the end of a line are probably not valid, resolvconf might interpret these as additional name servers.
The attached patch puts the comment on a separate line right before the nameserver directive. Hopefully, this fixes the issue.
#2 Updated by Noel Kuntze almost 9 years ago
The patch fixes the behaviour of both tools and resolv.conf contains
nameserver 192.168.178.48
nameserver 192.168.178.6
as expected.
#3 Updated by Tobias Brunner almost 9 years ago
- Category changed from charon to libhydra
- Status changed from Feedback to Closed
- Target version set to 5.1.1
- Resolution set to Fixed
Thanks for testing. Since comments seem to get ignored there is not really a point in adding any.
The associated commit fixes the issue.
resolve: Remove comment when using resolvconf(8)
Since comments in resolv.conf are only valid at the beginning of a line
resolvconf(8) seems to have started treating any text after
'nameserver <ip>' as additional IP addresses for name servers.
Since it ignores comments, and we can easily remove the added servers
again, there is no point to add any.
Fixes #410.
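
A lint check for the failure discussed in this thread, as an added example that is not strongSwan code: it applies the resolv.conf(5) rule quoted above (comments only in the first column) to text destined for resolvconf(8) or already written to /etc/resolv.conf. The function name and the sample strings are assumptions, built from the values in the report.

```python
import ipaddress

def lint_resolv_conf(text):
    """Return (line_number, message) pairs for lines a resolver may misparse."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line[0] in "#;":
            continue  # blank line, or a comment starting in the first column
        fields = line.split()
        if fields[0][0] in "#;":
            findings.append((lineno, "comment marker not in first column"))
            continue
        if fields[0] != "nameserver":
            continue  # other directives are out of scope for this check
        if len(fields) < 2:
            findings.append((lineno, "nameserver without an address"))
            continue
        addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id, if present
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, f"not an IP address: {fields[1]!r}"))
        if len(fields) > 2:
            extra = " ".join(fields[2:])
            findings.append((lineno, f"trailing text after address: {extra}"))
    return findings

# Constructed samples using the addresses and strings from the report.
SENT_BEFORE_FIX = "nameserver 192.168.178.48 # by strongSwan, from nfs-server\n"
PATCHED_FORM = "# by strongSwan, from nfs-server\nnameserver 192.168.178.48\n"
BROKEN_RESULT = (
    "nameserver 192.168.178.48\nnameserver #\nnameserver by\n"
    "nameserver strongSwan,\nnameserver from\nnameserver nfs-server\n"
    "nameserver 192.168.178.6\n"
)
FIXED_RESULT = "nameserver 192.168.178.48\nnameserver 192.168.178.6\n"

if __name__ == "__main__":
    for name in ("SENT_BEFORE_FIX", "PATCHED_FORM", "BROKEN_RESULT", "FIXED_RESULT"):
        print(name, lint_resolv_conf(globals()[name]))
```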