libnmc-base: don't set DNS priority when importing Wireguard connections (!901) · Merge requests · NetworkManager / NetworkManager

The source project of this merge request has been removed.

Michael Catanzaro requested to merge (removed):mcatanzaro/wg-import-dns-priority into main Jun 18, 2021

This is actually trying too hard to prevent DNS leaks, breaking normal expected use of split DNS. Let systemd-resolved handle sending our DNS queries to the right place instead.

It's true that NetworkManager is trying to emulate the behavior of wg-quick here, and wg-quick uses 'resolvconf -x' to attempt to set "exclusive" DNS. But with systemd-resolved this is implemented by setting a ~~. routing domain for the Wireguard interface. That is a really big hammer already, since Domain=~~. overrides +DefaultRoute, ensuring most DNS queries can only go to other interfaces with Domain=~. NetworkManager follows systemd-resolved's recommended convention by only applying Domain=~. to other "privacy VPNs" since 1.26.6. Setting DNS priority only prevents domain-specific "leaks", which are almost always desired. For example, it prevents using both the Wireguard VPN and a corporate VPN at the same time.

Note that all of the justification behind !688 (closed) applies here as well.

Fixes #585 (closed)

libnmc-base: don't set DNS priority when importing Wireguard connections

Merge request reports