Static route when specifying DNS server, and DNS leak in VPN

  • Hi.
    This behavior occurs on LibreELEC and OpenELEC on Raspberry Pi 2; I don't know if it also happens on other systems.
    I don't know why, but when I specify DNS servers manually (i.e. DNS servers not obtained from DHCP), by default the system puts specific routes for these DNS addresses into the routing table.

    This is the route print of LibreELEC when the IP fields (IP, subnet mask, default gateway, DNS...) are obtained from DHCP (so the DNS servers are also obtained automatically from DHCP):

    Code
    LibreELEC:~ # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0


    This is the route print of LibreELEC when I manually configure the DNS servers (8.8.8.8 and 8.8.4.4 in this case):

    Code
    LibreELEC:~ # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    8.8.4.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    8.8.8.8         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0


    As you can see, 8.8.8.8 and 8.8.4.4 (the DNS servers) have their own specific routes...

    In my experience this behavior is present in OpenELEC 6.x and LibreELEC (Jarvis 16.1) v7.0.2, and also in LibreELEC (Krypton) v7.90.004 and later versions.
    I know how to remove those routes, but my question is: why does the system add these useless routes?
    How can I tell the OS not to add the DNS server routes when the DNS servers are assigned manually?

    In a VPN environment this causes a DNS leak, because the traffic to the DNS servers will go via eth0 (the default) and not via the tun0 interface (the VPN interface). In my experience there is also a very strange behavior: even if I remove these routes, the system (LibreELEC / OpenELEC) still always uses these routes for DNS lookups, so the DNS queries go "directly" to the DNS servers (via the eth0 interface) and do not use the VPN tunnel (via the tun0 interface). I have checked this strange behavior with "netstat": there are established connections to DNS from eth0 and not from tun0!

    This is the route print of LibreELEC when I manually configure the DNS servers (8.8.8.8 and 8.8.4.4 in this case) and OpenVPN is up:

    Code
    LibreELEC:~ # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.3.200.254    0.0.0.0         UG    0      0        0 tun0
    8.8.4.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    8.8.8.8         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    10.3.200.0      *               255.255.255.0   U     0      0        0 tun0
    159.122.133.197 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0

    As you can see, even when the VPN connection is UP and the default gateway (destination) is via the VPN, the DNS routes are still there and the connection to DNS goes via the eth0 interface and not via tun0...

    This is the netstat output:

    Code
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    udp        0      0 192.168.1.65:44941      google-public-dns-a.google.com:domain ESTABLISHED 294/connmand
    udp        0      0 192.168.1.65:47546      google-public-dns-b.google.com:domain ESTABLISHED 294/connmand
    udp        0      0 192.168.1.65:35954      google-public-dns-a.google.com:domain ESTABLISHED 294/connmand
    udp        0      0 192.168.1.65:58527      google-public-dns-b.google.com:domain ESTABLISHED 294/connmand

    As you can see, the ESTABLISHED connections to the DNS servers are via eth0 and not via tun0.
    This also happens if I manually remove the DNS entries from the routing table ("route del 8.8.8.8" and "route del 8.8.4.4"): the "connmand" process always goes directly (using eth0) and not via the VPN (using tun0).
    If I kill the "connmand" process (PID 294 in this case), it automatically starts again, but the DNS connections still always go directly (using eth0) and not via the VPN (using tun0).

    I think this is incorrect behavior in connman.

    Any solutions / patch?
    Thanks!

    Edited once, last by outcave (November 17, 2016 at 2:52 PM).
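As an added example (not part of the original post, and not LibreELEC or connman code), the following Python script does the check the poster did by hand: it parses a `route` table, resolves each configured DNS server with longest-prefix matching the way the kernel would, and reports every resolver whose egress interface is not the VPN interface. It assumes IPv4 and the `route` / `route -n` column layout shown in the post; the sample table embedded below is the one from the post with OpenVPN up, included here as constructed input so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the `route` table from the post above, taken with
# OpenVPN up and 8.8.8.8 / 8.8.4.4 configured by hand as resolvers.
SAMPLE_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.3.200.254    0.0.0.0         UG    0      0        0 tun0
8.8.4.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
8.8.8.8         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
10.3.200.0      *               255.255.255.0   U     0      0        0 tun0
159.122.133.197 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None for directly connected ("*" in `route` output)
    metric: int
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse the output of `route` or `route -n` (IPv4 only; assumed column layout)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines and anything that is not a full route row.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, mask, _flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":  # `route` without -n prints the 0.0.0.0/0 route this way
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(network, None if gateway == "*" else gateway,
                            int(metric), iface))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, lower metric breaking ties, as the kernel does."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def default_route(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 entry with the lowest metric, or None if there is none."""
    defaults = [r for r in routes if r.network.prefixlen == 0]
    return min(defaults, key=lambda r: r.metric) if defaults else None


def find_dns_leaks(route_text: str, dns_servers: List[str],
                   vpn_iface: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Return {resolver: egress interface} for each resolver that would NOT be
    reached through vpn_iface. If vpn_iface is not given, the interface of the
    default route is used (the VPN, once it has taken over the default gateway)."""
    routes = parse_route_table(route_text)
    if vpn_iface is None:
        d = default_route(routes)
        vpn_iface = d.iface if d else None
    leaks: Dict[str, Optional[str]] = {}
    for server in dns_servers:
        r = lookup(routes, server)
        iface = r.iface if r else None
        if iface != vpn_iface:
            leaks[server] = iface
    return leaks


if __name__ == "__main__":
    for server, iface in find_dns_leaks(SAMPLE_ROUTE_TABLE,
                                        ["8.8.8.8", "8.8.4.4"]).items():
        print(f"DNS leak: {server} is routed via {iface}, not via the VPN")
```

Note the caveat the post itself raises: after `route del`, the /32 host routes are gone from the table, so this check would report no leak, yet `netstat` still showed connmand's UDP sockets using the eth0 address. A routing-table check therefore only catches the static-route case; confirming that resolver traffic really leaves through tun0 needs the socket-level view (`netstat -anp` or `ss -unap` filtered on port 53, as the post does) or a packet capture on eth0.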

  • Hi Milhouse, I'm sorry but the behavior is the same:
    Before:

    After your release: