Hi.
This behavior occurs on LibreELEC and OpenELEC on a Raspberry Pi 2; I don't know if it also happens on other systems.
I don't know why, but when I specify DNS servers manually (so the DNS servers are not obtained from DHCP), the system by default puts specific routes for these DNS addresses into the routing table.
This is the route print of LibreELEC when IP fields (IP, subnet mask, default gateway, DNS...) are given by DHCP (so DNS Servers automatically obtained from DHCP):
LibreELEC:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
This is the route print of LibreELEC when I manually configure the DNS servers (8.8.8.8 and 8.8.4.4 in this case):
LibreELEC:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
8.8.4.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
8.8.8.8         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
As you can see, 8.8.8.8 and 8.8.4.4 (the DNS servers) have their own specific routes...
In my experience this behavior is in OpenELEC 6.x and LibreELEC (Jarvis 16.1) v7.0.2 and also LibreELEC (Krypton) v7.90.004 and later versions.
I know how to remove those routes, but my question is: why does the system add these useless routes?
How can I tell the OS not to add the DNS server routes when I manually assign DNS servers?
In a VPN environment this gives a DNS leak because the traffic to the DNS servers will go via eth0 (default) and not via the tun0 interface (VPN interface), and in my experience there is a very strange behavior: even if I remove these routes, the system (LibreELEC / OpenELEC) will still always use these routes for DNS lookups, so the DNS queries will go "directly" to the DNS servers (via the eth0 interface), not using the VPN tunnel (via the tun0 interface). I have checked this strange behavior with "netstat": there are established connections to the DNS servers from eth0 and not from tun0!
This is the route print of LibreELEC when I manually configure the DNS servers (8.8.8.8 and 8.8.4.4 in this case) and when OpenVPN is up:
LibreELEC:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.3.200.254    0.0.0.0         UG    0      0        0 tun0
8.8.4.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
8.8.8.8         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
10.3.200.0      *               255.255.255.0   U     0      0        0 tun0
159.122.133.197 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0
As you can see, even if the VPN connection is up and the default gateway (destination) is via the VPN, the DNS routes are there and the connection to the DNS servers goes via the eth0 interface and not via tun0...
This is the netstat output:
Proto Recv-Q Send-Q Local Address       Foreign Address                        State       PID/Program name
udp        0      0 192.168.1.65:44941  google-public-dns-a.google.com:domain  ESTABLISHED 294/connmand
udp        0      0 192.168.1.65:47546  google-public-dns-b.google.com:domain  ESTABLISHED 294/connmand
udp        0      0 192.168.1.65:35954  google-public-dns-a.google.com:domain  ESTABLISHED 294/connmand
udp        0      0 192.168.1.65:58527  google-public-dns-b.google.com:domain  ESTABLISHED 294/connmand
As you can see, ESTABLISHED connections to the DNS Servers are via eth0 and not via tun0.
This also happens if I manually remove the DNS entries from the routing table ("route del 8.8.8.8" and "route del 8.8.4.4"): the "connmand" process will always go directly (using eth0) and not via the VPN (using tun0).
If I kill the "connmand" process (with PID 294 in this case), the "connmand" process will automatically start again and the DNS connection, however, will still always go directly (using eth0) and not via the VPN (using tun0).
I think this is a wrong behavior of connman.
Any solutions / patch?
Thanks!
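
Added example, not part of the original post: a shell check that does a longest-prefix match over `route` output and reports every DNS server whose winning route leaves through an interface other than the VPN one, which is the leak shown in the tables above. The function name `dns_leak_check` is hypothetical, the sample table is the post's own OpenVPN-up output, and contiguous netmasks are assumed (metrics are ignored).

```shell
#!/bin/sh
# Constructed sample: the `route` output from the post with OpenVPN up.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.3.200.254 0.0.0.0 UG 0 0 0 tun0
8.8.4.4 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
8.8.8.8 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
10.3.200.0 * 255.255.255.0 U 0 0 0 tun0
159.122.133.197 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.1 * 255.255.255.255 UH 0 0 0 eth0'

# dns_leak_check VPN_IFACE DNS_IP...   (routing table on stdin)
# Prints "<dns-ip> <iface>" for each DNS server that bypasses VPN_IFACE.
dns_leak_check() {
    vpn_if=$1; shift
    awk -v vpn="$vpn_if" -v servers="$*" '
    function ip2n(s,  p) {                 # dotted quad -> integer
        if (s == "default") return 0
        split(s, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # Route rows only: 8 fields and a dotted-quad Genmask (skips headers).
    $8 != "" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        n++
        dest[n]  = ip2n($1)
        size[n]  = 4294967296 - ip2n($3)   # addresses covered by the mask
        iface[n] = $8
    }
    END {
        cnt = split(servers, dns, " ")
        for (i = 1; i <= cnt; i++) {
            ip = ip2n(dns[i]); best = 0
            for (r = 1; r <= n; r++)       # most specific matching route wins
                if (ip - (ip % size[r]) == dest[r] &&
                    (!best || size[r] < size[best]))
                    best = r
            if (best && iface[best] != vpn)
                print dns[i], iface[best]
        }
    }'
}

# Demo on the constructed sample; prints the two pinned DNS servers.
printf '%s\n' "$SAMPLE_ROUTES" | dns_leak_check tun0 8.8.8.8 8.8.4.4 1.1.1.1
```

On the device, feed it live data with `route -n | dns_leak_check tun0 8.8.8.8 8.8.4.4`. An empty result only covers the routing table; the post reports connmand still using eth0 after the routes were deleted, so the netstat check above is still needed.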