-rw-r--r--docs/changelog.rst1
-rwxr-xr-xsrc/leap/bitmask/vpn/helpers/linux/bitmask-root7
2 files changed, 6 insertions, 2 deletions
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 60f756f8..6fd052a8 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -19,6 +19,7 @@ Bugfixes
- `#9191 <https://0xacab.org/leap/bitmask-dev/issues/9191>`_: workaround for missing libs needed for qtwebengine.
- `#9171 <https://0xacab.org/leap/bitmask-dev/issues/9171>`_: fix a bug in bootstrap that avoided more than one user to login.
- `#9165 <https://0xacab.org/leap/bitmask-dev/issues/9165>`_: deprecate pyqt5-webkit, use qtwebengine instead.
+- `#9137 <https://0xacab.org/leap/bitmask-dev/issues/9137>`_: fix issues with dns resolution with systemd-resolved (mostly ubuntu 17.10).
Misc
~~~~
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 9be9a61a..ee838164 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -628,7 +628,7 @@ def firewall_start(args):
enable_ip_forwarding()
# allow dns to localhost
ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
- "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
+ "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
"--jump", "ACCEPT")
# rewrite all outgoing packets to use VPN DNS server
# (DNS does sometimes use TCP!)
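Review bot: The ACCEPT exemption that now also covers the systemd-resolved stub at 127.0.0.53 is still `--protocol udp` only, while the rewrite rules that follow (and the comment "DNS does sometimes use TCP!") also DNAT tcp/53 to NAMESERVER, so a TCP query to the local stub (a truncated-response retry, for instance) would presumably still be redirected rather than reaching the resolver the change is trying to keep working. If that is not intended, add a parallel tcp rule next to the udp one: `ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "tcp",` / `"--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",` / `"--jump", "ACCEPT")`. The growing literal list of loopback resolver addresses is also worth lifting into a module-level constant (e.g. `LOCAL_DNS_ADDRS`) so the exemption and any future rule stay in sync. firewall_start starts before this hunk and continues past it.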
@@ -637,10 +637,13 @@ def firewall_start(args):
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
# enable masquerading, so that DNS packets rewritten by DNAT will
- # have the correct source IPs
+ # have the correct source IPs. Apply masquerade only to the NAMESERVER,
+ # we don't want to apply it to the localhost dns resolver.
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+ "--dest", NAMESERVER,
"--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+ "--dest", NAMESERVER,
"--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
# allow local network traffic