Add details about DNS leakage with NetworkManager for #59

jonathanio · jonathanio · commit 27a3d647d5d6 · 2019-05-19T19:07:10.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,8 +19,8 @@ features.
 - Change the handling of DOMAIN to support mutiple class, with a change in the
   way the values are processed and added to systemd-resolved (@adq)
 - Updated the documentation in a number of areas, including a new section
-  specifically on DNS Leakage, links to the DBus commands, and spelling
-  corrections, etc.
+  specifically on DNS Leakage, links to the DBus commands, NetworkManager and
+  DNSSEC issues, and spelling corrections, etc.
 - Now recommended using the `up-restart` option in the configuration files to
   ensure that `update-systemd-resolved` is re-run when the connection only
   partially restarts (i.e connection restarts, but not the TUN/TAP device).
diff --git a/README.md b/README.md
@@ -264,7 +264,30 @@ responsible for routing all queries, and so both links will get all requests.
 How to manage the DNS settings of other links while the VPN is operational is
 outside the scope of this script at this time.
 
-## DNSSEC Issues
+## Known Issues
+
+There are a number of known issues relating to some third-party servers and
+services:
+
+### NetworkManager
+
+LP1671606:https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1671606
+LP1688018:https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1688018
+
+There is currently a regression with versions of NetworkManager 1.2.6 or later
+(see [LP#1671606][LP1671606] and [LP#1688018][LP1688018]) which means that it
+will automatically set all normal network interfaces with `~.` for DNS routing.
+This means that even if you set `dhcp-option DOMAIN-ROUTE .` for your VPN
+connection, you will still leak DNS queries over potentially insecure networks.
+
+issue-59:https://github.com/jonathanio/update-systemd-resolved/issues/59
+
+If you are concerned by potentially leaking DNS on systems which use
+NetworkManager, you may need to configure an [additional script][issue-59]
+into NetworkManager which change the domain routing settings on all non-VPN
+interfaces.
+
+### DNSSEC Issues
 
 ```shell
 $ systemd-resolve eu-central-1.console.aws.amazon.com
