Fixing issue 9011: DNS leakage when only one DNS server is set

[alimirjamali]

Fixes QubesOS/qubes-issues#9011
Details in Github comments and forum link

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.57%. Comparing base (5153704) to head (c5a2b76).

❗ Current head c5a2b76 differs from pull request most recent head 6473a28

Please upload reports for the commit 6473a28 to get more accurate results.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #505   +/-   ##
=======================================
  Coverage   70.57%   70.57%           
=======================================
  Files           3        3           
  Lines         469      469           
=======================================
  Hits          331      331           
  Misses        138      138           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[qubesos-bot]

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024062200-4.3&flavor=pull-requests

Test run included the following:

• Fixing issue 9011: DNS leakage when only one DNS server is set #505 (6473a28)
• Add NoDisplay=true #507 (83f6142)
• Tests extend/reorganize qubes-core-admin#601 (QubesOS/qubes-core-admin@14b5612)
• Force use of software rendering qubes-gui-agent-linux#214 (QubesOS/qubes-gui-agent-linux@8ba08ec)
• Enable software-rendering by default #506 (cde71d9)

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024062115-4.3&flavor=update

• system_tests_extra

  • TC_00_QVCTest_whonix-gateway-17: test_010_screenshare (failure)
    self.assertNotEqual(vm.run('test -e /dev/vid... AssertionError: 0 == 0

• system_tests_network_updates

  • TC_00_Dom0Upgrade_whonix-gateway-17: test_001_update_check (failure)
    self.assertTrue(self.app.domains[0].... AssertionError: '' is not true

• system_tests_devices

  • TC_00_List_whonix-workstation-17: test_001_list_loop_mounted (failure)
    AssertionError: Device test-inst-vm:loop0 (/tmp/test.img) should no...

Failed tests

8 failures

• system_tests_pvgrub_salt_storage

  • TC_41_HVMGrub_fedora-40-xfce: test_000_standalone_vm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

  • TC_41_HVMGrub_fedora-40-xfce: test_010_template_based_vm (error)
    qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

• system_tests_extra

  • [unstable] TC_00_QVCTest_fedora-40-xfce: test_020_webcam (failure + cleanup)
    AssertionError: 'qubes-video-companion webcam' exited early (0): b'...

  • TC_00_QVCTest_whonix-gateway-17: test_010_screenshare (failure)
    self.assertNotEqual(vm.run('test -e /dev/vid... AssertionError: 0 == 0

• system_tests_network_updates

  • TC_00_Dom0Upgrade_whonix-gateway-17: test_001_update_check (failure)
    self.assertTrue(self.app.domains[0].... AssertionError: '' is not true

  • [unstable] TC_10_QvmTemplate_debian-12-xfce: test_010_template_install (failure)
    AssertionError: libvirt event impl drain timeout

• system_tests_devices

  • TC_00_List_whonix-workstation-17: test_001_list_loop_mounted (failure)
    AssertionError: Device test-inst-vm:loop0 (/tmp/test.img) should no...

• system_tests_splitgpg

  • TC_10_Thunderbird_whonix-workstation-17: test_020_send_receive_inline_with_attachment (failure)
    dogtail.tree.SearchError: descendent of [application | Thunderbird]...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/103633#dependencies

6 fixed

• system_tests_basic_vm_qrexec_gui

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_220_audio_play_pulseaudio (failure)
    AssertionError: too short audio, expected 10s, got 8.64043083900226...

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_221_audio_rec_muted_pulseaudio (error)
    Cannot process volume group qubes_dom0...

• system_tests_extra

  • TC_00_QVCTest_whonix-gateway-17: test_020_webcam (failure)
    self.assertNotEqual(vm.run('test -e /dev/vid... AssertionError: 0 == 0

  • TC_00_QVCTest_whonix-workstation-17: test_020_webcam (failure + cleanup)
    AssertionError: 'qubes-video-companion webcam' exited early (0): b'...

• system_tests_network_updates

  • TC_10_QvmTemplate_whonix-gateway-17: test_010_template_install (failure)
    AssertionError: libvirt event impl drain timeout

• system_tests_basic_vm_qrexec_gui_zfs

  • TC_20_AudioVM_Pulse_debian-12-xfce-pool: test_223_audio_play_hvm (failure)
    AssertionError: only silence detected, no useful audio data

Unstable tests

• system_tests_update

  update2/Failed (1/5 times with errors)

  • job 103358 # Test died: command 'script -c 'qubes-vm-update --max-concurrency=...

• system_tests_basic_vm_qrexec_gui

  TC_20_AudioVM_Pulse_whonix-workstation-17/test_220_audio_play_pulseaudio (2/3 times with errors)

  • job 101109 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 101758 AssertionError: too short audio, expected 10s, got 8.73532879818594...
  TC_20_AudioVM_Pulse_whonix-workstation-17/test_222_audio_rec_unmuted_pulseaudio (2/3 times with errors)

  • job 101109 AssertionError: only silence detected, no useful audio data
  • job 101758 AssertionError: too short audio, expected 10s, got 9.36446712018140...
  TC_20_AudioVM_Pulse_whonix-workstation-17/test_223_audio_play_hvm (2/3 times with errors)

  • job 101109 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 102413 AssertionError: only silence detected, no useful audio data
  TC_20_AudioVM_Pulse_whonix-workstation-17/test_252_audio_playback_audiovm_switch_hvm (1/3 times with errors)

  • job 101109 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...

• system_tests_pvgrub_salt_storage

  TC_41_HVMGrub_debian-12-xfce/test_000_standalone_vm (2/3 times with errors)

  • job 101773 qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
  • job 102428 qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
  StorageFile/test_001_non_volatile (1/3 times with errors)

  • job 101124 subprocess.CalledProcessError: Command '/usr/lib/qubes/destroy-snap...
  TC_41_HVMGrub_debian-12-xfce/test_010_template_based_vm (2/3 times with errors)

  • job 101773 qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
  • job 102428 qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...

• system_tests_extra

  TC_00_QVCTest_whonix-workstation-17/test_010_screenshare (1/3 times with errors)

  • job 101116 self.assertNotEqual(vm.run('test -e /dev/vid... AssertionError: 0 == 0
  TC_00_QVCTest_debian-12-xfce/test_020_webcam (2/3 times with errors)

  • job 101116 AssertionError: 'qubes-video-companion webcam' exited early (0): b'...
  • job 102420 AssertionError: 'qubes-video-companion webcam' exited early (0): b'...
  TC_00_QVCTest_fedora-40-xfce/test_020_webcam (1/3 times with errors)

  • job 101765 AssertionError: 'qubes-video-companion webcam' exited early (0): b'...
  TC_00_QVCTest_whonix-gateway-17/test_020_webcam (1/3 times with errors)

  • job 102420 AssertionError: 'qubes-video-companion webcam' exited early (0): b'...
  TC_00_QVCTest_whonix-workstation-17/test_020_webcam (2/3 times with errors)

  • job 101116 AssertionError: 'qubes-video-companion webcam' exited early (0): b'...
  • job 102420 AssertionError: 'qubes-video-companion webcam' exited early (0): b'...

• system_tests_usbproxy

  TC_20_USBProxy_core3_whonix-gateway-17/test_070_attach_not_installed_front (1/3 times with errors)

  • job 101101 qubesusbproxy.core3ext.QubesUSBException: Device attach failed: 202...

• system_tests_network_updates

  TC_00_Dom0Upgrade_whonix-gateway-17/test_006_update_flag_clear (1/3 times with errors)

  • job 101123 Error: Failed to download metadata for repo 'test': Cannot download...
  TC_10_QvmTemplate_debian-12-xfce/test_010_template_install (1/3 times with errors)

  • job 101123 AssertionError: qvm-template failed: Downloading 'qubes-template-de...
  TC_10_QvmTemplate_fedora-40-xfce/test_010_template_install (1/3 times with errors)

  • job 101123 AssertionError: qvm-template failed: Downloading 'qubes-template-de...
  TC_10_QvmTemplate_whonix-gateway-17/test_010_template_install (1/3 times with errors)

  • job 101123 AssertionError: qvm-template failed: Downloading 'qubes-template-de...
  TC_11_QvmTemplateMgmtVM_debian-12-xfce/test_010_template_install (1/3 times with errors)

  • job 101123 AssertionError: qvm-template failed: Downloading 'qubes-template-de...
  TC_11_QvmTemplateMgmtVM_fedora-40-xfce/test_010_template_install (1/3 times with errors)

  • job 101123 AssertionError: qvm-template failed: Downloading 'qubes-template-de...
  TC_11_QvmTemplateMgmtVM_whonix-gateway-17/test_010_template_install (1/3 times with errors)

  • job 101123 AssertionError: qvm-template failed: Downloading 'qubes-template-de...

• system_tests_dispvm

  TC_20_DispVM_fedora-40-xfce/test_100_open_in_dispvm (2/3 times with errors)

  • job 101764 AssertionError: './open-file test.txt' failed with ./open-file test...
  • job 102419 AssertionError: './open-file test.txt' failed with ./open-file test...

• system_tests_basic_vm_qrexec_gui_zfs

  TC_00_Basic/test_120_start_standalone_with_cdrom_dom0 (1/2 times with errors)

  • job 101113 AssertionError: 1 != 0 : b'Timeout waiting for dom0:loop6 device to...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_220_audio_play_pulseaudio (1/2 times with errors)

  • job 101113 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_222_audio_rec_unmuted_pulseaudio (1/2 times with errors)

  • job 101113 AssertionError: only silence detected, no useful audio data
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_223_audio_play_hvm (1/2 times with errors)

  • job 101113 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_252_audio_playback_audiovm_switch_hvm (1/2 times with errors)

  • job 101113 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...

• system_tests_basic_vm_qrexec_gui_ext4

  TC_00_Basic/test_141_libvirt_objects_reconnect (1/3 times with errors)

  • job 101111 AssertionError: libvirt event impl drain timeout
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_220_audio_play_pulseaudio (1/3 times with errors)

  • job 101111 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_222_audio_rec_unmuted_pulseaudio (1/3 times with errors)

  • job 101111 AssertionError: only silence detected, no useful audio data
  TC_20_AudioVM_Pulse_debian-12-xfce-pool/test_223_audio_play_hvm (1/3 times with errors)

  • job 102415 AssertionError: only silence detected, no useful audio data
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_223_audio_play_hvm (1/3 times with errors)

  • job 101111 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_252_audio_playback_audiovm_switch_hvm (1/3 times with errors)

  • job 101111 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...

• system_tests_basic_vm_qrexec_gui_xfs

  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_220_audio_play_pulseaudio (2/3 times with errors)

  • job 101112 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 101781 AssertionError: too short audio, expected 10s, got 8.33947845804988...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_222_audio_rec_unmuted_pulseaudio (2/3 times with errors)

  • job 101112 AssertionError: only silence detected, no useful audio data
  • job 101781 AssertionError: too short audio, expected 10s, got 8.17784580498866...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_223_audio_play_hvm (2/3 times with errors)

  • job 101112 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 101781 AssertionError: too short audio, expected 10s, got 7.71551020408163...
  TC_20_AudioVM_PipeWire_debian-12-xfce-pool/test_226_audio_playback_pipewire (1/3 times with errors)

  • job 102416 AssertionError: too short audio, expected 10s, got 8.31034013605442...
  TC_20_AudioVM_PipeWire_debian-12-xfce-pool/test_228_audio_rec_unmuted_pipewire (1/3 times with errors)

  • job 102416 AssertionError: too short audio, expected 10s, got 8.89784580498866...
  TC_20_AudioVM_PipeWire_fedora-40-xfce-pool/test_228_audio_rec_unmuted_pipewire (1/3 times with errors)

  • job 102416 AssertionError: too short audio, expected 10s, got 9.45630385487528...
  TC_20_AudioVM_PipeWire_debian-12-xfce-pool/test_250_audio_playback_audiovm_pipewire (1/3 times with errors)

  • job 102416 AssertionError: too short audio, expected 10s, got 7.48553287981859...
  TC_20_AudioVM_PipeWire_debian-12-xfce-pool/test_251_audio_playback_audiovm_pipewire_late_start (1/3 times with errors)

  • job 102416 AssertionError: too short audio, expected 10s, got 9.19612244897959...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_252_audio_playback_audiovm_switch_hvm (2/3 times with errors)

  • job 101112 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 102416 AssertionError: too short audio, expected 10s, got 6.77941043083900...

• system_tests_suspend

  suspend/ (3/5 times with errors)

  • job 102431 None
  • job 102443 None
  • job 103660 None
  suspend/Failed (3/5 times with errors)

  • job 102431 # Test died: no candidate needle with tag(s) 'xscreensaver-prompt' ...
  • job 102443 # Test died: no candidate needle with tag(s) 'xscreensaver-prompt' ...
  • job 103660 # Test died: no candidate needle with tag(s) 'xscreensaver-prompt' ...
  suspend/wait_serial (3/5 times with errors)

  • job 102431 # wait_serial expected: qr/2E8vz-\d+-/...
  • job 102443 # wait_serial expected: qr/2E8vz-\d+-/...
  • job 103660 # wait_serial expected: qr/2E8vz-\d+-/...

• system_tests_update@hw1

  update2/Failed (1/5 times with errors)

  • job 103358 # Test died: command 'script -c 'qubes-vm-update --max-concurrency=...

• system_tests_basic_vm_qrexec_gui@hw1

  TC_20_AudioVM_Pulse_whonix-workstation-17/test_220_audio_play_pulseaudio (2/3 times with errors)

  • job 101109 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 101758 AssertionError: too short audio, expected 10s, got 8.73532879818594...
  TC_20_AudioVM_Pulse_whonix-workstation-17/test_222_audio_rec_unmuted_pulseaudio (2/3 times with errors)

  • job 101109 AssertionError: only silence detected, no useful audio data
  • job 101758 AssertionError: too short audio, expected 10s, got 9.36446712018140...
  TC_20_AudioVM_Pulse_whonix-workstation-17/test_223_audio_play_hvm (2/3 times with errors)

  • job 101109 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 102413 AssertionError: only silence detected, no useful audio data
  TC_20_AudioVM_Pulse_whonix-workstation-17/test_252_audio_playback_audiovm_switch_hvm (1/3 times with errors)

  • job 101109 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...

• system_tests_suspend@hw1

  suspend/ (3/5 times with errors)

  • job 102431 None
  • job 102443 None
  • job 103660 None
  suspend/Failed (3/5 times with errors)

  • job 102431 # Test died: no candidate needle with tag(s) 'xscreensaver-prompt' ...
  • job 102443 # Test died: no candidate needle with tag(s) 'xscreensaver-prompt' ...
  • job 103660 # Test died: no candidate needle with tag(s) 'xscreensaver-prompt' ...
  suspend/wait_serial (3/5 times with errors)

  • job 102431 # wait_serial expected: qr/2E8vz-\d+-/...
  • job 102443 # wait_serial expected: qr/2E8vz-\d+-/...
  • job 103660 # wait_serial expected: qr/2E8vz-\d+-/...

• system_tests_basic_vm_qrexec_gui_btrfs

  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_220_audio_play_pulseaudio (1/3 times with errors)

  • job 101110 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_222_audio_rec_unmuted_pulseaudio (1/3 times with errors)

  • job 101110 AssertionError: only silence detected, no useful audio data
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_223_audio_play_hvm (1/3 times with errors)

  • job 101110 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  TC_20_AudioVM_Pulse_fedora-40-xfce-pool/test_225_audio_rec_unmuted_hvm (1/3 times with errors)

  • job 101782 AssertionError: too short audio, expected 10s, got 6.28875283446712...
  TC_20_AudioVM_Pulse_whonix-workstation-17-pool/test_252_audio_playback_audiovm_switch_hvm (2/3 times with errors)

  • job 101110 AssertionError: Command 'timeout 20s paplay --format=float32le --ra...
  • job 101782 AssertionError: pacat for test-inst-vm1 (xid 90) running(False) in ...

[marmarek]

• [unstable] suspend: Failed (test died + timed out)
  # Test died: command 'qvm-run -p sys-firewall "curl https://www.qub...

This looks to be broken by this PR. After suspend dnat-dns in sys-net looks like this:

	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 drop
		ip daddr 10.139.1.1 tcp dport 53 drop
		ip daddr 10.139.1.2 udp dport 53 drop
		ip daddr 10.139.1.2 tcp dport 53 drop
	}

Yet, DNS in sys-net is set:

[root@dom0 ~]# qvm-run -pu root sys-net resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 172.16.1.1
       DNS Servers: 172.16.1.1
        DNS Domain: testnet

Link 4 (vif5.0)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (ens6)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.16.1.1
       DNS Servers: 172.16.1.1
        DNS Domain: testnet

Link 6 (wls7)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
[root@dom0 ~]# qvm-run -pu root sys-net cat /etc/resolv.conf
# Generated by NetworkManager
search testnet
nameserver 172.16.1.1

My guess is the extra ifindex == 0 condition is to blame.

[alimirjamali]

My guess is the extra ifindex == 0 condition is to blame.

The ifindex 0 is to fetch the final DNS construction based on the of DNS values of all network interfaces according to their static or dynamic DHCP settings as well as their connection status. That is what ends in the systemd-resolved generated /etc/resolv.conf. Freedesktop specification does not explicitly mention this. I found about it via manual query of dbus and comparing the returned values with the actual /etc/resolv.conf content. So there should be another bug somewhere else that prevents system-resolved to reconstruct network settings after resume from suspend.

But for the time, removing ifindex == 0 condition will prevent the solution from breaking connectivity for most users. I will just amend the pull-request and force push it in few minutes. But I will leave the comments for further investigation.

I suggest a new Unit Test for further investigation. Put the system in sleep mode, Change upstream network parameters (DNS, Gateway, DHCP lease range, ...) , Then resume from sleep. The sys-net of the virtual machine should be able to connect to new upstream and apply the settings to have connectivity.

[ben-grande]

@alimirjamali can you please reword the commit message? Remove Fixing issue 9011 from the subject and put in the end of the body Fixes: LINKTOISSUE. I am not a Qubes developer to enforce this decision, but I'd be glad if this standard was followed for all commits. Qubes commit message guidelines links to another guide that shows an example with "Resolves: #123. Note that full link to URL is preferred rather than a #N as Qubes has multiple repositories and sometimes (rare) issues are opened in individual repositories rather than qubes-issues.

[alimirjamali]

can you please reword the commit message?

Done. Is it OK now?

[ben-grande]

Yes, thank you.