dnssec-trigger

hotspot signon and wrong resolv.conf

Open duck-rh opened this issue 5 years ago • 4 comments

Quack,

I'm in a place requiring me to accept rules on an internal site to be able to be routed outside. I used the 'hotspot_signon' and could not resolve the site.

The log shows the resolv.conf file is replaced but the content is not appropriate: the search path matches my previous location and the nameserver is 127.0.0.1 instead of being the currently DHCP-advertised IPs. I fixed the file manually, reprobed and all went well after that, but this is a strange bug; it's like the file was saved too early before NM generated one for the current WIFI. I'm traveling so I lack time for deeper analysis, sorry. Attaching logs.

Regards. \_o<

dnssec-trigger_login_portal_bug_2.log dnssec-trigger_login_portal_bug_2_nm.log dnssec-trigger_login_portal_bug_2_res.log

duck-rh Feb 19 '20 09:02

The logs contain a lot of 'network not reachable' and similar errors. So, it simply cannot send to the network. Not sure what it does then, perhaps that is why you have the old state. (From a quick look at the logs).

wcawijngaards Feb 19 '20 10:02

I took the whole logs of the day as it came up from suspend, so it possibly contains some noise because the old WIFI is not there I guess.

I was able to start doing things but now I cannot go home as unbound returns SERVFAIL for my DNSSEC-protected domain (except the apex for some reason, unbound cache maybe). DNSviz says everything's fine with it though.

I disconnected/reconnected to the WIFI to start over (saying that to be able to follow the logs).

dnssec-trigger-control status says it's all secure but with dig I cannot get the AD flag when testing the WIFI's DNS.

I then tried to switch back to insecure to go on doing stuff until I can find what's going on and that did not go well. In the logs we can see dnssec-trigger rewrites resolv.conf but later on the previous version is lost and cannot be restored. Attaching the continuation of the logs.

dnssec-trigger_login_portal_bug_3.log

duck-rh Feb 19 '20 10:02

I think these two lines could be the problem:

Feb 19 19:01:46 Zushi dnssec-trigger-script[37807]: Cannot restore '/etc/resolv.conf' from '/run/dnssec-trigger/resolv.conf.backup': No such file or directory
Feb 19 19:01:47 Zushi dnssec-trigger-script[37883]: Cannot back up '/etc/resolv.conf' as '/run/dnssec-trigger/resolv.conf.backup': No such file or directory

The directory /run/dnssec-trigger/ does not exist? Or /etc/resolv.conf does not exist, but that seems unlikely.

wcawijngaards Feb 20 '20 08:02

@wcawijngaards /etc/resolv.conf did exist. As for /run/dnssec-trigger/ I did not meddle with it and when I reported #3 it existed too.

I cannot come back to this place where I detected the bug until next year. I'll let you know if I stumble on it again. It seems the information in the logs is not sufficient to debug this situation, so if you wish me to collect other data please tell me.

duck-rh Feb 28 '20 05:02
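
A small state snapshot for the situation discussed in this thread, added here as an example; it is not part of dnssec-trigger and not from any commenter. It records whether `/etc/resolv.conf` points only at loopback and whether the backup directory and file named in the quoted log lines exist. The function name, the optional ROOT prefix argument and the key=value output format are assumptions.

```shell
#!/bin/sh
# Added example: snapshot the resolv.conf state discussed in this thread.
# The two paths come from the log lines quoted above; the function name,
# the ROOT prefix and the output format are hypothetical.

# resolv_state [ROOT] -> one line of key=value pairs on stdout
resolv_state() {
    root="${1:-}"
    conf="$root/etc/resolv.conf"
    bdir="$root/run/dnssec-trigger"
    bak="$bdir/resolv.conf.backup"

    # A symlink usually means another service manages the file.
    if [ -L "$conf" ]; then kind=symlink
    elif [ -f "$conf" ]; then kind=file
    else kind=missing; fi

    # Count nameserver entries: loopback sends queries to the local
    # validating resolver, anything else is an upstream (e.g. DHCP) address.
    loop=0; other=0
    if [ -r "$conf" ]; then
        # The "|| [ -n ... ]" keeps a final line that lacks a newline.
        while read -r key val rest || [ -n "$key" ]; do
            [ "$key" = nameserver ] || continue
            case "$val" in
                127.*|::1) loop=$((loop + 1)) ;;
                *)         other=$((other + 1)) ;;
            esac
        done < "$conf"
    fi

    # "Cannot back up ... No such file or directory" is consistent with a
    # missing backup directory; "Cannot restore" with a missing backup file.
    if [ -d "$bdir" ]; then dir=present; else dir=missing; fi
    if [ -f "$bak" ]; then backup=present; else backup=missing; fi

    echo "resolv.conf=$kind loopback_ns=$loop other_ns=$other backup_dir=$dir backup_file=$backup"
}

# With no argument this inspects the live system (read-only).
resolv_state "${1:-}"
```

Running it once right after joining the network and again after `hotspot_signon` gives two lines that can be compared and attached alongside the logs.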