Barracuda VPN on Linux permanently and silently changes resolv.conf
I recently completed a contract for a large German company, who will remain nameless. Nice bunch, nothing wrong with them, and I would not want to embarrass them.
Said company provides to its remote staff a VPN, Barracuda VPN, and the VPN is available for Linux, which in my case means a Debian package.
I installed, never needed it, six months later contract complete uninstalled.
A few months after this, I stumbled across the fact that my resolv.conf had been altered, to that given below, and not reverted by uninstallation;
nameserver [German company DNS IP #1] nameserver [German company DNS IP #2] nameserver 127.0.0.1 nameserver ::1 search [an IP name from German company]
The VPN installer had prepended its DNS to resolve.conf
I may be wrong, but I understand resolv.conf uses servers in the order they are given, and uses only the first three servers.
(The final line, "search", causes any DNS IP name lookup which fails to be retried with the given IP name appended.)
These behaviours occur whether or not the VPN is active, and where resolv.conf was not reverted by uninstallation, continue occurring after the VPN is uninstalled.
I contacted Barracuda about this matter, explaining and questioning what had happened.
The initial reply was prompt, and asked for a serial number.
I replied I had never been given a serial number, just the package, and I had left the company concerned some months before (and of course, had only noticed this problem afterwards, as it is a silent and unexpected change).
There was no reply, but since then, I've received automated emails telling me I have a ticket, and that it is awaiting a serial number (to which I have replied, to no effect or response).
Barracuda have a second email address, for security issues. Email to this address has gone unanswered.
25 comments
[ 4.0 ms ] story [ 63.6 ms ] threadseems to me like you still have open ticket with them and some email exchange, so its not like they have sent a hitman to silence you...
I have replied to their auto-emails, and to the chap who asked for the serial number. Nothing ever came back.
The ticket is a red herring, I would say.
I may be wrong, but given the need for the serial number, Barracuda have chosen block all but paying customers, regardless of the issue. This type of behaviour I think is common in larger companies.
What it means for end users like you or me is the need to be warned by others about issues in the product.
As an aside, I think I recall security issues in their products - ah, mmm, searching finds a ten year old article, which speaks of long-lasting intentional SSH backdoors in multiple Barracuda products.
https://krebsonsecurity.com/2013/01/backdoors-found-in-barra...
Still, that was ten years ago - but OTOH, we have this astounding resolv.conf behaviour today.
So in the end, when I stumbled across it, I did change it back - but I had a malformed DNS config for the months before, by chance, finding the change.
That I could change it back isn't much use when I had no idea the change had occurred.
DNS should be modified when and only when it is running.
That is not the case here.
So no HIDS like Samhain or OSSEC in place?
Just an ordinary person, living in fear of VPN clients :-)
chattr +i /etc/resolv.conf
Not even root can then change it without removing the attribute (-i)
However HIDS are really nice to detect stuff like that...and they are not that complicated (OSSEC or samhain)
nameserver [German company DNS IP #1]
nameserver [German company DNS IP #2]
nameserver 127.0.0.1 nameserver
::1
search [an IP name from German company]
2. it is not a nasty habit, but a configuration. If you do not want it, you can configure systemd-resolved not to do this.
3. it is for a very good reasons, and there were written pages and pages about the issues, what those are; so when you understand why, you won't reconfigure (2) anyway.
If this is a real concern, I'd be more mindful of what's being given privilege. It's atypical to chase - going as far to remove bad actors
edit: Wrote this while still half asleep, tested - wrong lol. Keeping to prevent more folly
My corporate macbook was at its most stable when I had set /etc/hosts immutable and the corporate chef got stuck and nobody yelled at me. Of course, a couple months later I did a mac os update and some corporate spyware interfered with the gpu driver... would have been updated if chef had run in the past three weeks. Whoops.
I find it kind of baffling that as an IT contractor you've managed to go months without changing it since (:
Someone else mentioned making it immutable, which is not a bad idea if only editing it manually is what you want.
Next step if you still want it dynamic would making it owned by the designated user of the process making the changes you actually want (e.g. NetworkManager/systemd-networkd/netctl/whathaveyou).
Well, I run Tor on my system, and all traffic goes through that; all other outbound traffic is blocked. Tor provide DNS, so all I ever do with resolv.conf is point it at localhost and that's it.
We must also note that change interfered with the existing system configuration, by rendering one of the existing DNS servers unusable.