IKEv2 leaks DNS - Ethernet Only

I find this really interesting. I configured a standard IKEv2 setup on the Firebox, downloaded the default generated installation scripts, and went about testing the connections on both my work laptop and my home desktop.

Both computers route all internet traffic properly. However I noticed the Desktop ignored the DNS servers provided by the VPN adapter. All nslookup queries went to my home fios.gateway router. At first I thought it was an issue exclusive to my desktop (not domain joined, maybe a custom setting somewhere...etc). After a brief revelation, I took my work laptop next to my fios router, and plugged it in via Ethernet. Refreshed the IKEv2 tunnel...bam. DNS leaks the same as my desktop.

Being savvy enough, I ran Get-NetIPInterface and got the following:

Capture

The IPv4 InterfaceMetric of the IKEv2 adapter is 25. That weighs more heavily than the metrics on both IPv4/IPv6 on the Wi-Fi adapters, which is why I was able to query DNS through the tunnel when connected on my laptop. Interestingly it also beats the primary Ethernet IPv4 metric (4230) - but the IPv6 Ethernet metric is 5, clearly higher than the IKEv2. Even though it's disconnected for IPv6, and that my fios router doesn't even have an IPv6 network setup...DNS queries still leak to the fios router when on Ethernet. On my desktop, the Ethernet IPv6 was defined as 25 by Windows, which matched the 25 metric on IKEv2. Unfortunately it still beat out my VPN for DNS queries.

The two obvious solutions are:
1) Disable IPv6 entirely on the Ethernet adapter, or
2) Set the metric manually on the IKEv2 adapter to be higher than 5.

Each resolve the issue but while I as the network admin can fix this...it seems a bit of a stretch that I should have to manually configure these settings by default. Is Watchguard aware of this issue? If not, I might suggest adding a metric weight parameter into the powershell scripts that the firebox generates.

Still seems odd that even though I have no IPv6 lan, the metric weight wins over and tells Windows to leak to my IPv4 queries.

Comments

  • Every version of Windows from Vista on up has its network stack prioritized to use IPv6 FIRST, then IPv6. I have had some butt-biters because of that when pseudo-clients replaced their routers and installed ones that had IPv6 enabled. At one client, it wreaked havoc on a Windows 2012 R2 domain because its DHCP answered before the server could. I despise clients that do stuff without asking! And, yes, they too cheap to buy a WatchGuard firewall.

    Gregg Hill

Sign In to comment.