Can the Meltdown and Spectre vulnerabilities affect also computers with encrypted home directory and usage of a VPN service? In Other words, would hackers still be able to steal passwords when encrypted transmissions and VPN services are implemented?
Ubuntu – Meltdown and Spectre when using encryption and VPN
Securityvpn
Related Solutions
From your configuration, your dnsmasq installation is getting the list of DNS servers to use from /etc/resolv.conf
. By default, dnsmasq tries to favor using DNS servers that are up, but will only send a given request to a single DNS server. This can cause problems if you have multiple DNS servers that can/will only serve certain queries.
I believe you can solve this issue by making sure you have a DNS server on your LAN (the one you use when you aren't connected to the VPN) set up in /etc/resolv.conf
, as well as the DNS server on the corporate network you want to use over the VPN.
Then, you will need to edit /etc/default/dnsmasq
and add or edit the DNSMASQ_OPTS=
line to include --all-servers
.
If you are still unable to get DNS queries with this setup, copy the resolv.conf file you created during the steps above to another location, like ~/resolv.conf
, set /etc/resolv.conf
up with nameserver 127.0.0.1
and set the following option in /etc/dnsmasq.conf
:
resolv-file=/home/your_username/resolv.conf
That should configure your system to query your dnsmasq installation for DNS, and it will in turn use both your local DNS server and the VPN DNS server for every query.
Edit: You can find the DNS servers you are currently using for a particular connection using the nmcli
tool. For finding the DNS servers used by my wireless connection, I used the following syntax:
nmcli dev list iface wlan0 | grep IP4.DNS
If you run this command while you are not connected to your VPN, and then again when you are connected and are able to resolve your corporate addresses, you should get your list of DNS servers off and on the VPN. I hope this helps.
Edit 2: Looking at your routing tables, it appears your VPN administrator has set you up to route all your traffic through the VPN while you're connected (your default gateway changes to a VPN address). Since both of your DNS servers are public addresses, and neither have a specific route set up while you are on the VPN, you are trying to do normal DNS lookups through the VPN and that is what is failing.
You may have a couple ways to make this work, depending on your VPN setup:
If the VPN will allow you to access the internet through the corporate network, but not perform DNS queries to servers on the internet, add routes to your DNS servers like so:
sudo route add -host 83.255.245.11 gw 192.168.0.1
, andsudo route add -host 193.150.193.150 gw 192.168.0.1
after connecting to the VPN.If the VPN will not allow you to access the internet through the corporate network, you will need to change the default gateway settings on your computer to point at 192.168.0.1 after you connect to the VPN. In this case, you will want to set up your usual default gateway and then add network routes to access VPN-only equipment.
You may need to whittle down your routing table in the connected-to-the-VPN case shown in your second pastebin to the following:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
10.100.0.0 10.100.0.105 255.255.255.0 UGH 0 0 0 tun0
10.100.0.105 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
Then, add routes as you need to in order to access the corporate equipment. In the routing table shown above I have assumed a /24 network on the VPN, which may be incorrect. You'll have to set the mask appropriately.
Discuss it with the people who set up VPN for you.
This is commonly known as split routing, where the VPN tunnel will be used for resources that is inside the corporate network, whilst default gateway will be used for the rest. This is usually easier than filtering by service. Commonly, the corporation will have some kind of internal plan over the network that makes it easy to provide split routing.
You should check if it's permitted in your organization. Not all organizations allows split routing, because they for instance want to do data loss prevention on your traffic.
Best Answer
Yes.
Disk encryption protects against access to the disk when it is not in use, for instance if someone steals your computer. VPN protects against anyone sniffing the wire.
Meltdown and Spectre can give attackers local access to the data, before it is encrypted.
For the system to use any kind of information, it more or less has to be available in un-encrypted form. Whenever it is available in un-encrypted form any attacker with superuser access to the computer can copy it at will.