diff --git a/0001-dhcp-interface-parsing.patch b/0001-dhcp-interface-parsing.patch new file mode 100644 index 0000000..071736c --- /dev/null +++ b/0001-dhcp-interface-parsing.patch 
@@ -0,0 +1,158 @@ +From 810d243f3ebfe46e78024b239da19ac0cf150801 Mon Sep 17 00:00:00 2001 +From: Jonathan Kang +Date: Thu, 6 Jul 2017 16:20:25 +0800 +Subject: [PATCH 1/2] dhcp/dhclient: improve "interface" statement parsing + +In commit d405cfd9089f9552969e6a3e1a1c4550fc3c1695, parsing "interface" +statement is introduced. But it leads to uncommplete parsing of the +"request" entry, if one of the lines in "request" entry is prefixed with +word "interface". For example, the default configuration of openSUSE +distribution: + +request subnet-mask, broadcast-address, routers, + rfc3442-classless-static-routes, + interface-mtu, host-name, domain-name, domain-search, + domain-name-servers, nis-domain, nis-servers, + nds-context, nds-servers, nds-tree-name, + netbios-name-servers, netbios-dd-server, + netbios-node-type, netbios-scope, ntp-servers; + +Fixes: d405cfd9089f9552969e6a3e1a1c4550fc3c1695 + +https://bugzilla.opensuse.org/show_bug.cgi?id=1047004 +https://mail.gnome.org/archives/networkmanager-list/2017-July/msg00015.html +(cherry picked from commit 3646ed083dda590de1e991915048905b8c784cdd) +(cherry picked from commit 7200906a6202285a97969fea8dea86d5dce9cddf) +--- + src/dhcp/nm-dhcp-dhclient-utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/dhcp/nm-dhcp-dhclient-utils.c b/src/dhcp/nm-dhcp-dhclient-utils.c +index 216319b..28c290c 100644 +--- a/src/dhcp/nm-dhcp-dhclient-utils.c ++++ b/src/dhcp/nm-dhcp-dhclient-utils.c +@@ -296,7 +296,8 @@ nm_dhcp_dhclient_create_config (const char *interface, + continue; + + if ( !intf[0] +- && g_str_has_prefix (p, "interface")) { ++ && g_str_has_prefix (p, "interface") ++ && !in_req) { + if (read_interface (p, intf, sizeof (intf))) + continue; + } +-- +2.9.3 + +From 3f2821e1d95c0acb6aebd7d91ae5457c1739b664 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 10 Jul 2017 11:40:43 +0200 +Subject: [PATCH 2/2] dhcp/tests: add test parsing dhclient config + +(cherry picked from commit 
0c23191b01fb0582d8f3d470f463afdabc2fdf46) +(cherry picked from commit beeb8df9ac93ad432c9533362d862c0c2466cd5e) +--- + src/dhcp/tests/test-dhcp-dhclient.c | 70 ++++++++++++++++++++++++++++++++----- + 1 file changed, 62 insertions(+), 8 deletions(-) + +diff --git a/src/dhcp/tests/test-dhcp-dhclient.c b/src/dhcp/tests/test-dhcp-dhclient.c +index 40a3e07..3c9760a 100644 +--- a/src/dhcp/tests/test-dhcp-dhclient.c ++++ b/src/dhcp/tests/test-dhcp-dhclient.c +@@ -66,17 +66,16 @@ test_config (const char *orig, + &new_client_id); + g_assert (new != NULL); + +-#if DEBUG +- if ( strlen (new) != strlen (expected) +- || strcmp (new, expected)) { +- g_message ("\n- NEW ---------------------------------\n" ++ if (!nm_streq (new, expected)) { ++ g_message ("\n* OLD ---------------------------------\n" + "%s" +- "+ EXPECTED ++++++++++++++++++++++++++++++\n" ++ "\n- NEW -----------------------------------\n" + "%s" +- "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n", +- new, expected); ++ "\n+ EXPECTED ++++++++++++++++++++++++++++++\n" ++ "%s" ++ "\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n", ++ orig, new, expected); + } +-#endif + g_assert_cmpstr (new, ==, expected); + + if (expected_new_client_id) { +@@ -831,6 +830,60 @@ test_interface2 (void) + NULL); + } + ++static void ++test_config_req_intf (void) ++{ ++ static const char *const orig = \ ++ "request subnet-mask, broadcast-address, routers,\n" ++ " rfc3442-classless-static-routes,\n" ++ " interface-mtu, host-name, domain-name, domain-search,\n" ++ " domain-name-servers, nis-domain, nis-servers,\n" ++ " nds-context, nds-servers, nds-tree-name,\n" ++ " netbios-name-servers, netbios-dd-server,\n" ++ " netbios-node-type, netbios-scope, ntp-servers;\n" ++ ""; ++ static const char *const expected = \ ++ "# Created by NetworkManager\n" ++ "# Merged from /path/to/dhclient.conf\n" ++ "\n" ++ "\n" ++ "option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;\n" ++ "option ms-classless-static-routes code 249 = array of 
unsigned integer 8;\n" ++ "option wpad code 252 = string;\n" ++ "\n" ++ "request; # override dhclient defaults\n" ++ "also request subnet-mask;\n" ++ "also request broadcast-address;\n" ++ "also request routers;\n" ++ "also request rfc3442-classless-static-routes;\n" ++ "also request interface-mtu;\n" ++ "also request host-name;\n" ++ "also request domain-name;\n" ++ "also request domain-search;\n" ++ "also request domain-name-servers;\n" ++ "also request nis-domain;\n" ++ "also request nis-servers;\n" ++ "also request nds-context;\n" ++ "also request nds-servers;\n" ++ "also request nds-tree-name;\n" ++ "also request netbios-name-servers;\n" ++ "also request netbios-dd-server;\n" ++ "also request netbios-node-type;\n" ++ "also request netbios-scope;\n" ++ "also request ntp-servers;\n" ++ "also request ms-classless-static-routes;\n" ++ "also request static-routes;\n" ++ "also request wpad;\n" ++ "\n"; ++ ++ test_config (orig, expected, ++ FALSE, NULL, FALSE, ++ NULL, ++ NULL, ++ "eth0", ++ NULL); ++} ++ + /*****************************************************************************/ + + static void +@@ -982,6 +1035,7 @@ main (int argc, char **argv) + g_test_add_func ("/dhcp/dhclient/duids", test_duids); + g_test_add_func ("/dhcp/dhclient/interface/1", test_interface1); + g_test_add_func ("/dhcp/dhclient/interface/2", test_interface2); ++ g_test_add_func ("/dhcp/dhclient/config/req_intf", test_config_req_intf); + + g_test_add_func ("/dhcp/dhclient/read_duid_from_leasefile", test_read_duid_from_leasefile); + g_test_add_func ("/dhcp/dhclient/read_commented_duid_from_leasefile", test_read_commented_duid_from_leasefile); +-- +2.9.3 + diff --git a/0002-dns-fix-domain-suffix-check.patch b/0002-dns-fix-domain-suffix-check.patch new file mode 100644 index 0000000..f18105d --- /dev/null +++ b/0002-dns-fix-domain-suffix-check.patch 
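Review bot: The guard in nm_dhcp_dhclient_create_config() still matches on the bare prefix, so outside a `request` block any line whose first token merely starts with "interface" (for example a continuation line of another option list that begins with `interface-mtu`) is still handed to read_interface(); whether that helper rejects such a line is not visible in this hunk. Requiring a word boundary would make the match independent of the `in_req` state: add `&& g_ascii_isspace (p[strlen ("interface")])` after the g_str_has_prefix() test, which is safe because the prefix match guarantees that index is at most the terminating NUL. The new test_config_req_intf() covers only the `request` list, so a second case with `interface-mtu` leading a line of an `also request` or `require` list would pin the remaining behaviour. The function body continues outside the hunk, so how `in_req` is set and cleared is inferred from its name only.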
@@ -0,0 +1,108 @@ +From dd3531f120df2e9d249c6fddc062345c169db58e Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Fri, 14 Jul 2017 07:10:08 +0200 +Subject: [PATCH] dns: perform the public-suffix check only for the + hostname-derived domain + +The DNS manager drops from the search list domains that are public +suffixes to prevent a possible domain hijack when using two-labels +hostnames [1]. + +This is a problem now that every single-label domain can be a TLD +since this means that such domains can't be used in the search list. + +While it's useful to apply such restriction to the domain +automatically derived from the system hostname, it seems wrong to drop +domains specified by users in the configuration or provided by DHCP. + +This commit keeps the public-suffix check only for the +hostname-derived domain + +[1] https://bugzilla.redhat.com/show_bug.cgi?id=812394 + +https://bugzilla.redhat.com/show_bug.cgi?id=1404350 +(cherry picked from commit 5aa22ed8c9c1944f8843442912561dcec83a11b2) +(cherry picked from commit e80163c713cdd911cb79036f3f7b629040297c58) +--- + src/dns/nm-dns-manager.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/dns/nm-dns-manager.c b/src/dns/nm-dns-manager.c +index f443f34..952468e 100644 +--- a/src/dns/nm-dns-manager.c ++++ b/src/dns/nm-dns-manager.c +@@ -158,12 +158,12 @@ G_DEFINE_TYPE (NMDnsManager, nm_dns_manager, NM_TYPE_EXPORTED_OBJECT) + #define NM_DNS_MANAGER_GET_PRIVATE(self) _NM_GET_PRIVATE(self, NMDnsManager, NM_IS_DNS_MANAGER) + + static gboolean +-domain_is_valid (const gchar *domain) ++domain_is_valid (const gchar *domain, gboolean check_public_suffix) + { + if (*domain == '\0') + return FALSE; + #if WITH_LIBPSL +- if (psl_is_public_suffix (psl_builtin (), domain)) ++ if (check_public_suffix && psl_is_public_suffix (psl_builtin (), domain)) + return FALSE; + #endif + return TRUE; +@@ -312,7 +312,7 @@ merge_one_ip4_config (NMResolvConfData *rc, NMIP4Config *src) + const char 
*search; + + search = nm_ip4_config_get_search (src, i); +- if (!domain_is_valid (search)) ++ if (!domain_is_valid (search, FALSE)) + continue; + add_string_item (rc->searches, search); + } +@@ -322,7 +322,7 @@ merge_one_ip4_config (NMResolvConfData *rc, NMIP4Config *src) + const char *domain; + + domain = nm_ip4_config_get_domain (src, i); +- if (!domain_is_valid (domain)) ++ if (!domain_is_valid (domain, FALSE)) + continue; + add_string_item (rc->searches, domain); + } +@@ -382,7 +382,7 @@ merge_one_ip6_config (NMResolvConfData *rc, NMIP6Config *src, const char *iface) + const char *search; + + search = nm_ip6_config_get_search (src, i); +- if (!domain_is_valid (search)) ++ if (!domain_is_valid (search, FALSE)) + continue; + add_string_item (rc->searches, search); + } +@@ -392,7 +392,7 @@ merge_one_ip6_config (NMResolvConfData *rc, NMIP6Config *src, const char *iface) + const char *domain; + + domain = nm_ip6_config_get_domain (src, i); +- if (!domain_is_valid (domain)) ++ if (!domain_is_valid (domain, FALSE)) + continue; + add_string_item (rc->searches, domain); + } +@@ -923,7 +923,7 @@ merge_global_dns_config (NMResolvConfData *rc, NMGlobalDnsConfig *global_conf) + options = nm_global_dns_config_get_options (global_conf); + + for (i = 0; searches && searches[i]; i++) { +- if (domain_is_valid (searches[i])) ++ if (domain_is_valid (searches[i], FALSE)) + add_string_item (rc->searches, searches[i]); + } + +@@ -1055,9 +1055,9 @@ _collect_resolv_conf_data (NMDnsManager *self, /* only for logging context, no o + if ( hostdomain + && !nm_utils_ipaddr_valid (AF_UNSPEC, hostname)) { + hostdomain++; +- if (domain_is_valid (hostdomain)) ++ if (domain_is_valid (hostdomain, TRUE)) + add_string_item (rc.searches, hostdomain); +- else if (domain_is_valid (hostname)) ++ else if (domain_is_valid (hostname, TRUE)) + add_string_item (rc.searches, hostname); + } + } +-- +2.9.3 + diff --git a/NetworkManager.spec b/NetworkManager.spec index d8b8bcd..0de5a5d 100644 
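Review bot: domain_is_valid() gains `check_public_suffix` without a comment saying which sources may pass FALSE, and the five merge_* call sites pass a bare literal, so the trust decision is invisible at the place where it is made. According to the commit message the values merged in merge_one_ip4_config() and merge_one_ip6_config() can come from DHCP, that is from the network rather than from the administrator; after this change a lease that offers a public suffix as search domain is added to `rc->searches` unfiltered. I would record that on the function, e.g. `/* check_public_suffix: TRUE only for the hostname-derived domain; user- and DHCP-provided domains are accepted as given, so a public suffix from a lease ends up in the search list */`. In builds without WITH_LIBPSL the new parameter is unused and no check happens at all, which the same comment should state.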
--- a/NetworkManager.spec +++ b/NetworkManager.spec @@ -82,7 +82,8 @@ Source1: NetworkManager.conf Source2: 00-server.conf Source3: 20-connectivity-fedora.conf -#Patch1: +Patch1: 0001-dhcp-interface-parsing.patch +Patch2: 0002-dns-fix-domain-suffix-check.patch Requires(post): systemd Requires(preun): systemd @@ -337,7 +338,8 @@ by nm-connection-editor and nm-applet in a non-graphical environment. %prep %setup -q -n NetworkManager-%{real_version} -#%patch1 -p1 +%patch1 -p1 +%patch2 -p1 %build %if %{with regen_docs} @@ -652,6 +654,8 @@ fi %changelog * Mon Jul 17 2017 Beniamino Galvani - 1:1.8.2-1 - Update to 1.8.2 release +- dhcp/dhclient: improve "interface" statement parsing +- dns: fix public suffix check on search domains (rh #1404350) * Thu Jun 22 2017 Lubomir Rintel - 1:1.8.0-6 - device: don't change MTU unless explicitly configured (rh #1460760)