Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mi, 15.04.20 10:48, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> > As I understand the terminology the "stub resolver" in systemd-resolved
> > refers to the thing that listens on 127.0.0.53 and that won't do
> > anything clever with single label queries because it will expect
> > it is answering DNS queries - that is exactly the way that Ubuntu
> > uses it.
>
> Well, the whole thing is a stub resolver externally, even if it doesn't
> speak DNS with applications.  It has to perform upstream server
> selection and search list processing in some way.  The search list
> processing turns into the responsibility of the local client
> (application) only on the DNS interface.

Yes, resolved is a stub resolver only. And it is so regardless which
interface you use to talk to it.

The local listener on 127.0.0.53:53 is not a fully featured DNS server
either because of that. It does stuff real DNS servers don't do (such
as LLMNR, merging in /etc/hosts and stuff, such as the scope routing
and so on), and we will say NOTIMPL to a vareity of requests that you
can send to a real DNS server but that make no sense for a local
resolving stub.

Yes, this means if you have some special "dig" command line with all
kinds of special options there's a good chance systemd-resolved will
refuse your request, because that option is not implemented. It tries
to make this discoverable as much as that is possible, by returned the
most appropriate error (the error vocabulary isn't too verbose
howerver) and by logging about it to syslog.

Note that when you talk to resolved via the DNS protocol it will not
do search list processing for you, it leaves that to the client as
this was always handled, in order to not do it twice. If you talk to
resolved via the bus API (i.e. over nss-resolve or so) then it will to
the search list stuff server side. Beaviour in these two cases is
slightly different, as mentioned elsewhere, as resolved never leaks
unqualified names to upstream servers as they are.

> Actually, Fedora's current NetworkManager/OpenVPN behavior depends on
> this because it lists the original system name server in
> /etc/resolv.conf after the ones received over OpenVPN.  This means that
> with randomized/parallel queries, you might try to resolve internal
> domains over the public Internet, and get unwanted/unusable result.

NM can tell resolved the full DNS info with per-interface info, so
that resolved can merge the view of the world on each (see other mail)

> > I think so long as the VPN interface has ~redhat.co in it's search
> > list then queries for that domain will be forced to the servers for
> > that interface if that's what is required?
>
> Does OpenVPN log the list of these domains somewhere?  Or do they have
> to be configured manually?

Most other distributions (and even BSDs) provide a tool called
"resolvconf" that various subsystems that provide DNS server info call
when they learn some new DNS severs or DNS servers known go
away. OpenVPN is a subsystem with DNS info, hence on most distros it
will already be hooked up to "resolvconf" to provide the DNS data at
the right moment. The various existing implementations of "resolvconf"
usually take this info, sort it somehow and write it to
/etc/resolv.conf. systemd now implements its own version of the tool
which uses the information in a smarter way.

Long story short: if OpenVPN is configured like it already is on other
distros then we should have excellent behaviour as resolved will learn
about the DNS servers correctly with the right metadata we need to do
our per-interface magic.

> >> Will the built-in DNS server still support DNSSEC without validation,
> >> passing through the records if they are requested by the client over the
> >> DNS interface?  The section above is not clear.
> >
> > I don't think so no. I happen to have a query to hand which fails
> > validation due to a bug in systemd-resolved and I get SERVFAIL when
> > querying 127.0.0.53 even with +cdflag on the dig command.
>
> Ugh.  That will have to be fixed, otherwise it will break DANE/TLSA and
> other DNSSEC-mandatory functionality on upgrades: the system used to
> have a DNSSEC-clean path to the outside world, and after the switch to
> systemd-resolved, it won't.

Do we do DANE/TLSA by default anywhere in Fedora? I mean, we
realistically cannot because DNSSEC sucks in most DNS servers...

But yeah, clients that want to do full DNSSEC need to talk directly to
upstream DNS servers.

There's a feature request to switch to a special pass-through-proxy
mode in resolved as soon as some of the more special DNSSEC features
are turned on in an incoming DNS client packet on the stub. it's
something to think about, but having been on the other end of DNSSEC I
am a bit afraid it just makes things worse: i.e. writing a DNS client
that can deal with servers that expose completely different behaviour
depending on some flags in the headers is extremely hard. i.e. think
about this: if you send a regular DNS packet to resolved it would
process it natively, answer from its cache, do its LLMNR, mDNS,
/etc/hosts magic and whatever else it does. But as soon as you turn on
that DNSSEC bit resolved would just proxy through without any of this,
without caching, any processing, without the other information
sources. A client trying to make sense of such a server will be
utterly confused since without the bit set it will be exposed to
resolved's behaviour and quirks and its view of the world and with the
bit set it will be exposed to some upstream server's view of the world
and its quirks and behaviours, which are likely very very
different... Hence so far my take on it was: if you want real, fully
featured DNS with all weird, strange options then talk to upstream
directly, don't bother with resolved's internal stub, it's not built
for that.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux