On Thu, Apr 16, 2020 at 4:18 pm, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
> Trusted for what? I would expect corporate VPNs doing such tricks to monitor the user's internet traffic. Which does not mean the user is fully screwed with such a VPN if he, for example, uses a hardcoded configuration of a caching nameserver.
In Florian's scenario, one of the VPNs is actively malicious. E.g. public-vpn.example.com tries to hijack DNS for subdomain.corporation.example.com. It might actually be a realistic attack scenario, but it's not something we should attempt to mitigate.
Anyway this goes both ways. As explained many times already, without systemd-resolved, the VPN you connect to first gets all the DNS queries currently. Normally users connect to public VPN first, then corporate VPN second. That's broken. Splitting the DNS is just the right thing to do. If you want the corporate VPN to see everything, then do not check "use this VPN only for resources on its network" and it will get everything (but then it needs to have capacity to really handle everything!).
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
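Added example (not part of the thread, and not systemd's or NetworkManager's own code): a small model of the per-link DNS routing that systemd-resolved performs, next to the "first VPN gets everything" behaviour of a plain /etc/resolv.conf that Michael describes. The link names, server addresses and domains are constructed for the example. The routing rule modelled is the documented one: a query goes to the link(s) whose routing domain is the longest suffix match of the name, "~." is the catch-all at the lowest specificity, links with no match fall back to those flagged as default route, and equally specific matches are queried in parallel (returned here as a list). The "use this VPN only for resources on its network" checkbox is modelled as `default_route=False`; the hijack case is Florian's scenario of a public VPN advertising a corporate subdomain.

```python
"""Model of systemd-resolved-style split DNS routing (illustrative, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    dns: list[str]
    # Routing domains as resolvectl shows them: "~corp.example.com" routes
    # queries under that suffix to this link without using it as a search
    # domain; "~." is the catch-all.
    domains: list[str] = field(default_factory=list)
    # resolved's DefaultRoute: also receive queries no routing domain matched.
    default_route: bool = True


def _labels(dom: str) -> int:
    """Specificity of a routing domain: number of labels ("~." counts as 0)."""
    d = dom.lstrip("~").strip(".")
    return 0 if d == "" else d.count(".") + 1


def _matches(name: str, dom: str) -> bool:
    d = dom.lstrip("~").strip(".").lower()
    if d == "":
        return True  # "~." matches every name
    return name == d or name.endswith("." + d)


def route_query(name: str, links: list[Link]) -> list[str]:
    """Names of the links whose DNS servers receive the query for `name`."""
    name = name.strip(".").lower()
    best_len, best = -1, []
    for link in links:
        for dom in link.domains:
            if not _matches(name, dom):
                continue
            n = _labels(dom)
            if n > best_len:
                best_len, best = n, [link.name]
            elif n == best_len and link.name not in best:
                best.append(link.name)  # equal specificity: queried in parallel
    if best:
        return best
    return [l.name for l in links if l.default_route]


def without_resolved(name: str, links: list[Link]) -> list[str]:
    """Plain resolv.conf: whichever link wrote the file first answers everything."""
    return [links[0].name] if links else []


# Constructed scenario: public VPN connected first, corporate VPN second with
# "use this connection only for resources on its network" checked.
PUBLIC_VPN = Link("public-vpn", ["10.8.0.1"], ["~."])
CORP_VPN = Link("corp-vpn", ["10.20.0.53"], ["~corporation.example.com"],
                default_route=False)
LINKS = [PUBLIC_VPN, CORP_VPN]


def hijack_links() -> list[Link]:
    """Florian's scenario: the public VPN also claims a corporate subdomain."""
    evil = Link("public-vpn", ["10.8.0.1"],
                ["~.", "~subdomain.corporation.example.com"])
    return [evil, CORP_VPN]


if __name__ == "__main__":
    for qname in ("subdomain.corporation.example.com", "www.example.org"):
        print(qname, "->", route_query(qname, LINKS),
              "(plain resolv.conf:", without_resolved(qname, LINKS), ")")
    print("hijack:", route_query("host.subdomain.corporation.example.com",
                                 hijack_links()))
```

The longer-suffix rule is what makes the hijack work: the public VPN's `~subdomain.corporation.example.com` beats the corporate link's `~corporation.example.com`, and with an equally specific claim both links are asked and the first answer wins. Nothing in the routing itself tells the two apart, which is the "goes both ways" point in the reply.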