On Thu, Sep 10, 2020 at 06:37:56PM -0700, John M. Harris Jr wrote:
> On Thursday, September 10, 2020 4:42:24 AM MST Zbigniew Jędrzejewski-Szmek wrote:
> > On Thu, Sep 10, 2020 at 01:27:30PM +0200, alciregi@xxxxxxxxxx wrote:
> > > On Thu, 2020-09-10 at 12:06 +0200, Eugene Syromiatnikov wrote:
> > > > > These DNS addresses are bundled upstream in systemd. And they are
> > > > > used in the event of a misconfiguration of your network settings,
> > > > > isn't it?
> > > > > However they are easily customizable in /etc/systemd/resolved.conf
> > > > > (FallbackDNS option)
> > > >
> > > > It's about the distribution's default setting, not a configuration
> > > > possibility.
> > >
> > > "Which servers are used (or any at all) as a fallback is a compile-time
> > > as well as a runtime option. If you don't like the upstream defaults,
> > > then please work with downstream to pick different options or make the
> > > choices locally in your configuration files."
> > >
> > > As a concerned user, you can configure the FallbackDNS option in
> > > /etc/systemd/resolved.conf and put whatever DNS you prefer. Google and
> > > so on will never be contacted.
> > >
> > > Obviously the distribution can put different DNS in systemd at compile
> > > time, or provide a default resolved.conf file where FallbackDNS is
> > > uncommented and filled.
> >
> > Exactly. With my maintainer hat on: this is a non-issue. We consider
> > current defaults (a working fallback configuration out of the box that
> > has a very minor information leak) better than the proposed (a non-working
> > fallback configuration). If you need to, provide the trivial two-line
> > dropin file to override this locally.
>
> Zbyszek,
>
> I'm definitely not suggesting something that is "non-working". That said, not
> having any DNS servers configured indicates that remote lookup should not be
> used, not that a random DNS server should be picked by the resolver itself.
> When there are no DNS servers, the expected behavior is that no external
> servers are used for lookup.

There are no environments where remote lookup SHOULD NOT not be used.
There are remote environments where it MUST NOT be used, and environments
where it is expected to work. For the former, just emptying /etc/resolv.conf
is a halfway measure that doesn't do enough so strong filtering with
namespaces or routing must be provided anyway. In the second case, we want to
have working networking (even if your local crappy dns router forgets to
attach a dns server to the dhcp lease or such).

Zbyszek
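
Added example (not from the thread and not systemd's own code): a small Python audit that reports whether FallbackDNS= is left at the compile-time default, overridden, or emptied by a drop-in like the one mentioned in the message above. It assumes resolved.conf semantics in which a non-empty assignment appends, an empty one resets the list and any assignment suppresses the built-in servers; it reads only /etc, and the function names, file names and 192.0.2.x / 2001:db8:: addresses are constructed for illustration.

```python
import tempfile
from pathlib import Path

def effective_fallback_dns(root="/"):
    """Return (state, servers) for FallbackDNS= as configured under root.

    state: "builtin"  - never assigned; the compile-time list applies
           "disabled" - assigned, final list empty; no fallback servers
           "custom"   - assigned with the returned servers
    Simplification: only /etc is read (systemd also merges /run and /usr/lib).
    """
    etc = Path(root) / "etc/systemd"
    files = [etc / "resolved.conf"]
    files += sorted((etc / "resolved.conf.d").glob("*.conf"))  # lexical order
    assigned, servers = False, []
    for path in files:
        if not path.is_file():
            continue
        section = None
        for raw in path.read_text().splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # commented-out defaults do not count as assignments
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section == "Resolve" and sep and key.strip() == "FallbackDNS":
                assigned = True
                if value.strip():
                    servers.extend(value.split())  # non-empty: append
                else:
                    servers.clear()                # empty: reset the list
    if not assigned:
        return "builtin", []
    return ("custom", servers) if servers else ("disabled", [])

def make_tree(main_conf, dropins=None):
    """Build a constructed config tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp())
    conf_d = root / "etc/systemd/resolved.conf.d"
    conf_d.mkdir(parents=True)
    (root / "etc/systemd/resolved.conf").write_text(main_conf)
    for name, text in (dropins or {}).items():
        (conf_d / name).write_text(text)
    return root

if __name__ == "__main__":
    stock = "[Resolve]\n#FallbackDNS=192.0.2.53\n"  # constructed sample
    no_fallback = {"10-no-fallback.conf": "[Resolve]\nFallbackDNS=\n"}
    print(effective_fallback_dns(make_tree(stock)))
    print(effective_fallback_dns(make_tree(stock, no_fallback)))
```

Calling `effective_fallback_dns()` with no argument audits the running host's /etc; a "builtin" result means the distribution's compiled-in servers are still the fallback.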