On Fri, Sep 11, 2020 at 01:55:54AM -0700, John M. Harris Jr wrote:
> On Thursday, September 10, 2020 10:38:51 PM MST Zbigniew Jędrzejewski-Szmek
> wrote:
> > On Thu, Sep 10, 2020 at 06:37:56PM -0700, John M. Harris Jr wrote:
> > > On Thursday, September 10, 2020 4:42:24 AM MST Zbigniew Jędrzejewski-Szmek
> > > wrote:
> > > > On Thu, Sep 10, 2020 at 01:27:30PM +0200, alciregi@xxxxxxxxxx wrote:
> > > > > On Thu, 2020-09-10 at 12:06 +0200, Eugene Syromiatnikov wrote:
> > > > > > > These DNS addresses are bundled upstream in systemd. And they are
> > > > > > > used in the event of a misconfiguration of your network settings,
> > > > > > > isn't it?
> > > > > > > However they are easily customizable in /etc/systemd/resolved.conf
> > > > > > > (FallbackDNS option)
> > > > > >
> > > > > > It's about the distribution's default setting, not a configuration
> > > > > > possibility.
> > > > >
> > > > > "Which servers are used (or any at all) as a fallback is a compile-time
> > > > > as well as a runtime option. If you don't like the upstream defaults,
> > > > > then please work with downstream to pick different options or make the
> > > > > choices locally in your configuration files."
> > > > >
> > > > > As a concerned user, you can configure the FallbackDNS option in
> > > > > /etc/systemd/resolved.conf and put whatever DNS you prefer. Google and
> > > > > so on will never be contacted.
> > > > >
> > > > > Obviously the distribution can put different DNS in systemd at compile
> > > > > time, or provide a default resolved.conf file where FallbackDNS is
> > > > > uncommented and filled.
> > > >
> > > > Exactly. With my maintainer hat on: this is a non-issue.
> > > > We consider current defaults (a working fallback configuration out of
> > > > the box that has a very minor information leak) better than the proposed
> > > > (a non-working fallback configuration). If you need to, provide the
> > > > trivial two-line dropin file to override this locally.
> > >
> > > Zbyszek,
> > >
> > > I'm definitely not suggesting something that is "non-working". That said,
> > > not having any DNS servers configured indicates that remote lookup
> > > should not be used, not that a random DNS server should be picked by the
> > > resolver itself. When there are no DNS servers, the expected behavior is
> > > that no external servers are used for lookup.
> >
> > There are no environments where remote lookup SHOULD NOT be used. There
> > are remote environments where it MUST NOT be used, and environments where
> > it is expected to work. For the former, just emptying /etc/resolv.conf is a
> > halfway measure that doesn't do enough so strong filtering with namespaces
> > or routing must be provided anyway. In the second case, we want to have
> > working networking (even if your local crappy dns router forgets to attach
> > a dns server to the dhcp lease or such).
>
> When you have no configured DNS servers, remote lookup SHOULD NOT be used.
> Only local domain resolution should be used. This is how it has been for
> decades, and there's no reason to change this. That's expected functionality.
>
> We have working networking even without DNS. If there are no DNS servers
> configured, no remote DNS servers should ever be contacted by the resolver.

Your position is very clear. Let's agree to disagree.

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
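
Added example (not part of the thread and not systemd code): a small audit helper that reads resolved.conf text plus drop-ins and reports whether the compiled-in fallback servers discussed above would still apply, using the two-line drop-in as sample input. It assumes that any FallbackDNS= assignment in [Resolve], even an empty one, replaces the compiled-in list, and that repeated assignments accumulate until an empty one resets them; the file names and sample contents are constructed.

```python
import re

# Constructed sample: a stock resolved.conf with the option left commented out.
MAIN = "[Resolve]\n#DNS=\n#FallbackDNS=\n"
# Constructed two-line drop-in (the file name used below is hypothetical).
DROPIN = "[Resolve]\nFallbackDNS=\n"


def effective_fallback_dns(files):
    """Return (servers, uses_builtin) for (name, text) pairs given in read
    order: the main resolved.conf first, then drop-ins sorted by file name."""
    servers, assigned = [], False
    for _name, text in files:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue                       # blank line or comment
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                section = header.group(1)
                continue
            key, sep, value = line.partition("=")
            if not sep or section != "Resolve" or key.strip() != "FallbackDNS":
                continue
            assigned = True                    # assumption: any assignment overrides built-ins
            if value.strip():
                servers.extend(value.split())  # non-empty value appends to the list
            else:
                servers.clear()                # empty value resets the list
    return servers, not assigned


def report(files):
    """One-line summary of the effective fallback configuration."""
    servers, builtin = effective_fallback_dns(files)
    if builtin:
        return "compiled-in fallback servers would be used"
    return "fallback servers: " + (" ".join(servers) or "none")


if __name__ == "__main__":
    print(report([("resolved.conf", MAIN)]))
    print(report([("resolved.conf", MAIN), ("10-no-fallback.conf", DROPIN)]))
```

On a live host, `resolvectl status` lists the fallback servers that resolved actually loaded, which is the value to compare against.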