On Mon, Sep 28, 2020 at 4:39 pm, Florian Weimer <fweimer@xxxxxxxxxx>
wrote:
> My understanding is that the DNS request routing in systemd-resolved
> effectively disables any security mechanisms on the VPN side, and
> instructs most current browsers to route DNS requests to centralized DNS
> servers for all requests (i.e., overriding what came from both the VPN
> and DHCP).
No... certainly not. Previously, VPNs only worked properly if you have
exactly one VPN, and it's configured to receive all traffic. Using a
VPN that receives traffic only for resources on its network, or using
multiple VPNs at once, would result in DNS leaks. In fact, making VPNs
work properly is the *only* reason I'm involved in this. I was
frustrated to see that Fedora sometimes sent my requests for internal
Red Hat resources to my public VPN's DNS server instead of Red Hat's
DNS servers. See [1] for a comparison between previous and new behavior.
Now, we do currently have the one bug where NetworkManager doesn't
configure systemd-resolved properly [2], but we only know of one
affected user, and that's going to be fixed. Your VPNs will probably
work properly in F33 with no configuration changes.
[1] https://fedoraproject.org/wiki/Changes/systemd-resolved#Split_DNS
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1863041
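To make the split-DNS behaviour discussed in this thread concrete, here is an added, simplified model of per-link DNS request routing (not systemd-resolved's or NetworkManager's own code). It assumes the documented scheme: each link carries DNS servers and routing domains, the link with the longest matching routing domain wins, "~." is a catch-all, and a default-route link receives whatever nothing else claims. Link names, addresses and domains are constructed for the example.

```python
"""Constructed model of split-DNS routing: which link's DNS servers a
query for a given name is sent to. Simplified; not resolved's own logic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    dns: List[str]
    domains: List[str] = field(default_factory=list)  # "~example" routes; "~." = catch-all
    default_route: bool = False  # receives queries no routing domain matches


def _match_len(name: str, domain: str) -> int:
    """Number of labels matched if `domain` is a suffix of `name`, else -1.
    The catch-all "~." matches everything with the lowest priority (0)."""
    if domain == "~.":
        return 0
    domain = domain.lstrip("~").rstrip(".").lower()  # search and routing domains alike
    name = name.rstrip(".").lower()
    if name == domain or name.endswith("." + domain):
        return domain.count(".") + 1
    return -1


def route(name: str, links: List[Link]) -> Optional[Link]:
    """Longest routing-domain match wins; fall back to a default-route link."""
    best, best_len = None, -1
    for link in links:
        for d in link.domains:
            m = _match_len(name, d)
            if m > best_len:
                best, best_len = link, m
    if best is not None:
        return best
    return next((lk for lk in links if lk.default_route), None)


# Constructed setup: LAN from DHCP, a public VPN taking all traffic, and a
# corporate VPN that only claims its own internal domain.
LINKS = [
    Link("wlan0", ["192.168.1.1"], default_route=True),
    Link("tun-public", ["10.8.0.1"], ["~."]),
    Link("tun-corp", ["10.0.0.53"], ["~corp.example"]),
]


def example_routing(links: List[Link] = LINKS) -> Dict[str, Optional[str]]:
    """Which link each sample query is routed to (None = unresolvable)."""
    names = ["intranet.corp.example", "www.example.org"]
    return {n: (lk.name if (lk := route(n, links)) else None) for n in names}
```

With only a single global resolv.conf, both sample names would have gone to whichever VPN last wrote that file; here the internal name is answered over the corporate VPN and everything else over the public one, which is the leak the thread describes being closed.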