* Michael Catanzaro: > On Mon, Sep 28, 2020 at 4:39 pm, Florian Weimer <fweimer@xxxxxxxxxx> > wrote: >> My understanding is that the DNS request routing in systemd-resolved >> effectively disables any security mechanisms on the VPN side, and >> instructs most current browsers to route DNS requests to centralized >> DNS >> servers for all requests (i.e., overriding what came from both the VPN >> and DHCP). > > No... certainly not. Previously, VPNs only worked properly if you have > exactly one VPN, and it's configured to receive all traffic. Using a > VPN that receives traffic only for resources on its network, or using > multiple VPNs at once, would result in DNS leaks. In fact, making VPNs > work properly is the *only* reason I'm involved in this. I was > frustrated to see that Fedora sometimes sent my requests for internal > Red Hat resources to my public VPN's DNS server instead of Red Hat's > DNS servers. See [1] for a comparison between previous and new > behavior. But the DNS view provided by the Red Hat VPN is what disables the centralized DNS resolvers in browsers in these configurations. The magic browser probe no longer fails with the change in DNS routing (which the proposal confusingly names “Split DNS”) because it goes out over the public Internet, where it is not filtered, unlike the Red Hat VPN. Thanks, Florian -- Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx