Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Michael Catanzaro:

> On Mon, Sep 28, 2020 at 4:39 pm, Florian Weimer <fweimer@xxxxxxxxxx>
> wrote:
>> My understanding is that the DNS request routing in systemd-resolved
>> effectively disables any security mechanisms on the VPN side, and
>> instructs most current browsers to route DNS requests to centralized
>> DNS
>> servers for all requests (i.e., overriding what came from both the VPN
>> and DHCP).
>
> No... certainly not. Previously, VPNs only worked properly if you have
> exactly one VPN, and it's configured to receive all traffic. Using a 
> VPN that receives traffic only for resources on its network, or using
> multiple VPNs at once, would result in DNS leaks. In fact, making VPNs 
> work properly is the *only* reason I'm involved in this. I was
> frustrated to see that Fedora sometimes sent my requests for internal 
> Red Hat resources to my public VPN's DNS server instead of Red Hat's
> DNS servers. See [1] for a comparison between previous and new
> behavior.

But the DNS view provided by the Red Hat VPN is what disables the
centralized DNS resolvers in browsers in these configurations.  The
magic browser probe no longer fails with the change in DNS routing
(which the proposal confusingly names “Split DNS”) because it goes out
over the public Internet, where it is not filtered, unlike the Red Hat
VPN.

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux