Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I don't think my description is misleading....

On Mon, Sep 28, 2020 at 5:28 pm, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
* The change disables protection mechanisms built into corporate VPNs
  that require them to observe all DNS traffic. Now this may sound
rather weak as far as countermeasures go, but DNS-based mechanisms are
  the only thing you have got if you do not enforce a client-side
  approach (ugh, no thanks), or disable split tunneling (i.e., default
  route over the VPN; frequently not possible with current VPN usage
  levels and virtual company meetings over video link).

Correct. If you want to observe all DNS traffic, that is no longer possible by default unless you also handle routing all traffic. I'd argue that's a good change. From a system design perspective, that's just how DNS ought to work.

I don't think it would be smart for employees to voluntarily opt-in to sending all DNS to their employer anyway... there's little benefit to the employee, and a lot of downside. Importantly, if you're looking in your network settings and you see a checkbox that says "Use this connection only for resources on its network," a reasonable user *expects* that the connection will *really* only be used for resources on its network, not that it will be used for everything except DNS, which randomly goes to who knows where depending on what else you're connected to. Our design must try to avoid this failure case: "Sadly for Distrustful Denise, her employer discovers that she has been making some embarrassing DNS requests that she had expected to go through public-vpn.example.com instead."

Of course, it's still possible to get the old behavior if you really want to, but it will now require custom configuration not available via GUI, and nobody really wants to opt-in to that behavior, so it's not likely to be used except in managed corporate systems. If you're using a managed system, you're probably surveilled anyway, so better assume nothing is safe.

* There is no real protocol for sharing internal domains, so
  systemd-resolved cannot know all of them, and resolving some of them
  will fail or receive unexpected resolution results (probably
observable for some jboss.org subdomains for Red Hatters, but I don't
  work in that area, so I don't have a good example at hand).

Yes, that's true. And there's not currently any good solution to that without resorting to the command line.

Michael

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux