Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

On Mon, 28 Sep 2020, Michael Catanzaro wrote:

I don't think it would be smart for employees to voluntarily opt-in to sending all DNS to their employer anyway... there's little benefit to the employee, and a lot of downside.

Again, it is not up to systemd to limit valid use cases.

Perhaps listen to or read Paul Vixie, father of many BIND software releases:

https://www.youtube.com/watch?v=ZxTdEEuyxHU

https://www.theregister.com/2018/10/23/paul_vixie_slaps_doh_as_dns_privacy_feature_becomes_a_standard/

There are use cases for and against routing all DNS over your VPN. If
systemd wants to play system resolver, it needs to be able to be
configured for either use case. You don't get to limit our use cases.

network settings and you see a checkbox that says "Use this connection only for resources on its network," a reasonable user *expects* that the connection will *really* only be used for resources on its network, not that it will be used for everything except DNS, which randomly goes to who knows where depending on what else you're connected to. Our design must try to avoid this failure case: "Sadly for Distrustful Denise, her employer discovers that she has been making some embarrassing DNS requests that she had expected to go through public-vpn.example.com instead."

See my previous email with respect to RFC 8598. There is a standard
for this. We supported this in libreswan with unbound before we even
forked from openswan, 10 years ago. I had also patched openvpn when Red
Hat switched VPN service type but it seems that patch got lost along
the way.

Of course, it's still possible to get the old behavior if you really want to, but it will now require custom configuration not available via GUI

Again, this mentality of "power users can fend for themselves" and "only
our own use cases matter".

, and nobody really wants to opt-in to that behavior

Some people like using a "DNS firewall", or have their VPN admins
require it. Don't map use cases only on your own desired use cases.
I can't really stress this enough, as it is constantly coming up
within systemd projects.

 * There is no real protocol for sharing internal domains, so
   systemd-resolved cannot know all of them, and resolving some of them
   will fail or receive unexpected resolution results (probably
   observable for some jboss.org subdomains for Red Hatters, but I don't
   work in that area, so I don't have a good example at hand).

Yes, that's true. And there's not currently any good solution to that without resorting to the command line.

See above. libreswan IPsec VPNs have supported this for 10+ years. No
command line required.

Paul