Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mo, 28.09.20 16:39, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> * Michael Catanzaro:
>
> > If you're running mail servers or VPN servers, you can probably
> > configure the DNS to your liking, right? Either enable DNSSEC support
> > in systemd-resolved, or disable systemd-resolved. I'm not too
> > concerned about this....
>
> What about end users who just enable a VPN client?
>
> My understanding is that the DNS request routing in systemd-resolved
> effectively disables any security mechanisms on the VPN side, and
> instructs most current browsers to route DNS requests to centralized DNS
> servers for all requests (i.e., overriding what came from both the VPN
> and DHCP).

That's not precisely true. resolved maintains DNS server info
per-interface, i.e. your vpn will have one set of servers attached to
them, and your main interface another. We then try to route lookups to
these servers following some logic that tries to make the best of what
is known. Specifically, you can configure "routing" domains for each
iface, which will bind traffic within some domain onto such
interface. If none is configured then this is implicitly populated by
the search domains configured along with the DNS server info, if that
exists. If for some lookup no such routing domain is known then we'll
send traffic to the DNS servers of all interfaces in parallel, using
the first positive/last negative reply.

This emphasizes that DNS lookups should just work, and provides —
unlike nss-dns/resolv.conf — a way how in VPN setups you can route
your lookups explicitly to avoid they leak to the wrong networks.

You can also specify "." as routing domain on some iface btw, which
has the affect of routing all traffic preferable to that iface taking
it away from all others (except those which also have routing domains
configured for the relavant domains).

So, yes, you have tight control where things go, and can configure
this per domain. For example you can tell resolved to route redhat.com
queries to the RH VPN iface, and everything else to internet.

Previously, in the status pre-resolved all you could do is
all-or-nothing. Either everything goes to VPN or all goes to main
iface. (You can get this behaviour by resolved too, via the "."
routing domain if you like).

But it's a bit unfair to claim things where a step back while they are
actually a step forward, since we have the routing infra now.

I have the suspicion the main issue you are having is that we default
to "all in parallel" if in doubt about lookups, while you want "vpn
always wins" if in doubt about lookups. I am think our approach is
more robust which is why we took it.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux