On Mo, 28.09.20 16:39, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> * Michael Catanzaro:
>
> > If you're running mail servers or VPN servers, you can probably
> > configure the DNS to your liking, right? Either enable DNSSEC support
> > in systemd-resolved, or disable systemd-resolved. I'm not too
> > concerned about this....
>
> What about end users who just enable a VPN client?
>
> My understanding is that the DNS request routing in systemd-resolved
> effectively disables any security mechanisms on the VPN side, and
> instructs most current browsers to route DNS requests to centralized DNS
> servers for all requests (i.e., overriding what came from both the VPN
> and DHCP).

That's not precisely true. resolved maintains DNS server info per-interface, i.e. your VPN will have one set of servers attached to it, and your main interface another. We then try to route lookups to these servers following some logic that tries to make the best of what is known. Specifically, you can configure "routing" domains for each iface, which will bind traffic within some domain onto such an interface. If none is configured then this is implicitly populated by the search domains configured along with the DNS server info, if that exists. If for some lookup no such routing domain is known then we'll send traffic to the DNS servers of all interfaces in parallel, using the first positive/last negative reply. This emphasizes that DNS lookups should just work, and provides — unlike nss-dns/resolv.conf — a way in which, in VPN setups, you can route your lookups explicitly to avoid them leaking to the wrong networks. You can also specify "." as routing domain on some iface btw, which has the effect of routing all traffic preferably to that iface, taking it away from all others (except those which also have routing domains configured for the relevant domains). So, yes, you have tight control over where things go, and can configure this per domain.

For example you can tell resolved to route redhat.com queries to the RH VPN iface, and everything else to the internet. Previously, in the status pre-resolved, all you could do is all-or-nothing. Either everything goes to the VPN or all goes to the main iface. (You can get this behaviour with resolved too, via the "." routing domain if you like). But it's a bit unfair to claim things were a step back while they are actually a step forward, since we have the routing infra now.

I have the suspicion the main issue you are having is that we default to "all in parallel" if in doubt about lookups, while you want "VPN always wins" if in doubt about lookups. I think our approach is more robust, which is why we took it.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
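The routing rules Lennart describes (per-interface routing domains, implicit fallback to search domains, "." as a catch-all that loses to more specific domains, and "all interfaces in parallel" when nothing matches) are small enough to model. The following is an added illustration written for this page, not systemd's own code; the `Link` class, the interface names and the domains are constructed, and the real configuration would be done with `resolvectl dns`/`resolvectl domain` (where a `~` prefix marks a routing-only domain):

```python
"""Model of the per-interface lookup routing described in the message above."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Link:
    name: str
    dns: list                         # DNS servers attached to this interface
    search: list = field(default_factory=list)   # ordinary search domains
    routing: list = field(default_factory=list)  # explicit routing domains

    def effective_routing_domains(self):
        # With no explicit routing domain, the search domains are used implicitly.
        return self.routing or self.search


def _norm(d: str) -> str:
    return d.strip().rstrip(".").lower()


def match_len(name: str, domain: str) -> Optional[int]:
    """Number of labels of `domain` that suffix-match `name`, or None if no match."""
    domain = _norm(domain)
    if domain == "":                  # "." matches every name, but with the weakest score
        return 0
    if name == domain or name.endswith("." + domain):
        return domain.count(".") + 1
    return None


def route(name: str, links: list) -> list:
    """Names of the links a lookup for `name` is sent to.

    The longest routing-domain match wins; links tying for the best match all
    receive the query; with no match at all it goes to every link in parallel."""
    name = _norm(name)
    best, chosen = None, []
    for link in links:
        scores = [match_len(name, d) for d in link.effective_routing_domains()]
        scores = [s for s in scores if s is not None]
        if not scores:
            continue
        score = max(scores)
        if best is None or score > best:
            best, chosen = score, [link.name]
        elif score == best:
            chosen.append(link.name)
    return chosen or [link.name for link in links]
```

Comparing `route()` over a link set with and without `"."` on the main interface shows the "all in parallel" default versus the "everything else to the internet" configuration, and putting `"."` on the VPN link gives the "VPN always wins" behaviour.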