On Mo, 28.09.20 10:28, Paul Wouters (paul@xxxxxxxxx) wrote:

> This is better than it was five years ago. I'm glad some things were
> at least successfully conveyed in the Brno meeting. However, this still
> leaks queries meant for the LAN or VPN onto the wide internet and is

Classic resolv.conf cannot communicate to us where what should be routed. There's no per-domain syntax. People have different use cases when they have multiple interfaces with multiple sets of DNS data around. We cannot guess which one of the two ifaces is the one to trust without explicit help.

Thing is: your LAN connection might be your trusted home network, or some untrusted cafe wifi. Your VPN connection might be your trusted home VPN or the VPN to your company where you'd rather not send all DNS traffic. resolved cannot possibly guess what the trust level of ifaces and their DNS servers is, and if we'd prioritize one clearly over the other we are likely getting it wrong: if we send all DNS traffic exclusively to the VPN then you lose resolvability of your local LAN names, such as the router or print config UI. If we send all DNS traffic exclusively to the local router's DHCP-lease-configured DNS server you'd of course lose the ability to resolve company private names.

So what did we opt to do? We think that working DNS is better than non-working DNS: so in absence of any further config info we'll look up names on all interfaces and use the first positive or the last negative answer. This behaviour doesn't bother too much with the security issue, i.e. everything outside the local laptop is considered equally trusted or untrusted. But it maximizes the chance that things just work. And that's inherently a *good* thing, the thing I care about the most.

Now, of course it would be better to only send to the VPN what really needs to be sent to the VPN, and conversely send to the local DHCP-supplied DNS only what shall be sent there. For that we need routing info. We'll synthesize some from search domains, if they are configured, but beyond that we require you to configure them manually.

Summary: we support routing of queries, you can configure that explicitly now, and if you don't you at least have the biggest chance that things "just work".

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
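As an added illustration that is not part of the thread and not systemd-resolved's own code: a small Python model of the query-routing and answer-merging policy described in the message above. Each link carries the DNS servers it learned (DHCP on the wifi, the VPN's pushed config), optional routing domains (what the message says resolved synthesizes from search domains or takes from explicit configuration), and a constructed fake zone standing in for what that link's server knows. With no routing information every link that has servers is asked and the first positive answer wins; with routing domains, only the link with the longest matching domain is asked, and a "." route catches whatever nothing else claims. The link names, addresses, host names and the longest-suffix matching are assumptions of this model, not a description of the real implementation.

```python
"""Model of per-link DNS query routing and answer merging (constructed
example; not systemd-resolved's code). Link names, server addresses, host
names and zone contents are made up."""

from dataclasses import dataclass, field

NXDOMAIN = None  # a negative answer from a link's server


@dataclass
class Link:
    name: str
    servers: list                                         # DNS servers learned on this link
    routing_domains: list = field(default_factory=list)   # "corp.example", or "." for everything
    zone: dict = field(default_factory=dict)              # fake data the link's server knows


def domain_matches(name, domain):
    """True if `name` is `domain` or lies below it; "." matches every name."""
    if domain == ".":
        return True
    return name == domain or name.endswith("." + domain)


def links_for_query(name, links):
    """Choose which links a query goes to.

    Links whose routing domain matches the name are preferred, longest
    suffix first ("." counts as length 0, so it only catches names that no
    other route claims).  Without any matching routing info every link that
    has DNS servers is asked: the "working DNS beats non-working DNS"
    default from the message, which is also where the query leaks.
    """
    scored = []
    for link in links:
        lengths = [0 if d == "." else len(d)
                   for d in link.routing_domains if domain_matches(name, d)]
        if lengths:
            scored.append((max(lengths), link))
    if scored:
        best = max(score for score, _ in scored)
        return [link for score, link in scored if score == best]
    return [link for link in links if link.servers]


def ask(link, name):
    """Stand-in for sending the query to the link's server."""
    return link.zone.get(name, NXDOMAIN)


def resolve(name, links):
    """Return (answer, answering link, names of the links queried).

    The first positive answer wins.  If every link answers negatively the
    result is negative (in the real, parallel case the last negative reply
    is the one reported; in this sequential model they are all equivalent).
    """
    queried = links_for_query(name, links)
    for link in queried:
        rr = ask(link, name)
        if rr is not NXDOMAIN:
            return rr, link.name, [l.name for l in queried]
    return NXDOMAIN, None, [l.name for l in queried]


def example_links(wlan_routes=(), vpn_routes=()):
    """Two constructed links: an untrusted cafe wifi and a company VPN."""
    wlan0 = Link("wlan0", ["192.0.2.53"], list(wlan_routes),
                 {"router.lan": "192.0.2.1", "printer.lan": "192.0.2.20"})
    vpn0 = Link("vpn0", ["10.0.0.53"], list(vpn_routes),
                {"wiki.corp.example": "10.0.0.10"})
    return [wlan0, vpn0]


if __name__ == "__main__":
    # No routing info: the company name still resolves, but the query
    # was also sent to the cafe's resolver.
    print(resolve("wiki.corp.example", example_links()))
    # Routing domain on the VPN: the company name goes only there, while
    # the unclaimed printer.lan is still sent to every link.
    print(resolve("wiki.corp.example", example_links(vpn_routes=["corp.example"])))
    print(resolve("printer.lan", example_links(vpn_routes=["corp.example"])))
    # Route everything to the VPN: the local printer becomes unresolvable.
    print(resolve("printer.lan", example_links(vpn_routes=["."])))
    # Both sides routed: each name goes only where it belongs.
    print(resolve("printer.lan", example_links(wlan_routes=["lan"], vpn_routes=["."])))
```

The third element of each result is the interesting one from a security standpoint: in the unconfigured case it shows the company-internal name being sent to the cafe resolver as well, which is the leak the reply above complains about, and the "." case shows the opposite failure the message warns of, where routing everything to the VPN makes the local printer unresolvable. In systemd-resolved terms the "corp.example" route corresponds to `Domains=~corp.example` on the VPN link (in its .network file, or via `resolvectl domain vpn0 '~corp.example'`) and the "." route to `~.`; the suffix matching in the model is a simplification of how resolved picks links.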