On Tue, Sep 29, 2020 at 3:43 PM Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>
> On Di, 29.09.20 04:03, John M. Harris Jr (johnmh@xxxxxxxxxxxxx) wrote:
>
> > > Search domains on VPNs are an indicator that these domains are handled
> > > by the VPN, that's why we use them also as routing domains. But this
> > > doesn't mean it's the *only* routing domains we use. We use the ones
> > > you configure, primarily. But since the concept didn't previously exist
> > > we make the best from what we have.
> >
> > If you really must send DNS queries to both (which defeats the purpose of
> > 'Split DNS'), then it may be better to just use the DNS server of the VPN when
> > connected to VPN, then only check the LAN interface when the response is
> > NXDOMAIN.
>
> As mentioned in this thread already: this policy makes sense for some
> cases but not for others.
>
> For example, if I have my laptop in my home wifi, connected to RH VPN,
> then there are some names resolvable only via the local
> DNS. Specifically: my router's, my printer's and my NAS' address. And
> there are other names only resolvable via RH VPN. systemd-resolved for
> the first time gives me a chance for this to just work: it will send
> requests to both the RH DNS servers and the local ones, and uses the
> first successful reply, or the last failed reply. And that's quite
> frankly awesome, because that *never* worked before.
>
> So sending the requests to all available DNS servers in absence of
> better routing info is a great enabler: it makes DNS "just work" for
> many cases, including my own, and I doubt it's a particularly exotic
> one.

It is not an exotic one, but this behavior was in the past considered a
vulnerability (information disclosure) [0]. Are we re-introducing it? I
guess yes, and it can be that the benefits of it outweigh the
vulnerability, but we should be explicit about it in our release notes.

[0]. CVE-2018-1000135 https://bugzilla.redhat.com/show_bug.cgi?id=1558238

>
> Key take-away here:
>
> 1. Ideally we'd just route company DNS traffic to VPN, and everything
> else to local LAN DNS. But that requires explicit routing info to
> be configured, we cannot auto-detect this info (beyond some minor
> inference from the search domains)

Do we know which Fedora-shipped VPNs work well with split-dns and which
will lead to leaking the web sites accessed?

regards,
Nikos
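To make the routing decision discussed above concrete, here is an added illustration (not systemd-resolved's own code) of a simplified per-link routing model: a name ending in a link's routing domain goes only to that link, while a name matching no routing domain fans out to every default-route link, which is the fan-out the referenced CVE is about. Link names, server addresses and domains are constructed sample values, and the `default_route` flag is an assumed simplification of how a link becomes eligible for unmatched names.

```python
# Added illustration (not systemd-resolved's code): simplified per-link DNS routing.
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    servers: list                                # DNS servers reachable via this link
    domains: list = field(default_factory=list)  # "~x": routing only, "x": search + routing
    default_route: bool = True                   # assumed flag: may receive unmatched names

def _suffix_len(name, domain):
    """Label-wise suffix match length of `domain` in `name`, or -1 if no match."""
    name = name.rstrip(".").lower()
    domain = domain.lstrip("~").rstrip(".").lower()
    if domain == "":                             # "~." matches everything, lowest priority
        return 0
    if name == domain or name.endswith("." + domain):
        return len(domain)
    return -1

def route_query(name, links):
    """Return the link names a query for `name` is sent to: the longest routing
    domain match wins; with no match at all, every default-route link gets it."""
    best_len, best = -1, []
    for link in links:
        for dom in link.domains:
            n = _suffix_len(name, dom)
            if n > best_len:
                best_len, best = n, [link]
            elif n == best_len and n >= 0 and link not in best:
                best.append(link)
    if best:
        return [link.name for link in best]
    return [link.name for link in links if link.default_route]

# Scenario from the thread: home wifi plus a company VPN (constructed values).
wifi = Link("wlan0", ["192.0.2.1"], domains=["lan"])
vpn_bare = Link("tun0", ["198.51.100.53"])                   # no routing info configured
vpn_routed = Link("tun0", ["198.51.100.53"], domains=["~corp.example"], default_route=False)

def scenarios():
    """Constructed queries; returns {case: links the query would be sent to}."""
    return {
        "leak":    route_query("intranet.corp.example", [wifi, vpn_bare]),    # both links
        "routed":  route_query("intranet.corp.example", [wifi, vpn_routed]),  # VPN only
        "local":   route_query("printer.lan", [wifi, vpn_routed]),            # wifi only
        "unknown": route_query("www.example.org", [wifi, vpn_routed]),        # wifi only
    }
```

The "leak" case is the unconfigured state: the internal name reaches the home network's resolver as well as the VPN's, whereas a routing domain on the VPN link keeps it on the VPN and keeps LAN-only names off it.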