Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

On Tue, 2020-09-29 at 20:01 +0200, Lennart Poettering wrote:
> On Di, 29.09.20 13:56, Simo Sorce (simo@xxxxxxxxxx) wrote:
> 
> > On Tue, 2020-09-29 at 12:59 +0200, Lennart Poettering wrote:
> > > On Di, 29.09.20 03:49, John M. Harris Jr (johnmh@xxxxxxxxxxxxx) wrote:
> > > 
> > > > Search domains have absolutely nothing to do with routing. Search domains are
> > > > specifically used for resolving non-FQDN to FQDN. This isn't a reliable way to
> > > > see what domains are handled by a VPN, or by any DNS server.
> > > > 
> > > > The Red Hat VPN is a good example of this, as not every internal subdomain is
> > > > in search domains. That's the case for many VPNs, corporate or personal.
> > > 
> > > Please read what I wrote: we have nothing better. And no it's not a
> > > perfectly complete solution, I am aware of that. Configure the routes
> > > explicitly if you want, it's easy, and add the extra domains to the
> > > per-interface route and all will be jolly. If you don't, then things
> > > will still work, but mean that queries that aren't listed in any
> > > search domains will be sent to both the VPN and the main iface DNS,
> > > thus the RH VPN will work perfectly fine — only drawback is that
> > > those internal domains not listed as search domains might be seen on
> > > the internet. But what would you expect to happen here? If you don't tell us
> > > the routing we cannot do fully perfect routing to your wishes, you
> > > need to give us something.
> > > 
> > > Search domains on VPNs are an indicator that these domains are handled
> > > by the VPN, that's why we use them also as routing domains. But this
> > > doesn't mean it's the *only* routing domains we use. We use the ones
> > > you configure, primarily. But since the concept didn't previously exist
> > > we make the best from what we have.
> > 
> > I see conflicting information here from you and Michael Catanzaro.
> > 
> > You have mentioned quite a few times a fan out and leakage of name
> > searches on all interfaces, while Michael said in response to me that
> > if you do not select the magic option to do split DNS routing that all
> > queries should go to the VPN only, which is it?
> 
> It might be the latter. It's up to NM really: it depends what they tell
> resolved. If they default to associating the "." routing domain with a
> VPN this has the effect that all lookups will be preferably routed
> over that.
> 
> If they don't do that, and define no routing domains, then the
> interface will be in the regular pool of ifaces where we send stuff
> for which no routing domain is defined anywhere.
> 
> So, I defer to Michael here: I didn't actually check what NM opted
> there. It might very well be that they default to configuring "." as
> routing domain for VPNs.

Ah, thanks,
this is good to know; it is hard to figure out what is going on when
there is conflicting information.

If NM does configure resolved this way it is a better option as a default.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc



_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
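The routing behaviour argued about above (search domains doubling as routing domains, "~." as a catch-all, and the "regular pool" fallback that lets unlisted internal names leak to the non-VPN resolver) is easier to reason about in a small model. The following is an added illustration written for this archive page, not systemd-resolved's own code or NetworkManager's configuration: it assumes a simplified version of the documented rules, namely that a link's search domains also act as routing domains, that "~"-prefixed domains are routing-only, that the longest matching suffix wins, and that a link with no routing-only domains stays in the default pool (the documented DNSDefaultRoute= automatic mode). Link names, server addresses and domain names are constructed sample values.

```python
# Added model of per-link DNS query routing as described in the thread.
# Not systemd-resolved code; a simplified reimplementation of the stated rules.
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    servers: list
    # Search domains: used to complete short names AND treated as routing domains.
    search_domains: list = field(default_factory=list)
    # Routing-only domains, written "~example.com"; "~." is the catch-all.
    routing_domains: list = field(default_factory=list)


def _match_labels(name: str, domain: str) -> int:
    """Number of labels in `domain` if `name` lies within it, else -1.
    The root domain "." matches every name with a score of 0."""
    name = name.rstrip(".").lower()
    domain = domain.lstrip("~").rstrip(".").lower()
    if domain == "":
        return 0
    if name == domain or name.endswith("." + domain):
        return domain.count(".") + 1
    return -1


def route_query(name: str, links: list) -> list:
    """Return the names of the links a query for `name` is sent to.
    Longest matching (routing or search) domain wins; ties fan out to all
    links with that match. With no match anywhere, fall back to the
    default pool: every link that carries no routing-only domain."""
    best, chosen = -1, []
    for link in links:
        for domain in link.routing_domains + link.search_domains:
            score = _match_labels(name, domain)
            if score > best:
                best, chosen = score, [link.name]
            elif score == best and score >= 0 and link.name not in chosen:
                chosen.append(link.name)
    if best >= 0:
        return chosen
    return [link.name for link in links if not link.routing_domains]


def make_links(vpn_search=(), vpn_routing=()) -> list:
    """Constructed sample topology: an uplink with no domains and a VPN link."""
    return [
        Link("wlan0", ["192.0.2.53"]),  # constructed uplink resolver
        Link("vpn0", ["198.51.100.53"],  # constructed VPN resolver
             search_domains=list(vpn_search),
             routing_domains=list(vpn_routing)),
    ]


def leaks_to_uplink(name: str, links: list) -> bool:
    """True if a query for `name` reaches the non-VPN resolver."""
    return "wlan0" in route_query(name, links)


if __name__ == "__main__":
    # Case 1: VPN pushes only a search domain. A name outside it (e.g. a
    # second internal zone the VPN did not list) falls into the pool and
    # is seen by the uplink resolver as well: the leakage discussed above.
    links = make_links(vpn_search=["corp.example"])
    print(route_query("wiki.corp.example", links))   # ['vpn0']
    print(route_query("internal.example", links))    # ['wlan0', 'vpn0']

    # Case 2: "~." on the VPN makes it the preferred route for everything.
    links = make_links(vpn_search=["corp.example"], vpn_routing=["~."])
    print(route_query("internal.example", links))    # ['vpn0']

    # Case 3: explicit routing-only domain: the extra zone is routed to the
    # VPN, and the VPN leaves the default pool, so public names use the uplink.
    links = make_links(vpn_search=["corp.example"],
                       vpn_routing=["~internal.example"])
    print(route_query("internal.example", links))    # ['vpn0']
    print(route_query("www.example.org", links))     # ['wlan0']
```

Case 1 is the fan-out Simo asked about; case 2 is the "." default Lennart describes; case 3 is the explicit configuration he recommends, which both fixes the routing of the unlisted zone and stops the VPN from receiving unrelated public queries.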