On Tue, Sep 29, 2020 at 4:06 pm, Nikos Mavrogiannopoulos
<nmav@xxxxxxxxxx> wrote:
> It is not an exotic one, but this behavior was in the past considered
> a vulnerability (information disclosure) [0]. Are we re-introducing
> it? I guess yes, and it can be that the benefits of it outweigh the
> vulnerability, but we should be explicit about it in our release
> notes.
> [0]. CVE-2018-1000135
> https://bugzilla.redhat.com/show_bug.cgi?id=1558238
If all I knew about this was what Lennart just wrote, I would be very
concerned, because preventing DNS leaks is very important. But Lennart
is not considering that NetworkManager is not going to configure
systemd-resolved to operate like this. Lennart's described behavior
only applies if you give systemd-resolved absolutely no information for
how to route the DNS. But NetworkManager will not do that, it will do
the right thing. E.g. if you have one "primary VPN" configured that
accepts all traffic, your DNS goes to that VPN. It's not going to leak
DNS queries to your router or to your ISP. If you have a VPN that only
accepts traffic on its own network, it gets that DNS and not more. This
is way better than the status quo prior to systemd-resolved where
unexpected behavior was the norm.
In particular, if you have a VPN that does not select "use this
connection only for resources on its network," then NetworkManager will
configure a DNS domain ~. corresponding to the VPN's tun interface. All
DNS goes there and only there unless it matches another search domain.
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
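A check for the per-link routing described in Michael's message, added here as an example and not part of the thread: it parses `resolvectl status` text (a constructed sample; the field layout, including the older "DefaultRoute setting: yes" form, is assumed from resolvectl's human-readable output) and reports which link owns the `~.` catch-all domain and which links are default routes.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads `resolvectl status` text on
# stdin and reports which links own the "~." catch-all routing domain and
# which are default-route links. The field layout (and the older
# "DefaultRoute setting: yes" form) is assumed from resolvectl's output.
dns_routing_report() {
    awk '
        /^Link [0-9]+ \(/ {                     # "Link 5 (tun0)" -> link="tun0"
            link = $0
            sub(/^Link [0-9]+ \(/, "", link); sub(/\).*/, "", link)
        }
        link != "" && (/Protocols:.*\+DefaultRoute/ || /DefaultRoute setting: yes/) {
            print "default-route: " link; d++
        }
        link != "" && /DNS Domain:/ {            # fields 3.. are the domains
            for (i = 3; i <= NF; i++) if ($i == "~.") { print "catch-all: " link; c++ }
        }
        END {
            if (c > 0) print "verdict: " c " catch-all link(s); non-matching queries go only there"
            else if (d > 1) print "verdict: no catch-all; " d " default-route links share queries"
            else print "verdict: no catch-all; single default-route link"
        }'
}

# Constructed sample: a Wi-Fi link plus a NetworkManager-managed VPN that
# accepts all traffic, so its tun interface carries "~." (as described above).
SAMPLE_STATUS='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (wlan0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 5 (tun0)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.8.0.1
        DNS Domain: ~. corp.example'

printf '%s\n' "$SAMPLE_STATUS" | dns_routing_report
# Same status with the "~." removed and tun0 made a default route: no link
# owns the non-matching queries, so they may be sent over either link.
printf '%s\n' "$SAMPLE_STATUS" | sed 's/~\. //; s/-DefaultRoute/+DefaultRoute/' \
    | dns_routing_report
```

On a live system, pipe `resolvectl status` into `dns_routing_report` instead of the sample.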