Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 29, 2020 at 4:06 pm, Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx> wrote:
It is not an exotic one, but this behavior was in the past considered
a vulnerability (information disclosure) [0]. Are we re-introducing
it? I guess yes, and it can be that the benefits of it outweigh the
vulnerability, but we should be explicit about it in our release
notes.

[0]. CVE-2018-1000135 https://bugzilla.redhat.com/show_bug.cgi?id=1558238

If all I knew about this was what Lennart just wrote, I would be very concerned, because preventing DNS leaks is very important. But Lennart is not considering that NetworkManager is not going to configure systemd-resolved to operate like this. Lennart's described behavior only applies if you give systemd-resolved absolutely no information for how to route the DNS. But NetworkManager will not do that, it will do the right thing. E.g. if you have one "primary VPN" configured that accepts all traffic, your DNS goes to that VPN. It's not going to leak DNS queries to your router or to your ISP. If you have a VPN that only accepts traffic on its own network, it gets that DNS and not more. This is way better than the status quo prior to systemd-resolved where unexpected behavior was the norm.

In particular, if you have a VPN that does not select "use this connection only for resources on its network," then NetworkManager will configure a DNS domain ~. corresponding to the VPN's tun interface. All DNS goes there and only there unless it matches another search domain.

Michael

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux