On Thu, 2020-10-01 at 09:03 -0500, Michael Catanzaro wrote: > On Thu, Oct 1, 2020 at 3:32 pm, Marius Schwarz <fedoradev@xxxxxxxxxxxx> > wrote: > > I think, he meant the systemd-resolved fiallback to Cloudflare and > > Google. Is that in the fedora build? If so, i suggest to patch it out. > > That will fix the issue for me in perspective of the GDPR. > > Unless you explain this *very* clearly, I'm going to ignore it, because > it seems farfetched. Fedora is not operating its own DNS server or > collecting any sort of DNS-related data from you. > > We are not going to patch out fallback to Cloudflare or Google because > it is a non-issue. Fallback only happens when you have zero other DNS > servers configured. When was the last time you connected to a network > and there's no DHCP, no nothing? The number of users without some other > working DNS is probably under 0.1%. Even then, I think you also have to > disable NetworkManager for systemd-resolved to ever use its fallback > DNS, because NetworkManager will configure a ~. DNS domain, causing > systemd-resolved to never use its global DNS settings. (I think. That's > my reading of the manpage. Testing welcome from anyone who wants to > confirm that.) > > So (if I'm right) we are talking about the exceeding rare combination > of (a) no DNS set by DHCP, and also (b) user manually disabled > NetworkManager. If you're really going to do (b) you will probably also > disable systemd-resolved, right? Or make the one-line config file > change to remove the fallback DNS? Or just manually set some DNS > server? Seriously, this is a silly thing to worry about. > > Finally, in the extremely unlikely event you do somehow wind up with > Cloudflare and Google DNS, then you should *celebrate*, because they > have extremely strong privacy policies for their DNS. Unless you think > they are just lying about their data collection practices -- which they > are not -- you have nothing to worry about from their DNS [1][2]. In > contrast, your ISP is probably selling your DNS queries to advertisers. > If you disagree, doesn't matter, because you're probably never going to > see this fallback. Michael, I think the issue here is not Google DNS vs ISP DNS, but internal DNS vs spilling it out to Google/Cloudflare. That said, if it really is an internal DNS and there are strong policies around it I assume that the perimeter or the local machine firewall will be configured to block UDP packets to port 53 to any other external servers ... This leaves out only some machines or some cases where a misconfiguration may cause this fallback to kick in. The occurrence is probably rare enough not to be a problem in practice at least from the pov of GDPR. Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
