Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

On Thu, 2020-10-01 at 09:03 -0500, Michael Catanzaro wrote:
> On Thu, Oct 1, 2020 at 3:32 pm, Marius Schwarz <fedoradev@xxxxxxxxxxxx> 
> wrote:
> > I think, he meant the systemd-resolved fallback to Cloudflare and
> > Google. Is that in the fedora build? If so, I suggest to patch it out.
> > That will fix the issue for me in perspective of the GDPR.
> 
> Unless you explain this *very* clearly, I'm going to ignore it, because 
> it seems farfetched. Fedora is not operating its own DNS server or 
> collecting any sort of DNS-related data from you.
> 
> We are not going to patch out fallback to Cloudflare or Google because 
> it is a non-issue. Fallback only happens when you have zero other DNS 
> servers configured. When was the last time you connected to a network 
> and there's no DHCP, no nothing? The number of users without some other 
> working DNS is probably under 0.1%. Even then, I think you also have to 
> disable NetworkManager for systemd-resolved to ever use its fallback 
> DNS, because NetworkManager will configure a ~. DNS domain, causing 
> systemd-resolved to never use its global DNS settings. (I think. That's 
> my reading of the manpage. Testing welcome from anyone who wants to 
> confirm that.)
> 
> So (if I'm right) we are talking about the exceeding rare combination 
> of (a) no DNS set by DHCP, and also (b) user manually disabled 
> NetworkManager. If you're really going to do (b) you will probably also 
> disable systemd-resolved, right? Or make the one-line config file 
> change to remove the fallback DNS? Or just manually set some DNS 
> server? Seriously, this is a silly thing to worry about.
> 
> Finally, in the extremely unlikely event you do somehow wind up with 
> Cloudflare and Google DNS, then you should *celebrate*, because they 
> have extremely strong privacy policies for their DNS. Unless you think 
> they are just lying about their data collection practices -- which they 
> are not -- you have nothing to worry about from their DNS [1][2]. In 
> contrast, your ISP is probably selling your DNS queries to advertisers. 
> If you disagree, doesn't matter, because you're probably never going to 
> see this fallback.

Michael,
I think the issue here is not Google DNS vs ISP DNS, but internal DNS
vs spilling it out to Google/Cloudflare.

That said,
if it really is an internal DNS and there are strong policies around it
I assume that the perimeter or the local machine firewall will be
configured to block UDP packets to port 53 to any other external
servers ...

This leaves out only some machines or some cases where a
misconfiguration may cause this fallback to kick in. The occurrence is
probably rare enough not to be a problem in practice, at least from the
point of view of GDPR.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
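The two controls the thread converges on are (a) confirming whether a host has any DNS server configured at all, since FallbackDNS= is only consulted when it has none, and (b) the firewall rule Simo describes, which keeps a misconfigured host from ever reaching an external resolver. The script below is an added example, not code from the thread or from the systemd or Fedora projects. It parses constructed `resolvectl status` output (the two samples are made up for the example, and 10.0.0.53 is a hypothetical internal resolver), emits the resolved.conf drop-in that empties the compiled-in fallback list, and emits an nftables fragment that restricts DNS egress to the internal resolver. It blocks 53/tcp as well as 53/udp, which Simo does not mention, because resolvers retry over TCP on truncation.

```shell
#!/bin/sh
# Added example: audit the systemd-resolved FallbackDNS case and show the
# two hardening steps for a site with an internal-only DNS policy.

# Constructed sample output of `resolvectl status` for a host with no DNS
# server on any link and none configured globally. This is the only state
# in which systemd-resolved consults FallbackDNS=.
SAMPLE_NO_DNS='Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google

Link 2 (eth0)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported'

# Constructed sample for the normal NetworkManager-managed case: a per-link
# DNS server plus the ~. routing domain Michael refers to.
SAMPLE_WITH_DNS='Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google

Link 2 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.53
       DNS Servers: 10.0.0.53
        DNS Domain: ~.'

configured_dns_servers() {
    # Print every address systemd-resolved would actually query, one per
    # line. Anchoring on "DNS Servers:" at the start of the (indented) line
    # excludes both "Fallback DNS Servers:" and "Current DNS Server:".
    printf '%s\n' "$1" | awk '
        /^ *DNS Servers:/ {
            sub(/^ *DNS Servers: */, "")
            for (i = 1; i <= NF; i++) print $i
        }'
}

fallback_would_be_used() {
    # True (exit 0) when no DNS server is configured globally or on any
    # link, i.e. when the compiled-in FallbackDNS list would be used.
    [ -z "$(configured_dns_servers "$1")" ]
}

resolved_dropin() {
    # Drop-in for /etc/systemd/resolved.conf.d/. An empty FallbackDNS=
    # clears the built-in fallback list (see resolved.conf(5)).
    cat <<'EOF'
[Resolve]
FallbackDNS=
EOF
}

nft_dns_egress_rules() {
    # nftables fragment: allow DNS only to the internal resolver given as
    # $1 (hypothetical address), drop every other 53/udp and 53/tcp flow.
    cat <<EOF
table inet dns_policy {
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr $1 udp dport 53 accept
        ip daddr $1 tcp dport 53 accept
        udp dport 53 drop
        tcp dport 53 drop
    }
}
EOF
}

# Demonstration on the two constructed samples.
for status in "$SAMPLE_NO_DNS" "$SAMPLE_WITH_DNS"; do
    if fallback_would_be_used "$status"; then
        echo "no DNS servers configured: FallbackDNS would be used"
    else
        echo "DNS servers configured: $(configured_dns_servers "$status" | tr '\n' ' ')"
    fi
done

echo "--- /etc/systemd/resolved.conf.d/no-fallback.conf ---"
resolved_dropin
echo "--- nftables DNS egress policy ---"
nft_dns_egress_rules 10.0.0.53
```

On a real host, replace the samples with `resolvectl status`, write the drop-in and run `systemctl restart systemd-resolved`, then load the nftables fragment with `nft -f`. The egress rule is what makes the residual misconfiguration Simo mentions harmless: if a host does land in the no-DNS state, its fallback queries are dropped locally instead of leaving the perimeter.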



_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx