On Fri, 2020-10-02 at 00:50 +0200, Marius Schwarz wrote:
> On 01.10.20 at 19:36, Simo Sorce wrote:
> > That said,
> > if it really is an internal DNS and there are strong policies around it
> > I assume that the perimeter or the local machine firewall will be
> > configured to block UDP packets to port 53 to any other external
> > servers ...
> >
> > This leaves out only some machines or some cases where a
> > misconfiguration may cause this fallback to kick in. The occurrence is
> > probably rare enough not to be a problem in practice, at least from the
> > pov of GDPR.
> You know that you contradict yourself here? :)
>
> If the corp has blocked port 53 except for the internal DNS server, how
> should the fallback packet get out?

It will not, that's the point, I do not see any contradiction.

> I think it's not important how often the default is used, it's the fact
> that it's hidden and therefore surprising for the corp itself,
> which makes it even more risky to run the OS than it's worth giving (or
> in your example not giving) the 0.1% a fallback answer.

I guess then corporations will immediately ban both Microsoft Windows and
Apple MacOS because they connect to the respective motherships as well as
dozens of other random IP addresses all the time ...

> IRL admins who know about it, as we all do now, can avoid the
> problem. But for a company which has to justify the surprising result
> of a DP audit, it will not be an easy talk with the DP office. Just for
> the lols, I will ask our highest federal DP advocate tomorrow what he
> thinks about this.

IRL any admin knows that there is the potential for a networked machine
to connect to random places; if they have a concern about that they take
appropriate measures to prevent it, either via firewalling or by
enforcing specific configurations.

I am not thrilled by this fallback either, but I think there are enough
assurances that in any reasonably configured (and functional) network
this fallback will not be triggered, and therefore there isn't a
persistent privacy leak threat to be concerned about.

But both mine and yours are opinions, and I am pretty sure Fedora will do
what's needed if there is some judicial determination that binds this
specific kind of issue one way or another.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
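The egress control Simo points to as the assurance against this fallback (the local machine firewall blocking DNS to anything but the internal server), written out as an added example that is not part of the thread and not Fedora's or systemd's own configuration. It is an nftables ruleset for the host itself: port 53 is permitted only to the internal resolver, and every other DNS-looking packet is logged with a fixed prefix and dropped, so a fallback query that does fire shows up in the kernel log instead of quietly leaving the network, which addresses the "hidden and therefore surprising" concern above. The resolver address 10.0.0.53 is a constructed placeholder. The rule also covers TCP/53 and DNS over TLS on 853, which goes beyond the UDP/53 the thread mentions; both are ordinary resolver transports.

```sh
#!/bin/sh
# Added example (not from the thread): confine outbound DNS on an nftables host
# to one internal resolver and make anything else visible in the logs.
# Assumptions, constructed for the example: the internal resolver is 10.0.0.53
# and the host has nftables (nft) installed.

# Print an nftables ruleset that allows DNS only to the given resolver.
# Usage: dns_egress_ruleset <ipv4-of-internal-resolver>
dns_egress_ruleset() {
    resolver="$1"
    # The address is spliced into a ruleset, so accept only a dotted quad;
    # anything else (including attempts at injecting extra nft statements) fails.
    if ! printf '%s' "$resolver" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "dns_egress_ruleset: '$resolver' is not an IPv4 address" >&2
        return 1
    fi
    cat <<EOF
table inet dns_egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # The only permitted DNS destination: the internal resolver, UDP and TCP.
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept

        # Every other DNS or DNS-over-TLS destination is logged with a fixed
        # prefix (grep for it in the kernel log) and dropped.
        meta l4proto { udp, tcp } th dport { 53, 853 } log prefix "dns-egress-blocked: " drop
    }
}
EOF
}

# Load the ruleset atomically into the running kernel. Needs root.
# 'nft -c -f -' instead of 'nft -f -' only checks the syntax without loading.
apply_dns_egress_ruleset() {
    dns_egress_ruleset "$1" | nft -f -
}
```

After `apply_dns_egress_ruleset 10.0.0.53`, a deliberate probe such as `dig @9.9.9.9 example.com +time=2` should time out and leave a `dns-egress-blocked:` line in `journalctl -k`, while queries to 10.0.0.53 keep working. Note the policy is `accept` with a targeted drop rather than a default-deny chain, so it can be added to a host without disturbing any other firewall rules; if the organisation also runs the perimeter firewall Simo mentions, the same allow-list belongs there as the second layer.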