On Mo, 22.02.21 09:45, Michael Catanzaro (mcatanzaro@xxxxxxxxx) wrote:

> On Mon, Feb 22, 2021 at 12:05 pm, Tomasz Torcz <tomek@xxxxxxxxxxxxxx> wrote:
> > 3) Configure DNS resolvers if you want to use DNS.
> > Or dig deeper: why cloud-init disabled DNS on your installation?
>
> I'm pretty sure cloud-init just doesn't know how to configure
> systemd-resolved at all. So I suspect this is a cloud-init bug. See:
> https://pagure.io/fedora-server/issue/10.
>
> I have no strong opinion on whether the fallback should have been removed or
> not. The fallback was only hiding the real problem, after all.

BTW, just to say this clearly: I think this argument is bogus and very
user-unfriendly. I think it's generally better to complain to the logs and
still make things work automatically with a fallback than to just say
"Nope, I was given invalid configuration and now I refuse to work". Because
originally this is what resolved did: we had a last-resort fallback to
provide DNS via a bunch of public DNS servers if nothing else is available,
and we log if we are given invalid config. We use the fallback only as the
ultimate fallback, when the other option is to not work at all.

The thing is that if DNS is fucked, then this is a pretty nasty problem: you
need an extremely high level of understanding of computers to be able to fix
this. And you can't even get help, because, well, your DNS is down, you are
not getting online. Hence, it's inherently a *good* thing to have a fallback
in place, and I think it's a disservice to users to turn this off, as it
makes systems much harder to fix.

And yeah, call me a hypocrite, but if I have the choice between having no
Internet at all or using some public DNS servers for DNS, and leaking a tiny
bit of information to those DNS server providers, then I definitely prefer
to have Internet, thank you very much.

One could even go further: the privacy level using those public DNS servers
might actually be higher than using the DHCP-provided ones in many cases,
simply because we can use DoT on the former (admittedly not yet the default
in resolved though, but hopefully soon), but almost never can on the latter,
and what's worse, the latter are usually provided by crappy edge networks
like Internet Cafés and such, where the fact that we send stuff unencrypted
is just awful.

Now, Fedora made its choice here, and I'll accept that, but I still think
it's a bad one, that trades a misunderstood concept of privacy against a
major step forward in user-friendliness. I.e. I am not sure it's a good
choice to limit Fedora's userspace needlessly to people who can fix their
DNS configuration. It's a pretty tiny elite group of people to be in, after
all...

(Oh, and I don't appreciate those people at all who claim that "resolved
sends all DNS lookups to Google", because it's a lie: we never did that, we
only did that in case no better DNS configuration was available, i.e. as
*last* *resort*, one step before giving up entirely).

Lennart

--
Lennart Poettering, Berlin
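The two positions in this thread are not actually at odds operationally: keep a last-resort fallback so the box stays reachable, but make it visible when a host is silently running on it, because that is the sign that cloud-init or DHCP left the real DNS configuration empty. The following is an added example (not part of this mail, not systemd code) that parses `resolvectl status` text and reports whether a host has real DNS servers, is relying only on `FallbackDNS=`, or has no DNS at all. It assumes the output uses the `Global` / `Link N (ifname)` section headers and the `DNS Servers:` and `Fallback DNS Servers:` labels as in systemd 247-era output (indentation varies by version); the sample outputs embedded below are constructed for the demonstration.

```python
import re

# Constructed samples of `resolvectl status` output (assumption: labels and
# section headers as in systemd ~247; exact indentation differs by version).
SAMPLE_FALLBACK_ONLY = """\
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google

Link 2 (eth0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
"""

SAMPLE_CONFIGURED = """\
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.0.2.53
       DNS Servers: 192.0.2.53
                    192.0.2.54
"""

SAMPLE_NOTHING = """\
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: none
"""

_SECTION_RE = re.compile(r"^(Global|Link \d+ \(\S+\))\s*$")
_SERVERS_RE = re.compile(r"^\s*(Fallback DNS Servers|DNS Servers):\s*(.*)$")


def parse_status(text):
    """Return {section: {"dns": [...], "fallback": [...]}} from status text."""
    sections = {}
    current = None
    last_key = None  # server list that an indented continuation line extends
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"dns": [], "fallback": []}
            last_key = None
            continue
        if current is None:
            continue
        m = _SERVERS_RE.match(line)
        if m:
            last_key = "fallback" if m.group(1).startswith("Fallback") else "dns"
            sections[current][last_key].extend(m.group(2).split())
            continue
        # resolvectl wraps long server lists onto indented, label-less lines.
        if last_key and line.strip() and ":" not in line:
            sections[current][last_key].extend(line.split())
            continue
        last_key = None  # any other labelled or blank line ends the list
    return sections


def classify(sections):
    """'configured' if any real server is set (global or per-link),
    'fallback' if only FallbackDNS= servers exist, else 'none'."""
    if any(s["dns"] for s in sections.values()):
        return "configured"
    fallback = sections.get("Global", {}).get("fallback", [])
    return "fallback" if fallback else "none"


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["resolvectl", "status"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_FALLBACK_ONLY  # offline demo on the constructed sample
    print(classify(parse_status(out)))
```

A "fallback" verdict is the case this thread is about: resolution works, but only through the public servers, so the DHCP/cloud-init side needs fixing. The knobs themselves live in resolved.conf(5): `FallbackDNS=` (empty to disable the fallback, which is what the Fedora change amounts to) and `DNSOverTLS=opportunistic` or `yes` for the DoT behaviour mentioned above.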