Re: Default 'fedora' hostname and failing split DNS VPN

On 3/25/21 7:30 AM, Petr Menšík wrote:
> Hi,
>
> I would guess your domainname is not (none), and the hostname -f value is
> fedora.domain_failing.tld. One of the fixes might be to change the hostname
> of the machine to not contain the domain suffix. Then only the explicitly
> configured search would apply.

No:

# hostname -f
fedora

> On 3/25/21 2:51 AM, Robert Marcano via devel wrote:
>> Currently I am connecting to a VPN that provides a few DNS search
>> entries. One of these domains on the search path is having DNS
>> resolution problems. This is not per se the problem I am writing
>> this email for.
>>
>> The problem is that starting Firefox and Thunderbird takes a long time;
>> it took time to detect that the DNS resolution problem was the origin of
>> these timeouts. I am not using the domain that is having resolution
>> problems.
> Would dig fedora.domain_failing.tld take long before the VPN is
> established? Does it time out when connecting or after it is connected?
> A timeout might mean some of the connection-provided servers do not respond
> or the route to them does not work. Even searches should mean just more
> packets, not a visibly longer delay.

It doesn't take long, because fedora.domain_failing.tld fails fast on the
default network DNS; domain_failing.tld is a domain only available on the
VPN.

>> The real culprit is the default `fedora` hostname, instead of localhost.
>> Starting a Wireshark capture, there are DNS searches for
>> fedora.domain_failing.tld when starting Firefox and Thunderbird. The
>> presence of the search path in the generated /etc/resolv.conf isn't the
>> cause of these DNS searches; I edited them out while the VPN was still
>> active.
> Try not commenting it out, but override the default system value in
> /etc/resolv.conf:
> search .

>> Even 'ping fedora' starts doing these searches with the search paths
>> appended. 'ping localhost' doesn't do that. The only workaround to this
>> issue is to add fedora to the localhost entries in /etc/hosts.
> That would likely be because localhost is in /etc/hosts, read by files
> in nsswitch. But DNS queries (if systemd-resolved is disabled) are
> configured by /etc/resolv.conf.

>> This in some way is a DNS leak: even on a VPN with perfectly working DNS
>> resolution, the fedora name should not be searched on these domains
>> unless I am using the fedora full hostname on these domains. Even worse
>> when simply starting applications like Firefox or Thunderbird.
> Are you sure you do not have the hostname set to an FQDN? Have you tried
> setting it to a relative name (no dots)?

>> Maybe changing the default hostname to fedora wasn't a good idea after
>> all, or at least fedora should be added to the default /etc/hosts.
> It should not be necessary unless an FQDN is used as the hostname. The
> "fedora" value should be completely OK. But I guess even when connecting to
> a VPN, it should not time out. DNS settings should be changed only after
> the VPN is connected and ready to forward packets. Are you sure no IP range
> conflicts with the DNS servers in use?
>
> Cheers,
> Petr
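The mechanism the two of them are circling (why a bare `fedora` becomes `fedora.domain_failing.tld` on the wire, why `search .` stops it, and why putting `fedora` in `/etc/hosts` avoids DNS altogether) can be shown with a small simulator of a glibc-style stub resolver following `hosts: files dns`. This is an added example, not code from either participant or from Fedora; the `/etc/hosts` and `/etc/resolv.conf` contents, the `10.0.0.1` nameserver and the second search domain `corp.example` are constructed, and the hostname-derived search domain follows the classic resolver rule Petr refers to (domain taken from the part of the FQDN after the first dot).

```python
"""Added example: simulate which DNS queries a glibc-style stub resolver
would emit for a short name, given /etc/hosts and /etc/resolv.conf.
Not code from the thread; all file contents below are constructed."""
import re

# Constructed sample of what a VPN client might write to /etc/resolv.conf.
# corp.example is an assumed second search domain; domain_failing.tld is
# the unreachable one named in the thread.
VPN_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
search corp.example domain_failing.tld
nameserver 10.0.0.1
"""

# The override suggested in the thread: a search list containing only the root.
ROOT_ONLY_RESOLV_CONF = "search .\nnameserver 10.0.0.1\n"

# Stock-looking /etc/hosts versus one with the workaround from the thread.
DEFAULT_HOSTS = "127.0.0.1 localhost localhost.localdomain\n::1 localhost\n"
PATCHED_HOSTS = "127.0.0.1 localhost localhost.localdomain fedora\n::1 localhost fedora\n"


def parse_resolv_conf(text, hostname="fedora"):
    """Return (search list, ndots) as the resolver would see them."""
    search, ndots = [], 1
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            search = args          # the last search/domain line wins
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = int(m.group(1))
    if not search and "." in hostname:
        # No search/domain line: the search domain is derived from the
        # host's FQDN (everything after the first dot), which is why a
        # dotted hostname alone can cause suffixed queries.
        search = [hostname.split(".", 1)[1]]
    return search, ndots


def dns_query_candidates(name, search, ndots=1):
    """Names the stub resolver will try, in order, for `name`."""
    if name.endswith("."):
        return [name]              # already fully qualified, never expanded
    absolute = name + "."
    expanded = []
    for suffix in search:
        suffix = suffix.strip(".")
        # "search ." yields an empty suffix, i.e. only the root is searched.
        expanded.append(absolute if not suffix else f"{name}.{suffix}.")
    # With fewer than ndots dots, the search list is tried before the literal name.
    order = [absolute] + expanded if name.count(".") >= ndots else expanded + [absolute]
    return list(dict.fromkeys(order))  # dedupe while keeping order


def lookup_plan(name, hosts_text, resolv_text, hostname="fedora"):
    """Follow nsswitch 'hosts: files dns': answer from /etc/hosts if
    present, otherwise return the DNS queries that would go on the wire."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name in fields[1:]:
            return ("files", fields[0])
    search, ndots = parse_resolv_conf(resolv_text, hostname)
    return ("dns", dns_query_candidates(name, search, ndots))


if __name__ == "__main__":
    for label, hosts, resolv in [
        ("VPN, stock /etc/hosts", DEFAULT_HOSTS, VPN_RESOLV_CONF),
        ("VPN, 'search .' override", DEFAULT_HOSTS, ROOT_ONLY_RESOLV_CONF),
        ("VPN, fedora in /etc/hosts", PATCHED_HOSTS, VPN_RESOLV_CONF),
    ]:
        print(f"{label:28s} -> {lookup_plan('fedora', hosts, resolv)}")
```

Running it shows the three situations from the thread side by side: with the VPN search list and a stock hosts file, resolving `fedora` first sends `fedora.corp.example.` and `fedora.domain_failing.tld.` to the VPN resolver before the bare name is tried; with `search .` only `fedora.` goes out; with `fedora` added to `/etc/hosts` the `files` source answers and no DNS query is made at all, which is the workaround described above.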

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
