How is DNS over TLS with NM supposed to work?

Hi,

I have noticed that recent NM has a connection.dnsovertls property. So far only systemd-resolved can use such a property. But I am lost somehow. DNS over TLS requires two things to connect securely: the IP address of the target and also the SNI name of the TLS certificate. That is needed to ensure I am not connecting to a man in the middle, but to the service I want. Of course a trusted CA certificate must provide such a certificate.

Now I have traveled on a train and realized everyone in the same carriage can see all my DNS queries. So I would like to use DNS over TLS at airports or on mass transit devices, in any public place in general. But I don't think it is necessary on my home or work networks, where I trust that no unwanted observer watches all my steps. So a per-connection setting would be great. However, what servers should it use when I set the per-connection setting to true?

I think NM does not accept a manual setting of the TLS name per IP. So I am unable to enter it in the NM connection settings. Is there some way I can tell systemd-resolve to sometimes use a predefined set of DNS over TLS servers, including the service name, but at other times accept anything DHCP supplies and not insist on using DNS over TLS? Of course there has to be a way to direct network-specific domains to local servers from DHCP (or manual), not to the global DoT upstream.

Is anything like that already implemented? Is the current state in NetworkManager-1.38.4 known to be incomplete and only a work in progress? Is it already formulated somewhere as a vision, how it should work once it is finished?

Cheers,
Petr

--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
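One way to get the split the post asks for today, as an added example that is not code from the original post, from NetworkManager or from systemd: the strict DoT upstreams, pinned by IP plus the name resolved verifies the certificate against (systemd-resolved's `ip#name` syntax), live in a resolved drop-in; a "public" NM profile turns on `connection.dnsovertls` and ignores the DHCP resolvers so only those pinned upstreams are used, while a "trusted" profile keeps DHCP resolvers and search domains with plain DNS. The server IPs and host names are constructed placeholders; the script assumes that resolved falls back to its global `DNS=` servers when NM hands a link none (`ipv4.ignore-auto-dns yes`), and it uses NM's `ipv4.ignore-auto-dns`/`ipv6.ignore-auto-dns` properties for that.

```shell
#!/bin/sh
# Added example, not code from the original post, NetworkManager or systemd.
# Two profiles: a "public" NM connection that turns on strict DNS over TLS and
# ignores the DHCP-supplied resolvers, so queries go only to the pinned
# upstreams in a resolved drop-in; a "trusted" profile that keeps DHCP
# resolvers and plain DNS. The IPs and host names are constructed placeholders.
# Assumption: when NM hands resolved no per-link servers, resolved uses the
# global DNS= servers from its configuration.

# Write a resolved.conf drop-in. Each upstream is given as ip#name: resolved
# sends the name as SNI and verifies the server certificate against it, so a
# spoofed resolver at the same IP is rejected rather than silently used.
write_resolved_dropin() {
    cat >"$1" <<'EOF'
[Resolve]
DNS=192.0.2.53#dot.example.net 2001:db8::53#dot.example.net
# Strict mode: fail closed instead of falling back to cleartext port 53.
DNSOverTLS=yes
EOF
}

# Return 0 if every DNS= upstream in the drop-in carries a '#name', 1 otherwise.
# Without a name there is nothing for the TLS layer to verify the certificate
# against, which defeats the point of strict mode.
check_dropin_names() {
    servers=$(sed -n 's/^DNS=//p' "$1")
    for srv in $servers; do
        case "$srv" in
            *#?*) ;;
            *) echo "upstream '$srv' has no TLS server name" >&2; return 1 ;;
        esac
    done
    return 0
}

# Run a command, or only print it when DRY_RUN is set, so profile changes can
# be reviewed before they are applied.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Switch one NM connection profile between the two modes.
#   public : connection.dnsovertls=yes, DHCP resolvers ignored (global DoT only)
#   trusted: connection.dnsovertls=no,  DHCP resolvers and search domains kept
set_profile_dot() {
    con="$1"
    case "$2" in
        public)  dot=yes; ignore=yes ;;
        trusted) dot=no;  ignore=no ;;
        *) echo "unknown mode '$2' (use public|trusted)" >&2; return 2 ;;
    esac
    run nmcli connection modify "$con" \
        connection.dnsovertls "$dot" \
        ipv4.ignore-auto-dns "$ignore" ipv6.ignore-auto-dns "$ignore"
}

# Typical use (as root), e.g.:
#   write_resolved_dropin /etc/systemd/resolved.conf.d/dot.conf
#   check_dropin_names /etc/systemd/resolved.conf.d/dot.conf \
#       && systemctl restart systemd-resolved
#   set_profile_dot airport-wifi public
#   set_profile_dot home-lan trusted
```

The trade-off this makes is the one the post hints at: on the public profile the DHCP search domains are dropped along with the DHCP resolvers, so names that only the local resolver knows will not resolve there, while on the trusted profile resolved keeps routing the link's search domains to the DHCP servers as usual. Run `set_profile_dot` with `DRY_RUN=1` first to see the exact `nmcli` invocation before changing a profile.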



