Announcement
Collapse
No announcement yet.
Fedora 33 Planning To Enable Systemd-Resolved By Default
Collapse
X
-
I am assuming this will break my own private DNS server and my own domain... so have to disable this in kickstart for good. I do not want a caching nameserver when I run my own DNS.
- Likes 2
-
Originally posted by Espionage724 View PostI can't be bothered to look it up
- Likes 2
Leave a comment:
-
Originally posted by doublez13 View Post
It's pretty nice to have a resolver that supports DNS over TLS natively available.
Leave a comment:
-
Guest repliedOriginally posted by CommunityMember View Post
Can you share the RHBZ# on the bug you opened on the issue?
- Likes 2
Leave a comment:
-
Originally posted by flux242 View Posti had to disable Systemd-Resolved years ago because it was leaking dns in case of a vpn connection
- Likes 1
Leave a comment:
-
Originally posted by Veerappan View PostIt also doesn't work with local network searches:
e.g.:
1. I have some DNS servers set up using dnsmasq on my home network.
2. My router uses those DNS servers for all static DHCP-based clients.
3. The machines on my network are configured with 'search mydomain.net' in /etc/resolv.conf so that I can easily resolve any hostname on the network without typing in a fully-qualified DNS name (I was sick of keeping /etc/hosts files synchronized between all of my machines).
4. systemd-resolved refuses to resolve any local names by appending the search suffix and querying my DNS servers. I've had to disable an otherwise workable DNS resolver because they refuse to fix this issue. https://github.com/systemd/systemd/issues/2514
- Likes 1
Leave a comment:
-
It also doesn't work with local network searches:
e.g.:
1. I have some DNS servers set up using dnsmasq on my home network.
2. My router uses those DNS servers for all static DHCP-based clients.
3. The machines on my network are configured with 'search mydomain.net' in /etc/resolv.conf so that I can easily resolve any hostname on the network without typing in a fully-qualified DNS name (I was sick of keeping /etc/hosts files synchronized between all of my machines).
4. systemd-resolved refuses to resolve any local names by appending the search suffix and querying my DNS servers. I've had to disable an otherwise workable DNS resolver because they refuse to fix this issue. https://github.com/systemd/systemd/issues/2514
- Likes 2
Leave a comment:
-
SystemD is a secret project born in the secret chambers of NSA. Mark my words
- Likes 2
Leave a comment:
-
Originally posted by Spam View PostWhat problem is resolvd fixing?
you dont have a tool modifying stuff in the admin directory (discovered DNS servers/domain),
settings can be provided by the network link configuration.
Many more I guess.
- Likes 2
Leave a comment:
-
From proposal :
When systemd-resolved is enabled, users who use multiple VPNs at the same time will notice that DNS requests are now sent to the correct DNS server by default. Previously, this scenario would result in embarrassing "DNS leaks" and, depending on the order that the VPN connections were established, possible failure to resolve private resources. These scenarios will now work properly. For example, consider the scenario of Distrustful Denise, who (quite reasonably) does not trust her ISP. Denise uses a public VPN service, public-vpn.example.com, to hide her internet activity from her ISP, but she also needs to use her employer's corporate VPN, corporation.example.com, in order to access internal company resources while working from home. Using the Network panel in System Settings, Denise has configured her employer's VPN to "use this connection only for resources on its network." Distrustful Denise expects that her employer's VPN will receive all traffic for corporation.example.com, and no other traffic. And while this mostly works in Fedora 32, she discovers that it does not work properly for DNS:- If Denise connects to public-vpn.example.com first and corporation.example.com second, she is unable to access internal company resources. All DNS requests are sent to public-vpn.example.com's DNS server, so she is unable to resolve names for internal company websites.
- If Denise connects to corporation.example.com first and public-vpn.example.com second, then she is able to access internal company resources. However, it only works because all her DNS requests are sent to corporation.example.com's DNS server. Sadly for Distrustful Denise, her employer discovers that she has been making some embarrassing DNS requests that she had expected to go through public-vpn.example.com instead.
Whichever VPN Denise connects to first receives all DNS requests because glibc's nss-dns module is not smart enough to split the requests. /etc/resolv.conf is just a list of DNS servers to try in order, and NetworkManager has no plausible way to decide which to list first, because both ways are broken, so it just prefers whichever was connected first. And if one server fails to respond, then the next server in the list will be tried, likely resulting in a DNS leak. In contrast, when systemd-resolved is enabled, it will send each DNS request only to the correct DNS server. The DNS server that will be used for each tun interface can be inspected using the resolvectl tool.
Migrating away from /etc/resolv.conf will also avoid an annoying footgun with this legacy file: only the first three listed nameservers are respected. All further nameservers are silently ignored. NetworkManager adds a warning comment when writing more than three nameservers to this file, but it cannot do any better than that.
- Likes 12
Leave a comment:
Leave a comment: