* Michael Catanzaro:
On Mon, Sep 28, 2020 at 5:18 pm, Florian Weimer fweimer@redhat.com wrote:
But the DNS view provided by the Red Hat VPN is what disables the centralized DNS resolvers in browsers in these configurations. The magic browser probe no longer fails with the change in DNS routing (which the proposal confusingly names “Split DNS”) because it goes out over the public Internet, where it is not filtered, unlike the Red Hat VPN.
Hm, I'm pretty sure this is a Firefox-specific issue, right? Fedora's Firefox is patched to use system DNS, so it shouldn't matter for us. I'm not aware of any other browser that ignores system DNS; at least, I'm fairly certain Chrome and Epiphany will both never do this.
It seems that you are right about Chromium:
| We have no plans to support this approach. We believe that our
| deployment model is significantly different from Mozilla's, and as a
| result canary domains won't be needed.
https://www.chromium.org/developers/dns-over-https
However, you wrote earlier that “split DNS” is not available over nss_dns, so I think Chromium is still impacted because it uses the same interfaces that nss_dns would use in this mode (i.e., not nss_resolve).
Thanks, Florian