On Tue, Sep 29, 2020 at 3:43 PM Lennart Poettering mzerqung@0pointer.de wrote:
On Di, 29.09.20 04:03, John M. Harris Jr (johnmh@splentity.com) wrote:
Search domains on VPNs are an indicator that these domains are handled by the VPN, that's why we use them also as routing domains. But this doesn't mean it's the *only* routing domains we use. We use the ones you configure, primarily. But since the concept didn't previously exist we make the best from what we have.
If you really must send DNS queries to both (which defeats the purpose of 'Split DNS'), then it may be better to just use the DNS server of the VPN when connected to VPN, then only check the LAN interface when the response is NXDOMAIN.
As mentioned in this thread already: this policy makes sense for some cases but not for others.
For example, if I have my laptop in my home wifi, connected to RH VPN, then there are some names resolvable only via the local DNS. Specifically: my router's, my printer's and my NAS' address. And there are other names only resolvable via RH VPN. systemd-resolved for the first time gives me a chance for this to just work: it will send requests to both the RH DNS servers and the local ones, and uses the first successful reply, or the last failed reply. And that's quite frankly awesome, because that *never* worked before.
So sending the requests to all available DNS servers in absence of better routing info is a great enabler: it makes DNS "just work" for many cases, including my own, and I doubt it's a particularly exotic one.
It is not an exotic one, but this behavior was in the past considered a vulnerability (information disclosure) [0]. Are we re-introducing it? I guess yes, and it can be that the benefits of it outweigh the vulnerability, but we should be explicit about it in our release notes.
[0]. CVE-2018-1000135 https://bugzilla.redhat.com/show_bug.cgi?id=1558238
Key, take-away here:
- Ideally we'd just route company DNS traffic to VPN, and everything else to local LAN DNS. But that requires explicit routing info to be configured, we cannot auto-detect this info (beyond some minor inference from the search domains)
Do we know which fedora shipped VPNs work well with split-dns and which will lead to leaking the web sites accessed?
regards, Nikos