On Wed, Apr 15, 2020 at 5:06 pm, Lennart Poettering <mzerqung@0pointer.de> wrote:
> If RH VPN configures "redhat.com" as search domain for their VPN then this means all redhat.com traffic is automatically pulled over to the VPN and will not be routed elsewhere anymore.

In particular: current behavior is that redhat.com queries will leak to public DNS if the user connects to the public VPN first, which is the usual case, especially for anyone who configures public VPN to autoconnect on startup. So the status quo is really not secure at all. Yes, it will break the sinkholing for lookalike domains, but on balance I would say that getting the right DNS queries to the right servers is more important for security overall.