On Wed, Apr 15, 2020 at 1:38 pm, Florian Weimer <fweimer(a)redhat.com>
wrote:
Not sure if that's compatible with the new split DNS model
because
VPN1
could simply start pushing longer names in the scope of VPN2, thus
hijacking internal traffic there (and this sort of hijacking is
exactly
what a DNS sinkhole against typosquatting would need).
You deserve bonus points for thinking like an attacker and exploring
the security model, but let's assume the configured VPNs are trusted.
Otherwise the user is screwed no matter what. ;)