nss-dns is all right. All you need to have is a DNS server with domain-configurable servers. Those are:

- unbound (with dnssec-trigger autoconfigured)
- dnsmasq
- systemd-resolved
- probably knot-resolver
- bind (not more difficult to reconfigure at runtime)

Maybe more. It is not about nss, because /etc/resolv.conf does not support any domain:server-ip tuples. It would work better with a local cache. resolved is not the only possibility. Just use /etc/resolv.conf set to localhost and configure forwarders in your server from NM (or networkd).
On 9/28/20 5:43 PM, Florian Weimer wrote:
> * Michael Catanzaro:
>
> > On Mon, Sep 28, 2020 at 5:18 pm, Florian Weimer <fweimer@redhat.com> wrote:
> >
> > > But the DNS view provided by the Red Hat VPN is what disables the centralized DNS resolvers in browsers in these configurations. The magic browser probe no longer fails with the change in DNS routing (which the proposal confusingly names “Split DNS”) because it goes out over the public Internet, where it is not filtered, unlike the Red Hat VPN.
> >
> > Hm, I'm pretty sure this is a Firefox-specific issue, right? Fedora's Firefox is patched to use system DNS, so it shouldn't matter for us. I'm not aware of any other browser that ignores system DNS; at least, I'm fairly certain Chrome and Epiphany will both never do this.
>
> It seems that you are right about Chromium:
>
> | We have no plans to support this approach. We believe that our
> | deployment model is significantly different from Mozilla's, and as a
> | result canary domains won't be needed.
>
> https://www.chromium.org/developers/dns-over-https
>
> However, you wrote earlier that “split DNS” is not available over nss_dns, so I think Chromium is still impacted because it uses the same interfaces that nss_dns would use in this mode (i.e., not nss_resolve).
>
> Thanks,
> Florian
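The arrangement described at the top of the thread (/etc/resolv.conf pointing at localhost, per-domain forwarders configured in a local caching server) as a dnsmasq configuration; this is an added example, not config from any poster, and the domain names and addresses in it are constructed placeholders:

```ini
# Added example: /etc/dnsmasq.conf fragment for a local caching resolver
# with per-domain forwarders. Domains and addresses are placeholders.
#
# /etc/resolv.conf on the host then contains only:
#     nameserver 127.0.0.1
# so every stub resolver (nss_dns, Chromium, curl, ...) talks to dnsmasq.

# Answer only on loopback; nothing on the LAN can use this cache.
listen-address=127.0.0.1
bind-interfaces

# Ignore /etc/resolv.conf for upstreams (it points back at us);
# upstream servers come from the server= lines below. NetworkManager's
# dnsmasq plugin generates equivalent lines per active connection.
no-resolv

# Default forwarder for everything not matched by a domain-specific rule.
server=192.0.2.53

# Split DNS: names under corp.example, and reverse lookups for the VPN
# range 10.8.0.0/16, go only to the resolver reachable over the tunnel.
# Queries for public names never touch the VPN resolver, and VPN-only
# names are never leaked to the public forwarder.
server=/corp.example/10.8.0.1
server=/8.10.in-addr.arpa/10.8.0.1

# Keep a local cache, as suggested above.
cache-size=10000
```

After reloading dnsmasq, `dig @127.0.0.1 host.corp.example` should be answered from 10.8.0.1 while `dig @127.0.0.1 example.org` goes to 192.0.2.53; `log-queries` in the same file shows which upstream each query was sent to.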