On Mon, Sep 28, 2020 at 11:56 am, Paul Wouters <paul(a)nohats.ca> wrote:
> And that's why DNS-Over-TLS (DoT) and DNS-over-HTTPS (DoH) are now
> being deployed. And why browsers are, contrary to Michael Catanzaro's
> wrong claim, overriding the system DNS already. See Mozilla's TRR
> program https://wiki.mozilla.org/Trusted_Recursive_Resolver and
> Google's chrome https://www.chromium.org/developers/dns-over-https

Florian just linked to that same chromium.org page as evidence that
Chrome is not ignoring system DNS. :) Indeed, if you read the page,
they're only using DNS over HTTPS (DoH) if system DNS matches a
hardcoded list of providers that support DoH. So I believe I'm correct
to say that only Firefox is doing that... and we have already patched
Firefox to not do that.

Similarly, systemd-resolved will allow us to enable DNS over TLS (DoT)
systemwide for supported providers. That's not enabled in F33, but I
think we should flip the default for F34.

> What we do not need is systemd-resolved making up its own incompatible
> and unsuspected protocols.

Now I'm lost. What are you talking about...?
Better standardization for captive portals seems good, but I'm not sure
what this has to do with the systemd-resolved change?