On Thu, Apr 16, 2020 at 4:18 pm, Tomas Mraz <tmraz(a)redhat.com> wrote:
> Trusted for what? I would expect corporate VPNs doing such tricks to
> monitor the user's internet traffic. Which does not mean the user is
> fully screwed with such a VPN if he, for example, uses a hardcoded
> configuration of a caching nameserver.
In Florian's scenario, one of the VPNs is actively malicious. E.g.
public-vpn.example.com tries to hijack DNS for
subdomain.corporation.example.com. It might actually be a realistic
attack scenario, but it's not something we should attempt to mitigate.

Anyway this goes both ways. As explained many times already, without
systemd-resolved, the VPN you connect to first gets all the DNS queries
currently. Normally users connect to public VPN first, then corporate
VPN second. That's broken. Splitting the DNS is just the right thing to
do. If you want the corporate VPN to see everything, then do not check
"use this VPN only for resources on its network" and it will get
everything (but then it needs to have capacity to really handle
everything!).
Michael
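As an added illustration of the split-DNS routing discussed in this thread (example code, not from the thread or from systemd-resolved itself), the following Python model applies per-link routing domains the way the reply describes: a query goes to the link with the longest matching routing domain, and a link that advertises `~.` (the default route) gets everything that no other link claims. The NetworkManager checkbox is modelled as "push only the VPN's own zone" versus "push the zone plus `~.`"; the link names, zones and query names are constructed, and DNS priorities and parallel querying are simplifications the model leaves out. `overlapping_claims` is a defender-side check that flags one link claiming a routing domain inside another link's zone, the overlap behind the hijack scenario mentioned above.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    domains: list = field(default_factory=list)  # routing domains; "~." marks a default route

def _norm(domain):
    return domain.lstrip("~").rstrip(".").lower()

def covers(domain, name):
    """True if routing domain covers `name` on a label boundary ("~." never matches here)."""
    d, n = _norm(domain), name.rstrip(".").lower()
    return d != "" and (n == d or n.endswith("." + d))

def route(links, name):
    """Links a query for `name` goes to: longest matching routing domain wins (ties share);
    with no match the query goes to every default-route ("~.") link. Simplified model."""
    best, winners = -1, []
    for link in links:
        for dom in link.domains:
            if covers(dom, name):
                if len(_norm(dom)) > best:
                    best, winners = len(_norm(dom)), [link.name]
                elif len(_norm(dom)) == best:
                    winners.append(link.name)
    return winners or [l.name for l in links if "~." in l.domains]

def vpn_link(name, zone, only_its_resources):
    """Assumed NetworkManager behaviour for a VPN: push its own zone as a routing domain,
    plus "~." unless "use this VPN only for resources on its network" is checked."""
    return Link(name, ["~" + zone] + ([] if only_its_resources else ["~."]))

def overlapping_claims(links):
    """(claimant, owner, domain) where a link claims a routing domain inside another link's zone."""
    found = []
    for a in links:
        for da in a.domains:
            for b in links:
                for db in b.domains:
                    if b is not a and _norm(da) != _norm(db) and covers(db, _norm(da)):
                        found.append((a.name, b.name, _norm(da)))
    return found

QUERIES = ["intranet.corporation.example.com", "www.example.org"]  # constructed sample names
def demo(public_only_its_resources):
    # Constructed setup: public VPN (tun0) connected first, corporate VPN (tun1) second.
    public = vpn_link("tun0", "public-vpn.example.com", public_only_its_resources)
    corp = vpn_link("tun1", "corporation.example.com", True)
    return {q: route([public, corp], q) for q in QUERIES}
```

With the public VPN unrestricted, `demo(False)` sends only the corporate zone to tun1 and everything else to tun0; with both VPNs restricted, `demo(True)` leaves the generic query for whatever non-VPN link carries the default route (none in this two-link model).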