On Wed, 2020-04-15 at 10:02 -0500, Michael Catanzaro wrote:
On Wed, Apr 15, 2020 at 1:38 pm, Florian Weimer fweimer@redhat.com wrote:
Not sure if that's compatible with the new split DNS model because VPN1 could simply start pushing longer names in the scope of VPN2, thus hijacking internal traffic there (and this sort of hijacking is exactly what a DNS sinkhole against typosquatting would need).
You deserve bonus points for thinking like an attacker and exploring the security model, but let's assume the configured VPNs are trusted. Otherwise the user is screwed no matter what. ;)
Trusted for what? I would expect corporate VPNs doing such tricks to monitor the user's internet traffic. Which does not mean the user is fully screwed with such VPN if he for example uses hardcoded configuration of a caching nameserver.