On Wed, Sep 30, 2020 at 03:14:10PM +0200, Graham Leggett wrote:
> I am required by these regulations and many other regulations in multiple jurisdictions to make sure my users comply. If you have gone out of your way to break secure operation on Fedora, we will have to ban the use of Fedora by our users. I do not want to do that.
Then don't ban them, and do your job instead?
The fact of the matter is that using out-of-the-box Fedora configurations *today* can leak "private" DNS queries, and if VPNs are in use, it is a virtual certainty.
To make Fedora "Compliant" using your definition, one already has to adjust the system configuration. This new approach, at worst, requires a slightly different configuration change to achieve the same results.
> As I said, this is not a technical discussion. You need to defer this to compliance people, who I predict will simply tell you “comply”.
My $dayjob is headquartered in Europe and is in a _highly_ regulated, risk-averse industry, with compliance officers coming out of the woodwork. Suffice it to say that what it means to "Comply" is highly context-sensitive.
But you are correct, this is not a problem that can be solved via technical means -- Many legitimate use cases have diametrically-opposed needs, and there is no way for Fedora to know out-of-the-box which use case should apply as the general default. Moreover, at the granularity of specific DNS lookups, the general default can easily be wrong.
- Solomon