Hi, there is currently a large thread in devel discussing the implementation of systemd-resolved for resolving DNS. As part of that I read this:
This is not the reality I live in though. New-style high level programming languages tend to avoid being just a wrapper around C APIs. And thus they implement minimal DNS clients themselves, ignoring the LLMNR, mDNS and so on.
Not just for DNS. For SMTP, HTTP, etc.
The modern way of coding apps is minimal marginally-compliant and secure built-in network client (so things sort of work on the dev system and in CI/CD unit tests), with the OS interposing a full-featured protocol proxy in “production” deployments.
For me, the implication of that is that I am no longer in control of DNS, etc. If some program has hard coded DNS servers, they bypass everything and just ignore system settings. Am I understanding correctly?
If I'm not, great, I'm happy. If I am, though, how do I take back control? I have turned off NetworkManager control of DNS and use a simple caching resolver, knot-resolver. Am I OK, since all DNS access has to go through that resolver, with my configured DNS servers?
In particular, I'm thinking about Firefox, since as part of that thread it emerged that browsers are including their own DNS clients with things like DoH and DoT. Before I start knot-resolver, Firefox cannot reach the web. Is that an indication that it does, in fact, use my DNS resolver?
On Tue, 29 Sep 2020 08:29:33 -0700 stan via users wrote:
There is currently a large thread in devel discussing the implementation of systemd-resolved for resolving DNS.
I hope I'll still be able to disable and mask systemd-resolved by the time they finish all their improvements.
On 2020-09-29 23:29, stan via users wrote:
For me, the implication of that is that I am no longer in control of DNS, etc. If some program has hard coded DNS servers, they bypass everything and just ignore system settings. Am I understanding correctly?
You're not understanding it correctly.
There are FallbackDNS servers defined. But, these are only used in the event that a user fails to configure DNS servers or a broken DHCP server fails to supply DNS servers to the system.
If I'm not, great, I'm happy. If I am, though, how do I take back control?
FWIW, systemd-resolved.service is enabled by default starting in F33. I believe an upgrade to F33 will also enable this.
However, you can always easily restore the previous behavior with Network Manager:

sudo rm -f /etc/resolv.conf
sudo ln -sf /run/NetworkManager/resolv.conf /etc/resolv.conf
sudo systemctl disable --now systemd-resolved.service
sudo systemctl mask systemd-resolved.service
sudo systemctl reboot
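As an added example (not part of Ed's reply, and not Fedora's or systemd's own tooling): a small POSIX shell script that reports which component owns /etc/resolv.conf and what kind of resolver its nameserver lines point at. That is the check to run after the steps above, or with a local knot-resolver as in the original question, to confirm where lookups actually go. The symlink targets it recognises are the documented systemd-resolved and NetworkManager locations; the sample resolv.conf contents are constructed, not captured from a real system.

```shell
#!/bin/sh
# Classify how /etc/resolv.conf is wired: systemd-resolved stub, a local
# caching resolver such as knot-resolver, or upstream servers written by
# NetworkManager. Added example for this thread.

# Map the symlink target of /etc/resolv.conf to the component that owns it.
# Argument: the target path as printed by `readlink`, or "" for a plain file.
resolv_owner() {
    case "$1" in
        /run/systemd/resolve/stub-resolv.conf) echo "systemd-resolved stub" ;;
        /run/systemd/resolve/resolv.conf)      echo "systemd-resolved upstream list" ;;
        /run/NetworkManager/resolv.conf)       echo "NetworkManager" ;;
        "")                                    echo "static file" ;;
        *)                                     echo "other: $1" ;;
    esac
}

# Classify a resolv.conf by its nameserver lines. Prints one of:
#   stub      127.0.0.53 only (the systemd-resolved stub listener)
#   local     loopback only, not .53 (a local caching resolver)
#   upstream  at least one non-loopback server (takes precedence)
#   none      no nameserver lines at all
resolv_mode() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    loop=0; stub=0; up=0
    # Keep only "nameserver X" lines, dropping the keyword and any comment.
    for ns in $(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$file"); do
        case "$ns" in
            127.0.0.53) stub=1 ;;
            127.*|::1)  loop=1 ;;
            *)          up=1 ;;
        esac
    done
    if [ "$up" -eq 1 ]; then echo upstream
    elif [ "$stub" -eq 1 ] && [ "$loop" -eq 0 ]; then echo stub
    elif [ "$loop" -eq 1 ]; then echo local
    else echo none
    fi
}

# Constructed samples (not from any real machine).
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$tmp/stub.conf"
printf '# knot-resolver\nnameserver 127.0.0.1\nnameserver ::1\n' > "$tmp/local.conf"
printf 'nameserver 192.0.2.1\nnameserver 127.0.0.1\n' > "$tmp/upstream.conf"
for f in stub local upstream; do
    echo "$f.conf -> $(resolv_mode "$tmp/$f.conf")"
done
rm -rf "$tmp"

# The live system, when present.
if [ -e /etc/resolv.conf ]; then
    echo "/etc/resolv.conf owner: $(resolv_owner "$(readlink /etc/resolv.conf || true)")"
    echo "/etc/resolv.conf mode:  $(resolv_mode /etc/resolv.conf)"
fi
```

If the owner is "NetworkManager" and the mode is "upstream", Ed's steps took effect; if the mode is "local", whatever listens on the loopback address (knot-resolver in stan's setup) is the only path lookups take, and its own forwarder configuration is what decides the upstream servers.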
On 9/29/20 8:29 AM, stan via users wrote:
This is not the reality I live in though. New-style high level programming languages tend to avoid being just a wrapper around C APIs. And thus they implement minimal DNS clients themselves, ignoring the LLMNR, mDNS and so on.
Not just for DNS. For SMTP, HTTP, etc.
This is kind of a silly statement. There isn't a standard library for SMTP and HTTP clients, although there are libraries like libcurl.
The modern way of coding apps is minimal marginally-compliant and secure built-in network client (so things sort of work on the dev system and in CI/CD unit tests), with the OS interposing a full-featured protocol proxy in “production” deployments.
For me, the implication of that is that I am no longer in control of DNS, etc. If some program has hard coded DNS servers, they bypass everything and just ignore system settings. Am I understanding correctly?
Just because they implement a DNS client doesn't mean they ignore the system settings or have hard-coded servers.
In particular, I'm thinking about Firefox, since as part of that thread it emerged that browsers are including their own DNS clients with things like DoH and DoT. Before I start knot-resolver, Firefox cannot reach the web. Is that an indication that it does, in fact, use my DNS resolver?
DoT doesn't bypass your DNS servers, and Firefox has DoH disabled by default in Fedora.
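Added example, not part of Samuel's reply or of Firefox's or Fedora's code: a POSIX shell script that reads the DNS-over-HTTPS setting out of a Firefox profile so you can see for yourself whether the browser is using the system resolver. It relies on Firefox's own network.trr.mode preference (which the thread does not name) and on the mode values Firefox documents for it; the sample prefs files are constructed.

```shell
#!/bin/sh
# Report Firefox's DNS-over-HTTPS ("TRR") mode from a profile's prefs.js or
# user.js. Added example for this thread; network.trr.mode is Firefox's own
# preference name, and the mode meanings follow Firefox's about:config notes.

# Print the numeric network.trr.mode pinned in a prefs file, or "unset" when
# the file does not set it (Firefox then uses its built-in default, 0).
trr_mode() {
    file=$1
    [ -r "$file" ] || { echo unset; return 0; }
    # Last matching line wins: prefs.js has one line per pref, but a
    # hand-edited user.js may repeat it.
    m=$(sed -n 's/^[[:space:]]*user_pref("network\.trr\.mode",[[:space:]]*\([0-9]\{1,\}\));.*/\1/p' "$file" | tail -n 1)
    if [ -n "$m" ]; then echo "$m"; else echo unset; fi
}

# Human-readable meaning of a TRR mode value.
trr_describe() {
    case "$1" in
        unset|0) echo "DoH off (Firefox default): system resolver only" ;;
        2)       echo "DoH first, fall back to the system resolver on failure" ;;
        3)       echo "DoH only: lookups bypass the system resolver" ;;
        5)       echo "DoH off by explicit user choice" ;;
        *)       echo "unrecognised mode $1" ;;
    esac
}

# Constructed prefs, not taken from a real profile.
tmp=$(mktemp -d)
printf 'user_pref("browser.startup.page", 3);\nuser_pref("network.trr.mode", 3);\nuser_pref("network.trr.uri", "https://doh.example/dns-query");\n' > "$tmp/doh-only.js"
printf 'user_pref("browser.startup.page", 3);\n' > "$tmp/default.js"
for p in doh-only default; do
    m=$(trr_mode "$tmp/$p.js")
    echo "$p.js: mode=$m -> $(trr_describe "$m")"
done
rm -rf "$tmp"

# Real profiles on this account, when present.
for f in "$HOME"/.mozilla/firefox/*/prefs.js; do
    [ -e "$f" ] || continue
    m=$(trr_mode "$f")
    echo "$f: mode=$m -> $(trr_describe "$m")"
done
```

A profile reporting "unset" or 0 is consistent with what Samuel describes: Firefox hands every lookup to the system resolver, which is why it cannot reach the web until knot-resolver is listening. Only modes 2 and 3 send queries to a DoH server instead.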
On Wed, 30 Sep 2020 05:25:13 +0800 Ed Greshko ed.greshko@greshko.com wrote:
On 2020-09-29 23:29, stan via users wrote:
For me, the implication of that is that I am no longer in control of DNS, etc. If some program has hard coded DNS servers, they bypass everything and just ignore system settings. Am I understanding correctly?
You're not understanding it correctly.
There are FallbackDNS servers defined. But, these are only used in the event that a user fails to configure DNS servers or a broken DHCP server fails to supply DNS servers to the system.
If I'm not, great, I'm happy. If I am, though, how do I take back control?
FWIW, systemd-resolved.service is enabled by default starting in F33. I believe an upgrade to F33 will also enable this.
However, you can always easily restore the previous behavior with Network Manager:

sudo rm -f /etc/resolv.conf
sudo ln -sf /run/NetworkManager/resolv.conf /etc/resolv.conf
sudo systemctl disable --now systemd-resolved.service
sudo systemctl mask systemd-resolved.service
sudo systemctl reboot
Thanks, I can rest easy.
On Tue, 29 Sep 2020 14:55:28 -0700 Samuel Sieb samuel@sieb.net wrote:
On 9/29/20 8:29 AM, stan via users wrote:
This is not the reality I live in though. New-style high level programming languages tend to avoid being just a wrapper around C APIs. And thus they implement minimal DNS clients themselves, ignoring the LLMNR, mDNS and so on.
Not just for DNS. For SMTP, HTTP, etc.
This is kind of a silly statement. There isn't a standard library for SMTP and HTTP clients, although there are libraries like libcurl.
The modern way of coding apps is minimal marginally-compliant and secure built-in network client (so things sort of work on the dev system and in CI/CD unit tests), with the OS interposing a full-featured protocol proxy in “production” deployments.
For me, the implication of that is that I am no longer in control of DNS, etc. If some program has hard coded DNS servers, they bypass everything and just ignore system settings. Am I understanding correctly?
Just because they implement a DNS client doesn't mean they ignore the system settings or have hard-coded servers.
In particular, I'm thinking about Firefox, since as part of that thread it emerged that browsers are including their own DNS clients with things like DoH and DoT. Before I start knot-resolver, Firefox cannot reach the web. Is that an indication that it does, in fact, use my DNS resolver?
DoT doesn't bypass your DNS servers, and Firefox has DoH disabled by default in Fedora.
Thank you.