DNS handling was Re: default DNS caching name server on Fedora ?

Paul Wouters pwouters at redhat.com
Wed Jun 20 20:42:58 UTC 2012

People might have missed it before, but Fedora does a lot now with
handling the various DNS manglings it can encounter in the wild.

If you install dnssec-trigger from rawhide, then your DNS will be
automatically configured using DNSSEC and with as much security as
possible, while detecting hotspots and telling you when you are
temporarily using insecure DNS (e.g. to authenticate a hotspot).

dnssec-trigger uses two web pages run by the fedora infrastructure team
to do this. One page to trigger redirects on port 80, and one page to
detect port 80 mangling.

Upon connecting to a new network, dnssec-trigger performs a full test
of the DNS server supplied by the DHCP server. If it supports DNSSEC,
it is used to forward all queries. If not, then a free port 53 is probed
to see if unbound should do all recursing itself. If that is broken or
blocked, it will attempt to talk raw DNS over port 80, or DNS wrapped
in SSL over port 443 to three DNS resolvers run by Fedora (you can see
these configurations in /etc/dnssec-trigger/dnssec-triggerd.conf). If
that also fails, then it will warn you and give you a choice between
going insecure or only using already cached DNS.

It will also try to connect to fedoraproject.org/static/hotspot.html
and detect if you are hotspotted. It will pop up a warning for you to
login to the hotspot with a new browser window. Once the hotspot.html
page looks "normal", we know you authenticated (clicked OK, or paid)
and DNS is reprobed to see if we now can do DNSSEC.

We are trying to work under a lot of different scenarios, including
hotspots that break DNS, hotspots intercepting all port 53, hotspots
counting on you doing port 80 traffic to do an HTTP redirect, etc.

This is currently mostly done by dnssec-triggerd, which reconfigures
unbound on the fly. When going "insecure", it rewrites resolv.conf
to point to the DHCP-obtained DNS, but when it is secure, it will point
DNS to where unbound will answer.

And as I said in my previous email, when you bring up a VPN using
openswan, it deals with the specific domain and its name servers for you
dynamically as well. But vpnc does not yet support this.

What I would like to do next is to tie network manager and
dnssec-trigger more closely together, so we don't have to do tricks like
making resolv.conf immutable to prevent others from bypassing DNSSEC
security by rewriting that file.

Install dnssec-trigger, start the dnssec-trigger panel application and
please give me feedback! Especially when you experience DNS failures at
hotspots. There are so many different kinds of broken DNS out there, I'm
sure we need to do more inventive things to make it work for everyone.
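The probe ladder and resolv.conf handling described in the mail, as an added illustration that is not dnssec-trigger's own code: the `dig +dnssec` samples are constructed, and the mode names and function names are assumptions.

```python
import re

# Constructed `dig +dnssec` outputs (not captured from a real network):
# one from a resolver that passes DNSSEC records through, one from a
# hotspot-style resolver that strips them.
DIG_PASSES_DNSSEC = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
fedoraproject.org.  300 IN A     192.0.2.10
fedoraproject.org.  300 IN RRSIG A 8 2 300 20120701000000 20120601000000 12345 fedoraproject.org. AbCd==
"""
DIG_STRIPS_DNSSEC = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
fedoraproject.org.  300 IN A     192.0.2.10
"""

LOCAL_UNBOUND = "127.0.0.1"  # where resolv.conf points while secure (assumed)


def forwarder_passes_dnssec(dig_output: str) -> bool:
    """A DHCP-supplied resolver is only usable as a forwarder if RRSIGs
    survive the trip; the 'ad' flag is ignored because unbound validates
    locally and an untrusted middlebox can set that bit anyway."""
    return re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_output, re.M) is not None


def choose_dns_path(dhcp_forwarder_ok, port53_open, port80_dns, port443_ssl):
    """Fallback order from the mail: DHCP forwarder -> own recursion on
    port 53 -> Fedora resolvers over 80/443 -> ask the user."""
    if dhcp_forwarder_ok:
        return "forward-dhcp-dns"
    if port53_open:
        return "recurse-self"
    if port80_dns or port443_ssl:
        return "fedora-resolvers"
    return "ask-insecure-or-cache-only"


def resolv_conf_for(mode, dhcp_nameservers):
    """Secure modes point resolv.conf at unbound; the insecure choice
    points it back at the DHCP-obtained servers."""
    if mode == "insecure":
        return "".join(f"nameserver {ns}\n" for ns in dhcp_nameservers)
    return f"nameserver {LOCAL_UNBOUND}\n"


if __name__ == "__main__":
    ok = forwarder_passes_dnssec(DIG_STRIPS_DNSSEC)  # hotspot strips RRSIGs
    mode = choose_dns_path(ok, port53_open=True, port80_dns=False, port443_ssl=False)
    print(mode, resolv_conf_for(mode, ["192.0.2.53"]), sep="\n")
```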

