F22 System Wide Change: Default Local DNS Resolver

Neal Becker ndbecker2 at gmail.com
Tue Jan 13 15:47:56 UTC 2015


Paul Wouters wrote:

> On Tue, 13 Jan 2015, Neal Becker wrote:
> 
>> How will this impact the following (common) situation?
>>
>> I carry my linux laptop between home and work.  When at work, I need to use
>> my employer's dns to lookup names of (non-public) local machines.
> 
> When connecting to work, dnssec-trigger will probe the DHCP obtained
> resolver and use it when it works (well enough to support DNSSEC)
> 
> If your work's public DNS view is unsigned, then your
> corporate DNS server can lie all it wants and we'll believe it.
> 
> If your work's public DNS view is signed, then your internal view better
> be signed with that key too, or else we'll mis-detect it as an attack.
> 
> If you connect via VPN to your work, the VPN client should receive the
> domain and nameservers via the VPN options, and configure a forward
> inside your resolver. (libreswan IPsec supports this and I use it daily
> when connecting to the RedHat VPN :)
> 
> NetworkManager should allow for a connection property based on network
> identification where you can configure overrides.
> 
> DNSSEC in general will make split view DNS much harder to maintain. We
> are not introducing this problem - we just have to try and cope with it.
> 
> Paul

Just tried it on f21.  Did:
sudo systemctl enable dnssec-triggerd.service
sudo systemctl start dnssec-triggerd.service

host slashdot.org:
[ works fine ]

Now a local machine:

host nbecker7
Host nbecker7 not found: 3(NXDOMAIN)
[nbecker at nbecker1 ~]$ tail /var/log/messages
Jan 13 10:32:55 nbecker1 dnssec-trigger-script: ok removed 0 rrsets, 0 messages and 0 key entries
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Global forwarders: 10.33.41.30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not send queries for probe
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Connection provided zone 'hughes.com' (insecure): 10.33.41.30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: ok 


But if I unplug the Ethernet cable and replug it, it seems to no longer work for local 
hosts.

host nbecker7.hughes.com
Host nbecker7.hughes.com not found: 3(NXDOMAIN)

I'm guessing I need to manually configure /etc/unbound/unbound.conf?

No clue why behavior changed after unplug/replug enet cable.

I did NOT try logout/login or reboot.



-- 
-- Those who don't understand recursion are doomed to repeat it
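An added example, not code from this thread, from dnssec-trigger or from unbound: a small POSIX sh script that turns the "Connection provided zone" line that dnssec-trigger-script logged above into the equivalent persistent unbound.conf fragment (a forward-zone for the connection-provided domain, plus domain-insecure when the zone was reported as insecure), and into the unbound-control command that sets up the same forward at run time. The log line is copied from the post; that dnssec-trigger-script hands unbound such forwards via unbound-control, that a multi-server list would be space separated, and the exact wording of a "(secure)" variant are assumptions of this example.

```sh
#!/bin/sh
# Constructed sample: the dnssec-trigger-script line from the post above.
SAMPLE_LOG="Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Connection provided zone 'hughes.com' (insecure): 10.33.41.30"

# parse_zone LINE
# Prints "zone|flag|servers" for a "Connection provided zone" line, nothing otherwise.
# Assumes multiple servers, if any, are space separated (assumption, not verified).
parse_zone() {
    printf '%s\n' "$1" | sed -n "s/.*Connection provided zone '\([^']*\)' (\([a-z]*\)): \(.*\)$/\1|\2|\3/p"
}

# split_parsed PARSED  -> sets zone, flag, servers
split_parsed() {
    zone=${1%%|*}
    rest=${1#*|}
    flag=${rest%%|*}
    servers=${rest#*|}
}

# unbound_stanza LINE
# Prints the unbound.conf fragment that makes the forward persistent.
# domain-insecure is what the "(insecure)" flag means: no DNSSEC validation
# for that zone, so whoever answers on 10.33.41.30 is trusted unconditionally.
unbound_stanza() {
    parsed=$(parse_zone "$1")
    [ -n "$parsed" ] || return 1
    split_parsed "$parsed"
    printf 'forward-zone:\n    name: "%s"\n' "$zone"
    for s in $servers; do
        printf '    forward-addr: %s\n' "$s"
    done
    if [ "$flag" = insecure ]; then
        printf 'server:\n    domain-insecure: "%s"\n' "$zone"
    fi
}

# unbound_control_cmd LINE
# Prints the run-time equivalent: unbound-control forward_add [+i] zone servers...
# "+i" marks the zone insecure (same effect as domain-insecure above).
unbound_control_cmd() {
    parsed=$(parse_zone "$1")
    [ -n "$parsed" ] || return 1
    split_parsed "$parsed"
    opt=""
    [ "$flag" = insecure ] && opt="+i "
    printf 'unbound-control forward_add %s%s %s\n' "$opt" "$zone" "$servers"
}

# Demo when run directly.
echo "# persistent config:"
unbound_stanza "$SAMPLE_LOG"
echo "# run-time equivalent:"
unbound_control_cmd "$SAMPLE_LOG"
```

Two caveats before pasting the output into unbound.conf. First, the persistent stanza applies on every network, not just at work: at home, queries for hughes.com will still be sent to 10.33.41.30, whereas the forward that dnssec-trigger adds with unbound-control is tied to the current connection (check with `unbound-control list_forwards`). Second, `domain-insecure` is an explicit decision to accept unvalidated answers for that zone, which is exactly the "corporate DNS server can lie all it wants" situation Paul describes; if your unbound.conf also sets `private-address`, add `private-domain: "hughes.com"` in the server clause or answers with 10.x addresses will be filtered out. On Fedora, where unbound.conf includes `/etc/unbound/local.d/*.conf` inside the server clause and `/etc/unbound/conf.d/*.conf` at top level, the `domain-insecure` line belongs in local.d and the `forward-zone` block in conf.d.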