F22 System Wide Change: Default Local DNS Resolver
Neal Becker
ndbecker2 at gmail.com
Tue Jan 13 15:47:56 UTC 2015
Paul Wouters wrote:
> On Tue, 13 Jan 2015, Neal Becker wrote:
>
>> How will this impact the following (common) situation?
>>
>> I carry my linux laptop between home and work. When at work, I need to use
>> my employer's dns to lookup names of (non-public) local machines.
>
> When connecting to work, dnssec-trigger will probe the DHCP obtained
> resolver and use it when it works (well enough to support DNSSEC)
>
> If your work's public DNS view is unsigned, then your
> corporate DNS server can lie all it wants and we'll believe it.
>
> If your work's public DNS view is signed, then your internal view better
> be signed with that key too, or else we'll mis-detect it as an attack.
>
> If you connect via VPN to your work, the VPN client should receive the
> domain and nameservers via the VPN options, and configure a forward
> inside your resolver. (libreswan IPsec supports this and I use it daily
> when connecting to the RedHat VPN :)
>
> NetworkManager should allow for a connection property based on network
> identification where you can configure overrides.
>
> DNSSEC in general will make split view DNS much harder to maintain. We
> are not introducing this problem - we just have to try and cope with it.
>
> Paul
Just tried it on f21. Did:
sudo systemctl enable dnssec-triggerd.service
sudo systemctl start dnssec-triggerd.service
host slashdot.org:
[ works fine ]
Now a local machine:
host nbecker7
Host nbecker7 not found: 3(NXDOMAIN)
[nbecker at nbecker1 ~]$ tail /var/log/messages
Jan 13 10:32:55 nbecker1 dnssec-trigger-script: ok removed 0 rrsets, 0 messages and 0 key entries
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Global forwarders: 10.33.41.30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: http_probe_create_get: Network is unreachable
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not UDP send to ip 2001:503:ba3e::2:30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: [31187] error: could not send queries for probe
Jan 13 10:32:56 nbecker1 dnssec-trigger-script: Connection provided zone 'hughes.com' (insecure): 10.33.41.30
Jan 13 10:32:56 nbecker1 dnssec-triggerd: ok
But if I unplug the ethernet cable and replug it, it seems to no longer work for local hosts.
host nbecker7.hughes.com
Host nbecker7.hughes.com not found: 3(NXDOMAIN)
I'm guessing I need to manually configure /etc/unbound/unbound.conf?
No clue why behavior changed after unplug/replug enet cable.
I did NOT try logout/login or reboot.
--
-- Those who don't understand recursion are doomed to repeat it
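The manual unbound.conf override Neal is guessing at, and the "forward inside your resolver" Paul describes, would look like the fragment below. This is an added example, not a configuration from either poster or from the dnssec-trigger project; the zone name 'hughes.com' and the resolver 10.33.41.30 are taken from the log lines above, and the file path is an assumption for a Fedora-style conf.d layout. The point to note is that domain-insecure is what stops unbound treating the unsigned internal view as an attack, and it should be scoped to exactly that one zone, since for that zone alone the corporate resolver is then trusted without validation.

```conf
# /etc/unbound/conf.d/work-split-view.conf  (assumed path; added example)
#
# Internal zone that is served by the employer's resolver and is not
# DNSSEC-signed.  Forward only this zone, and only disable validation
# for this zone, so every other name is still validated normally.

server:
    # Do not attempt DNSSEC validation for the internal view.
    # Constrained to the one zone; never use "." here, which would
    # turn validation off for everything.
    domain-insecure: "hughes.com"

    # Only needed if a private-address: list is configured in the
    # main unbound.conf; it lets answers in this zone carry
    # RFC1918 addresses instead of being rewritten.
    private-domain: "hughes.com"

# Send queries for the internal zone to the DHCP-provided work resolver
# (10.33.41.30 is the address reported in the log above).
forward-zone:
    name: "hughes.com"
    forward-addr: 10.33.41.30
```

Because this is a static override, it applies at home as well as at work, where 10.33.41.30 is unreachable; that is the trade-off against the per-connection forward that dnssec-trigger's script adds and removes as the network changes.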