F23 System Wide Change: Default Local DNS Resolver

Tomas Hozza thozza at redhat.com
Wed Jun 17 11:10:34 UTC 2015 

On 12.06.2015 19:17, Paul Wouters wrote:
> On 06/12/2015 12:53 PM, Dan Williams wrote:
>>> b) Broken networks:
>>> Some networks are so broken that even without captive portal they are not able
>>> to deliver DNSSEC data to the clients.
>>>
>>> In that case will try tunnel to other DNS servers on the Internet (Fedora
>>> Infra or public DNS root) and use them. Naturally, local/internal domains need
>>> to be available.
>>
>> While I don't actually care, this might well be a sticking point for
>> many people since their DNS information is going to an untrusted (to
>> them) DNS server.  Yeah, I tend to trust Fedora, but not everyone will.
>> Can the tunnel be turned off, or the broken servers whitelisted, or is
>> the answer here to just "dnf remove dnssec-trigger"?
> 
> The fallbacks are configured in /etc/dnssec-trigger/dnssec-triggerd.conf
> 
> # Provided by fedoraproject.org, #fedora-admin
> # It is provided on a best effort basis, with no service guarantee.
> ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
> tcp80:  140.211.169.201
> ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
> tcp80:  66.35.62.163
> ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
> tcp80:  152.19.134.150
> ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64
> :AA:87:E6:F2
> tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9
> 
>>> Can we integrate on one place (e.g. by calling into dnssec-trigger) instead
>>> overwriting /etc/resolv.conf independently?
>>
>> This is the real issue.  It sounds like What you're proposing is to make
>> dnssec-trigger into the "DNS broker".  The previous solutions
>> (resolvconf, NetworkManager, etc) have all failed for various reasons.
>> Touching/changing something so fundamental to the system, as you've
>> probably discovered, can be hard...
> 
> But it must be done for security reasons.
> 
>> systemd-resolved might have a chance here, since it's small and pretty
>> simple, but they don't have an external API and don't seem interested in
>> creating one any time soon which severely limits it's usefulness.
> 
> And last I looked it did not support DNSSEC. I'm also weary about systemd-resolved basically marshalling DNS via DBUS.
> 
>> If this is indeed what you're proposing, then lets have a discussion
>> about dnssec-trigger+unbound in that context, I do have some thoughts to
>> contribute here.
> 
> I believe we selected dnssec-trigger because it was the UI/daemon that worked. A better native integration into either
> NM or Gnome would be preferred.

I had the same idea before, but given that there is not only NM, but
also other projects that intend to do the same thing as NM and even
replace it in some environments (e.g. systemd-networkd) I don't think
it makes sense to implement the same thing in each and every of these.

I changed my mind and think that having one component implementing the
functionality and communicating with the network configuration software
that is used on the specific platform is a better approach. Although
dnssec-trigger may not be ideal as final solution, it is a good for
start and as a proof of concept of how to do client side DNSSEC
validation properly.

Tomas

> Paul
> 

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                 http://cz.redhat.com

More information about the devel mailing list