On Tue, Sep 29, 2020 at 3:43 PM Lennart Poettering <mzerqung(a)0pointer.de> wrote:
On Di, 29.09.20 04:03, John M. Harris Jr (johnmh(a)splentity.com) wrote:
> > Search domains on VPNs are an indicator that these domains are handled
> > by the VPN, that's why we use them also as routing domains. But this
> > doesn't mean it's the *only* routing domains we use. We use the ones
> > you configure, primarily. But since the concept didn't previously exist
> > we make the best from what we have.
>
> If you really must send DNS queries to both (which defeats the purpose of
> 'Split DNS'), then it may be better to just use the DNS server of the VPN when
> connected to VPN, then only check the LAN interface when the response is
> NXDOMAIN.
> As mentioned in this thread already: this policy makes sense for some
> cases but not for others.
>
> For example, if I have my laptop in my home wifi, connected to RH VPN,
> then there are some names resolvable only via the local
> DNS. Specifically: my router's, my printer's and my NAS' address. And
> there are other names only resolvable via RH VPN. systemd-resolved for
> the first time gives me a chance for this to just work: it will send
> requests to both the RH DNS servers and the local ones, and uses the
> first successful reply, or the last failed reply. And that's quite
> frankly awesome, because that *never* worked before.
>
> So sending the requests to all available DNS servers in absence of
> better routing info is a great enabler: it makes DNS "just work" for
> many cases, including my own, and I doubt it's a particularly exotic
> one.
It is not an exotic one, but this behavior was in the past considered
a vulnerability (information disclosure) [0]. Are we re-introducing
it? I guess yes, and it can be that the benefits of it outweigh the
vulnerability, but we should be explicit about it in our release
notes.
[0] CVE-2018-1000135
https://bugzilla.redhat.com/show_bug.cgi?id=1558238
> Key take-away here:
>
> 1. Ideally we'd just route company DNS traffic to VPN, and everything
> else to local LAN DNS. But that requires explicit routing info to
> be configured, we cannot auto-detect this info (beyond some minor
> inference from the search domains)
Do we know which Fedora-shipped VPNs work well with split DNS and
which will lead to leaking the web sites accessed?
regards,
Nikos
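The routing behaviour Lennart describes (longest routing-domain match wins, otherwise every link is asked, first successful reply wins) and the disclosure Nikos raises, as an added model that is not part of the thread and not systemd-resolved's own code; the routing rules are a simplified approximation, and the links, server addresses and zone data are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    """One interface as a resolver sees it (simplified model, not resolved's own)."""
    name: str
    servers: list
    routing_domains: list = field(default_factory=list)  # "~corp.example"; "~." = catch-all

def domain_matches(domain, name):
    d, n = domain.lstrip("~").strip(".").lower(), name.strip(".").lower()
    return d == "" or n == d or n.endswith("." + d)

def route_query(name, links):
    """Longest matching routing domain wins; if nothing matches, every link is asked."""
    best_len, chosen = -1, []
    for link in links:
        for dom in link.routing_domains:
            if domain_matches(dom, name):
                length = len(dom.lstrip("~").strip("."))
                if length > best_len:
                    best_len, chosen = length, [link]
                elif length == best_len and link not in chosen:
                    chosen.append(link)
    return chosen or list(links)

def resolve(name, links, lookup):
    """Ask all routed servers (parallel in reality, sequential here); first success wins."""
    asked, answer = [], None  # `asked` records every server that saw the name
    for link in route_query(name, links):
        for server in link.servers:
            asked.append(server)
            reply = lookup(server, name)
            if answer is None and reply is not None:
                answer = reply
    return answer, asked

def observers_outside(name, links, intended):
    """Servers on other links that would see a name meant for `intended`: the disclosure."""
    return [s for l in route_query(name, links) if l is not intended for s in l.servers]

# Constructed scenario from the thread: home LAN plus a VPN whose pushed search domain doubles as routing domain.
LAN = Link("wlan0", ["192.168.1.1"])
VPN = Link("tun0", ["10.8.0.53"], ["~corp.example"])
ZONES = {"192.168.1.1": {"printer.home": "192.168.1.20"},
         "10.8.0.53": {"wiki.corp.example": "10.8.1.5", "git.internal": "10.8.1.9"}}

def fake_lookup(server, name):
    return ZONES[server].get(name)  # None models NXDOMAIN
```

`observers_outside("git.internal", [LAN, VPN], VPN)` shows the LAN resolver receiving a VPN-only name because no routing domain covers it; adding `"~."` to the VPN link's routing domains sends it to the VPN alone.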