* Michael Catanzaro:
> On Mon, Sep 28, 2020 at 4:39 pm, Florian Weimer
> <fweimer(a)redhat.com>
> wrote:
>> My understanding is that the DNS request routing in systemd-resolved
>> effectively disables any security mechanisms on the VPN side, and
>> instructs most current browsers to route DNS requests to centralized
>> DNS servers for all requests (i.e., overriding what came from both the
>> VPN and DHCP).
> No... certainly not. Previously, VPNs only worked properly if you have
> exactly one VPN, and it's configured to receive all traffic. Using a
> VPN that receives traffic only for resources on its network, or using
> multiple VPNs at once, would result in DNS leaks. In fact, making VPNs
> work properly is the *only* reason I'm involved in this. I was
> frustrated to see that Fedora sometimes sent my requests for internal
> Red Hat resources to my public VPN's DNS server instead of Red Hat's
> DNS servers. See [1] for a comparison between previous and new
> behavior.
But the DNS view provided by the Red Hat VPN is what disables the
centralized DNS resolvers in browsers in these configurations. The
magic browser probe no longer fails with the change in DNS routing
(which the proposal confusingly names “Split DNS”) because it goes out
over the public Internet, where it is not filtered, unlike the Red Hat
VPN.
Thanks,
Florian
--
Red Hat GmbH,
https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
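To make the two routing behaviours discussed in this exchange concrete, here is an added example (not code from this thread or from systemd-resolved) that models per-link routing domains with a longest-suffix match, plus the older "every query goes to the active link" behaviour. Link names, resolver addresses and the browser probe name are constructed for the example.

```python
# Simplified model of per-link DNS routing ("Split DNS"): each link carries
# the domains it is authoritative for; names that match no domain fall back
# to a link holding the default route ("~."). Assumed approximation of
# systemd-resolved's routing, not its actual implementation.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    dns: str                                   # resolver reached over this link
    routing_domains: list[str] = field(default_factory=list)
    default_route: bool = False                # catch-all for unmatched names


def _matches(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def route_query(name: str, links: list[Link]) -> Link:
    """Longest matching routing domain wins; otherwise use a default-route link."""
    name = name.rstrip(".").lower()
    best, best_len = None, -1
    for link in links:
        for dom in link.routing_domains:
            if _matches(name, dom) and len(dom) > best_len:
                best, best_len = link, len(dom)
    if best is not None:
        return best
    for link in links:
        if link.default_route:
            return link
    raise LookupError(f"no link can resolve {name!r}")


def legacy_route(name: str, active: Link) -> Link:
    """Old behaviour: every query goes to the most recently activated link,
    whatever the name, so either internal names leak to the public VPN's
    resolver or public names are answered by the corporate VPN's DNS view."""
    return active


# Constructed topology from the thread: a corporate VPN serving only its own
# domain, and a public VPN that receives all other traffic (addresses invented).
CORP = Link("tun0", "10.0.0.53", routing_domains=["redhat.com"])
PUBLIC = Link("tun1", "198.51.100.53", default_route=True)
LINKS = [CORP, PUBLIC]


def which_resolver(name: str) -> str:
    return route_query(name, LINKS).dns
```

With split routing the constructed probe name `doh-probe.example` is answered by the public VPN's resolver rather than the corporate VPN's filtered view, which is exactly the effect Florian describes.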