* Michael Catanzaro:
"Fedora 33 uses systemd-resolved for name resolution. Most users will
not notice any difference, but VPN users will benefit from safer
defaults that ensure DNS requests are sent to the same network that
would receive the corresponding traffic, avoiding unexpected DNS leaks
or failure to resolve internal domains."
I think this is rather misleading.
* The change disables protection mechanisms built into corporate VPNs
that require them to observe all DNS traffic. Now this may sound
rather weak as far as countermeasures go, but DNS-based mechanisms are
the only thing you have got if you do not enforce a client-side
approach (ugh, no thanks), or disable split tunneling (i.e., default
route over the VPN; frequently not possible with current VPN usage
levels and virtual company meetings over video link).
* There is no real protocol for sharing internal domains, so
systemd-resolved cannot know all of them, and resolving some of them
will fail or receive unexpected resolution results (probably
observable for some jboss.org subdomains for Red Hatters, but I don't
work in that area, so I don't have a good example at hand).
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
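
An added illustration, not part of the original message and not systemd code: a simplified Python model of per-link DNS routing (longest matching routing domain wins, otherwise links flagged as default route), showing which link receives a query in the split-tunnel case discussed above. The link names `wlan0`/`tun0` and all domains are constructed for the example.

```python
# Simplified model of per-link DNS routing (added illustration, not systemd code).
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    domains: list = field(default_factory=list)  # routing domains; "." stands for "~."
    default_route: bool = False

def match_len(qname, domain):
    """Number of labels matched if qname falls under domain, else -1."""
    if domain == ".":
        return 0  # the root routing domain matches every name, weakest match
    q = qname.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(d) if q[-len(d):] == d else -1

def route(qname, links):
    """Return the names of the links that would receive the query."""
    best, chosen = -1, []
    for link in links:
        score = max((match_len(qname, d) for d in link.domains), default=-1)
        if score > best:
            best, chosen = score, [link.name]
        elif score == best and score >= 0:
            chosen.append(link.name)
    if chosen:
        return sorted(chosen)
    # No configured domain matches: fall back to links flagged as default route.
    return sorted(l.name for l in links if l.default_route)

# Constructed split-tunnel setup: the VPN announced only one internal domain.
SPLIT = [Link("wlan0", default_route=True),
         Link("tun0", domains=["corp.example"])]
# Same links after all DNS is routed to the VPN via the root routing domain.
FULL = [Link("wlan0", default_route=True),
        Link("tun0", domains=["corp.example", "."])]

if __name__ == "__main__":
    for name in ("wiki.corp.example", "build.legacy-corp.example", "www.example.org"):
        print(name, "split:", route(name, SPLIT), "full:", route(name, FULL))
```

In the split setup the unannounced internal name and the public name both go to the Wi-Fi resolver, so the VPN's DNS servers neither answer nor observe them. On a live system the second configuration corresponds to setting `~.` on the VPN link with `resolvectl domain`.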