List:       fedora-devel-list
Subject:    Re: Fedora 33 System-Wide Change proposal: systemd-resolved
From:       Michael Catanzaro <mcatanzaro () gnome ! org>
Date:       2020-09-01 14:22:49
Message-ID: 1AHZFQ.GL1FHUPNRFVO () posteo ! net


On Tue, Sep 1, 2020 at 8:17 am, Nico Kadel-Garcia <nkadel@gmail.com> 
wrote:
> Hiding it inside yet another systemd structure without following the
> existing standards is, sadly, typical of systemd. It also puts at risk
> restricted environments where providing no DNS is deliberately used to
> restrict outbound network use, such as virtual machines or chroot
> cages without an enabled /etc/resolv.conf. That includes the "mock"
> build environment where "pip install" is kept network disabled by the
> lack of DNS.

So open up /etc/systemd/resolved.conf and set FallbackDNS= (set it to 
nothing). That will override fallback to Cloudflare or Google. Then 
you're done.

Realistically, this fallback is unlikely to ever be used anyway, so it 
doesn't matter very much. And if you're operating a restricted 
environment and you don't know how to configure DNS, you likely have 
bigger problems than systemd....

> It will also completely screw up VPN setups where
> out-of-band DNS servers break internal versus external service access
> management.

No it won't. systemd is not going to use a fallback DNS server if your 
VPN provides its own DNS. It's not stupid. This is very easily verified 
simply by typing 'resolvectl' and seeing what DNS servers it has 
configured for a particular tun interface.

Michael
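
The following is an added example, not part of the original message: a shell function that audits whether `FallbackDNS=` has been explicitly emptied in the `[Resolve]` section, as the reply suggests. The function name, the sample files and the handling of repeated assignments are assumptions made for illustration.

```shell
#!/bin/sh
# fallback_dns_state FILE...
# Reads resolved.conf-style files in the order given (main file, then drop-ins)
# and prints the resulting FallbackDNS state:
#   unset     never assigned, so resolved's built-in fallback servers apply
#   disabled  assigned but left empty ("FallbackDNS=")
#   <list>    explicitly configured fallback servers
# Assumption: an empty assignment clears the list; later non-empty ones add to it.
fallback_dns_state() {
    for f in "$@"; do
        # The marker line resets section tracking at each file boundary.
        if [ -r "$f" ]; then echo '[file-boundary]'; cat "$f"; echo; fi
    done | awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*FallbackDNS[ \t]*=/ {
            seen = 1
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)         # drop "FallbackDNS="
            sub(/[ \t\r]+$/, "", value)             # drop trailing whitespace
            if (value == "") list = ""
            else list = (list == "" ? value : list " " value)
        }
        END {
            if (!seen) print "unset"
            else if (list == "") print "disabled"
            else print list
        }'
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '[Resolve]\n#FallbackDNS=1.1.1.1 8.8.8.8\n' > "$demo/resolved.conf"
printf '[Resolve]\nFallbackDNS=\n' > "$demo/10-no-fallback.conf"

echo "main file only:   $(fallback_dns_state "$demo/resolved.conf")"
echo "with the drop-in: $(fallback_dns_state "$demo/resolved.conf" "$demo/10-no-fallback.conf")"
```

On a real system the arguments would be /etc/systemd/resolved.conf followed by any drop-in files. The function only reads configuration files; `resolvectl` shows the servers the running service actually has configured.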
