Set a proper default value for services.resolved.fallbackDns #114114

Closed
sagehane opened this issue Feb 23, 2021 · 5 comments · Fixed by #272946

@sagehane
Contributor

Issue description

services.resolved.fallbackDns is empty as a default value, and has the description of:

A list of IPv4 and IPv6 addresses to use as the fallback DNS servers. If this option is empty, a compiled-in list of DNS servers is used instead.

The "compiled-in list" seems to be:

1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4
2606:4700:4700::1111 2001:4860:4860::8888
2606:4700:4700::1001 2001:4860:4860::8844

This means that if somebody wanted to intentionally set the list to an empty value, the person will need to try some workarounds.

Proposed solution

Just set the compiled value as the default value, and stop relying on the compiled-in list.


This affects 20.03, 20.09, and unstable versions of at least 21.05pre271444.9816b99e71c.

@stale

stale bot commented Aug 28, 2021

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 28, 2021
@fightingdreamer

services.resolved.fallbackDns set to an empty value is not empty; it affects 21.05.

For me it's a security issue; I don't want my server to contact public DNS without being explicitly allowed to do so.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 15, 2021
@sagehane
Contributor Author

Relevant upstream issue: systemd/systemd#494.
Looks like they don't care to change it.

This value only seems to be used as a last resort when the config.networking.nameservers isn't set and "if none could be learnt via dhcp or ppp".

@solbu

solbu commented Mar 28, 2022

> Relevant upstream issue: systemd/systemd#494. Looks like they don't care to change it.

Oh, he cares.
He cares so much and has a strong opinion on how this should be done that he refuses to change it.

Don't mistake Poettering's answer for not caring. He cares deeply.

@benaryorg
Contributor

benaryorg commented Dec 8, 2023

Note that overriding default values is indeed possible using a single foo= statement with no value. In fact this would be supported by the NixOS module if it weren't for the default being injected on an empty list.

This would be a breaking change for a select few I assume, but rewriting the type of services.resolved.fallbackDns to be types.nullOr (types.listOf types.str) and setting the default value to null and changing the optionalString logic to be != null then providing [] as a value (from a user perspective) would set the config value to FallbackDNS= which would override the upstream behaviour to use no fallback servers.

As a stopgap measure you can use this in your config, but being able to use this without extraConfig would be nice considering there is an actual option for this kind of thing.

```nix
services.resolved.extraConfig =
''
  FallbackDNS=
'';
```

Edit: gonna send a pull request
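
An added example, not part of the thread or of the NixOS module: a small Python check that classifies a generated resolved.conf into the three cases discussed above (no `FallbackDNS=` line means the compiled-in servers, an empty `FallbackDNS=` means none, otherwise the listed servers). The sample configs and the function name are constructed for illustration, and the reset/append handling of repeated assignments is an assumption about systemd's list semantics.

```python
# Added example: classify what systemd-resolved will use as fallback DNS,
# given the text of resolved.conf plus any drop-ins, in the order they are read.
COMPILED_IN, DISABLED, EXPLICIT = "compiled-in", "disabled", "explicit"


def fallback_dns_state(conf_texts):
    """Return (state, servers) for FallbackDNS= across the given config texts.

    Assumption: an empty assignment clears the list and a non-empty
    assignment appends to it, so the last reset wins.
    """
    assigned = False  # has any FallbackDNS= line been seen in [Resolve]?
    servers = []
    for text in conf_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section != "Resolve" or not sep or key.strip() != "FallbackDNS":
                continue
            assigned = True
            if value.strip():
                servers.extend(value.split())
            else:
                servers = []  # "FallbackDNS=" resets to no fallback servers
    if not assigned:
        # No line at all: resolved falls back to the compiled-in public servers.
        return COMPILED_IN, []
    return (EXPLICIT, servers) if servers else (DISABLED, [])


# Constructed sample configs (not taken from a real system).
DEFAULT_CONF = "[Resolve]\nDNSSEC=false\n"
STOPGAP_CONF = "[Resolve]\nDNSSEC=false\nFallbackDNS=\n"
INTERNAL_CONF = "[Resolve]\nFallbackDNS=192.0.2.53 2001:db8::53\n"

if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("stopgap", STOPGAP_CONF),
                       ("internal", INTERNAL_CONF)]:
        print(name, fallback_dns_state([conf]))
```

A result of `compiled-in` is the case the commenters object to: the host may query public resolvers that were never configured.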
