resolved: Don't use domain-limited DNS servers for other queries #3421
Comments
martinpitt added a commit to martinpitt/systemd that referenced this issue (Jun 28, 2016):
DNS servers which have route-only domains without "~." should only be used for the specified domains. Routing queries about other domains there is a privacy violation, prone to fail (as that DNS server was not meant to be used for other domains), and puts unnecessary load onto that server. As documented, adding "~." to Domains= is the way to describe "use that server for all domains", i. e. make it a global name server. Introduce a new helper function dns_server_limited_domains() that checks if the DNS server should only be used for some selected domains, i. e. has some route-only domains without "~.". Use that when determining whether to query it in the scope, and when writing resolv.conf. Extend the test_route_only_dns() case to ensure that the DNS server limited to ~company does not appear in resolv.conf. Add test_route_only_dns_all_domains() to ensure that a server that also has ~. does appear in resolv.conf as global name server. Fixes systemd#3420 Fixes systemd#3421
martinpitt added a commit to martinpitt/systemd that referenced this issue (Jun 30, 2016)
martinpitt added a commit to martinpitt/systemd that referenced this issue (Jun 30, 2016)
I created a test harness/case for this: https://gist.github.com/martinpitt/71990ad79ba03d46a4766cc39a3fd92b This makes it much easier to play around with this, as this provides full control and access to the involved DNS servers and logs. It isn't factorized yet, but that can happen once we extend it to other scenarios.
martinpitt added a commit to martinpitt/systemd that referenced this issue (Sep 26, 2016):
DNS servers which have route-only domains should only be used for the specified domains. Routing queries about other domains there is a privacy violation, prone to fail (as that DNS server was not meant to be used for other domains), and puts unnecessary load onto that server. Introduce a new helper function dns_server_limited_domains() that checks if the DNS server should only be used for some selected domains, i. e. has some route-only domains without "~.". Use that when determining whether to query it in the scope, and when writing resolv.conf. Extend the test_route_only_dns() case to ensure that the DNS server limited to ~company does not appear in resolv.conf. Add test_route_only_dns_all_domains() to ensure that a server that also has ~. does appear in resolv.conf as global name server. These reproduce systemd#3420. Add a new test_resolved_domain_restricted_dns() test case that verifies that domain-limited DNS servers are only being used for those domains. This reproduces systemd#3421. Clarify what a "routing domain" is in the manpage. Fixes systemd#3420 Fixes systemd#3421
Submission type
systemd version the issue has been seen with
Used distribution
This is closely related to issue #3420. If you have a `.network` unit with domain-limited DNS servers, then that DNS server also gets queries which do not match the `Domains= ~...` list, even if `~.` is not in the list. This is at least a privacy violation, but might also cause lookup loops and is generally not expected to work anyway -- after all, you specifically configured it to not apply to every domain. This can be demonstrated in an nspawn container with `--private-network` (it's not container specific at all, but this avoids having to hack up your actual system):

Let's first create a device which acts as your "normal" internet connection:

Now create a device which acts as your "company VPN":

Create the devices:

    # systemctl restart systemd-networkd

This also reproduces issue #3420 (domain-limited DNS servers should not appear as global nameservers in resolved's resolv.conf):

`/run/systemd/resolve/resolv.conf` now has `nameserver 192.168.1.1` (correct), and also `nameserver 10.0.1.1` (that's wrong).

Launch
to see which servers resolved is talking to.

For a "company" address, the behaviour is correct and it only uses the 10.0.1.1 server:

However, for an unrelated address, both the global and the `~company` name server are contacted:

(The operations will time out of course as these are bogus servers, but that's not the point here.)
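The routing rule that the commit message above introduces (a server with route-only domains but no `~.` is domain-limited), applied to the two-link scenario from this report, as an added model that is not systemd's own code. `DnsServer`, `limited_domains`, `servers_for_query` and `resolv_conf_nameservers` are hypothetical names; the addresses and the `~company` domain are the ones used in the issue.

```python
# Added model, not systemd's code: the rule from the commit message ("route-only
# domains without '~.' make a server domain-limited") over the issue's scenario.
# DnsServer, limited_domains, servers_for_query, resolv_conf_nameservers are
# hypothetical names; 192.168.1.1, 10.0.1.1 and ~company come from the issue.
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    address: str
    # Domains= entries as written in a .network unit: "~company" is a route-only
    # domain, "~." routes everything, plain "company" is a search domain.
    domains: list = field(default_factory=list)


def limited_domains(server):
    """Model of dns_server_limited_domains(): a server with route-only domains
    is restricted to them unless one of them is "~." (explicitly global)."""
    route_only = [d for d in server.domains if d.startswith("~")]
    return bool(route_only) and "~." not in route_only


def matches_domain(name, domain):
    """True if NAME lies in DOMAIN ("~." and "." match every name)."""
    d = domain.lstrip("~").rstrip(".").lower()
    n = name.rstrip(".").lower()
    return d == "" or n == d or n.endswith("." + d)


def servers_for_query(name, servers, apply_fix=True):
    """Addresses resolved contacts for NAME. A server whose domain matches wins
    outright; otherwise every server is a fallback candidate, except that with
    the fix a domain-limited server is skipped (the bug: it was not skipped)."""
    matching = [s.address for s in servers
                if any(matches_domain(name, d) for d in s.domains)]
    if matching:
        return matching
    return [s.address for s in servers
            if not (apply_fix and limited_domains(s))]


def resolv_conf_nameservers(servers):
    """resolv.conf cannot route per domain, so only global servers belong."""
    return [s.address for s in servers if not limited_domains(s)]


# Constructed from the issue: a "normal" uplink and a "company VPN" link.
INTERNET = DnsServer("192.168.1.1")
VPN = DnsServer("10.0.1.1", ["~company"])
VPN_GLOBAL = DnsServer("10.0.1.1", ["~company", "~."])
```

Calling `servers_for_query("example.org", [INTERNET, VPN], apply_fix=False)` reproduces the reported behaviour (both servers contacted); with the fix only 192.168.1.1 is used, while a "company" name still goes to 10.0.1.1 alone.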