systemd-resolved uses domain-limited DNS servers for all requests, potentially a privacy issue
Bug #1588230 reported by Andy Whitcroft
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd | Fix Released | Unknown | | |
| systemd (Ubuntu) | Fix Released | Medium | Martin Pitt | |
Bug Description
When configuring a DNS server for a link for specific domains (via the Domains= ~foo syntax), systemd-resolved correctly routes requests for those domains to that DNS server. However, even without ~. on the list, it also routes all other requests there (and in parallel to the primary servers), appearing to pick the fastest responder. This (to my mind) represents a privacy issue, as requests that that DNS server is not intended to see are routed there.
I would have expected the ~. syntax to allow me to request this behaviour and in its absence to not see general requests routed to these servers.
| Changed in | Field | Change |
|---|---|---|
| systemd (Ubuntu) | importance | Undecided → Medium |
| systemd (Ubuntu) | status | New → Triaged |
| systemd (Ubuntu) | milestone | none → ubuntu-16.10 |
| systemd (Ubuntu) | assignee | nobody → Martin Pitt (pitti) |
| systemd (Ubuntu) | status | Triaged → Fix Committed |
| systemd | status | Unknown → New |
| systemd | status | New → Fix Released |
To illustrate: if I have a global DNS server 1.1.1.1, and a VPN networkd device with
DNS=2.2.2.2
Domains= ~company
Then trying to resolve google.com should *only* hit 1.1.1.1, not 2.2.2.2.
If OTOH I had configured
Domains= ~company ~.
then it's okay to hit both.
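As an added illustration (not code from the bug thread or from systemd itself), the following Python model encodes the routing behaviour the report and the comment above expect: a link's DNS servers see only queries under that link's routing domains, the longest suffix match wins, and a link is consulted for everything else only when it opts in with `~.`. The link names and server addresses are the comment's example values; the function names are my own.

```python
# Model of the per-link DNS routing that the bug report expects from
# systemd-resolved. Added example code, not resolved's implementation.
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    dns: list                                   # servers from DNS=
    domains: list = field(default_factory=list) # routing domains from Domains=


GLOBAL_DNS = ["1.1.1.1"]   # system-wide server from the comment's example


def _suffix_match(query, routing_domain):
    """Length of the routing domain if `query` falls under it, else -1.
    The catch-all '~.' matches everything with length 0."""
    q = query.rstrip(".").lower()
    d = routing_domain.lstrip("~").rstrip(".").lower()
    if d == "":
        return 0
    if q == d or q.endswith("." + d):
        return len(d)
    return -1


def route_query(query, links, global_dns=GLOBAL_DNS):
    """Return the set of servers that should see `query`.

    Expected behaviour: a specific routing domain (e.g. ~company) captures
    the query for that link alone; without any specific match the global
    servers are used, joined only by links that opted in via '~.'."""
    best_len, best = -1, []
    for link in links:
        for dom in link.domains:
            n = _suffix_match(query, dom)
            if n > best_len:
                best_len, best = n, list(link.dns)
            elif n >= 0 and n == best_len:
                best.extend(link.dns)      # equal-length match: query both
    if best_len > 0:
        return set(best)
    return set(global_dns) | set(best)     # best is empty unless '~.' matched


if __name__ == "__main__":
    vpn = Link("vpn0", ["2.2.2.2"], ["~company"])
    print(route_query("google.com", [vpn]))         # {'1.1.1.1'} only
    print(route_query("intranet.company", [vpn]))   # {'2.2.2.2'} only
```

With `Domains= ~company ~.` on the VPN link, `route_query("google.com", ...)` returns both servers, which is the "okay to hit both" case from the comment.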