systemd-resolved uses domain-limited DNS servers for all requests, potentially a privacy issue
Bug #1588230 reported by Andy Whitcroft
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
systemd | Fix Released | Unknown | |
systemd (Ubuntu) | Fix Released | Medium | Martin Pitt |
Bug Description
When configuring a DNS server for a link for specific domains (via the Domains= ~foo syntax), systemd-resolved correctly routes requests for those domains to that DNS server. However, even without ~. on the list, it also routes all other requests there (and in parallel to the primary servers), appearing to pick the fastest responder. This (to my mind) represents a privacy issue, as requests that that DNS server is not intended to see are routed there.
I would have expected the ~. syntax to allow me to request this behaviour, and in its absence to not see general requests routed to these servers.
Changed in | Field | Change
---|---|---
systemd (Ubuntu) | importance | Undecided → Medium
systemd (Ubuntu) | status | New → Triaged
systemd (Ubuntu) | milestone | none → ubuntu-16.10
systemd (Ubuntu) | assignee | nobody → Martin Pitt (pitti)
systemd (Ubuntu) | status | Triaged → Fix Committed
systemd | status | Unknown → New
systemd | status | New → Fix Released
To illustrate: if I have a global DNS server 1.1.1.1, and a VPN networkd device with

```
DNS=2.2.2.2
Domains= ~company
```

then trying to resolve google.com should *only* hit 1.1.1.1, not 2.2.2.2.

If OTOH I would have configured

```
Domains= ~company ~.
```

then it's okay to hit both.
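As an added illustration (constructed for this page, not code from systemd or from the commenters), the routing rule the comment above expects, modelled as a small function: the global servers are treated as a link whose routing domain is `~.`, the longest matching routing domain wins, and only ties are queried in parallel. Link names and the `(servers, domains)` pair shape are assumptions of the model.

```python
"""Model of the per-link DNS query routing expected in this bug report.
Constructed example; not systemd-resolved's own code or algorithm."""


def parse_domains(spec):
    """Parse a networkd Domains= value into normalised suffixes.
    A leading '~' marks a routing-only domain; '~.' becomes '' (catch-all)."""
    return [tok.lstrip("~").strip(".").lower() for tok in spec.split()]


def suffix_depth(name, domain):
    """Labels that `domain` contributes when it matches `name`, else -1.
    The root ('') matches every name with depth 0."""
    if domain == "":
        return 0
    if name == domain or name.endswith("." + domain):
        return domain.count(".") + 1
    return -1


def route_query(name, links):
    """Return the DNS servers a lookup of `name` should be sent to.
    `links` is a list of (servers, domains_spec) pairs.  The most specific
    routing domain wins; equally specific matches are queried in parallel,
    which is why adding '~.' to the VPN link makes both server sets eligible."""
    name = name.rstrip(".").lower()
    best_depth, servers = -1, []
    for dns, spec in links:
        depth = max((suffix_depth(name, d) for d in parse_domains(spec)), default=-1)
        if depth < 0:
            continue                      # this link does not serve the name at all
        if depth > best_depth:
            best_depth, servers = depth, list(dns)
        elif depth == best_depth:
            servers.extend(dns)           # tie: both links see the query
    return servers


# Constructed configuration from the comment: global server 1.1.1.1 and a
# VPN link with DNS=2.2.2.2, first scoped to ~company, then with ~. added.
GLOBAL = (["1.1.1.1"], "~.")
VPN_SCOPED = (["2.2.2.2"], "~company")
VPN_DEFAULT_ROUTE = (["2.2.2.2"], "~company ~.")

if __name__ == "__main__":
    print(route_query("google.com", [GLOBAL, VPN_SCOPED]))        # ['1.1.1.1']
    print(route_query("git.company", [GLOBAL, VPN_SCOPED]))       # ['2.2.2.2']
    print(route_query("google.com", [GLOBAL, VPN_DEFAULT_ROUTE])) # both servers
```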