[dns-operations] Split view autoconfiguration

Petr Menšík pemensik at redhat.com
Thu Nov 12 21:19:57 UTC 2020

On 11/12/20 9:00 PM, Florian Weimer wrote:
> * Petr Menšík:
>> I'll try to rephrase. A connection provides a list of domains it considers
>> internal. All names in those domains should be resolved using DNS servers
>> provided by that connection. Because a common network connection managed
>> by NM or systemd-networkd does not have an "internal domains" property,
>> systemd-resolved and dnssec-trigger use the DHCP search (119) option.
> Is it really a list, though?
> I expect corporate networks to use RPZ to manage things like
> typo-squatting, so it's going to be very long, and perhaps not even
> readily disclosable for contractual reasons.
I don't think they should share the whole RPZ zone via that list. I
should be able to send all queries to the VPN for safety checking and only
selected ones to my local/home network, reversing the functionality. I expect
that the domain list per connection would usually be limited to 5 names, not
hundreds of names. Just the bare minimum for basic functionality, not RPZ
protection for any bad site on the internet. Something like
"corp.example.net, labs.example.org".

Since I have installed my own system, not managed or supported by our IT,
and also have my own internet connection, I don't think the VPN (nor the
company) has to monitor all my internet usage. Therefore I would like to
send there only traffic directed to the VPN, avoiding personal queries going
there as well.

I am referring to the Split DNS change proposed to Fedora [1]. I have been
using dnssec-trigger for years. I think there should be some way
to define the configuration in a more standard way.

It is also a question how a VPN connection should be configured to send all
queries to the VPN or not. An employer might require it in the contract.
When I need multiple VPN connections, it would have to choose somehow. How?

[1] https://fedoraproject.org/wiki/Changes/systemd-resolved#Split_DNS
> Thanks,
> Florian

Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
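
The per-connection domain list discussed in this message, as an added example that is not part of the original post and is not code from systemd-resolved or dnssec-trigger. The connection names, the home.arpa domain, the use of "." as a catch-all, and the longest-suffix and tie rules are assumptions of this sketch.

```python
# Added illustration: choose which connection's DNS servers receive a query,
# given a short list of domains per connection. "." means "all names".
# Connection names and the longest-suffix/tie policy are assumptions.

def labels(name):
    """Lower-case a DNS name and split it into labels (trailing dot ignored)."""
    return [p for p in name.lower().rstrip(".").split(".") if p]

def match_len(qname, domain):
    """Labels in `domain` if qname lies inside it (whole labels only), else -1."""
    q, d = labels(qname), labels(domain)
    if len(d) <= len(q) and q[len(q) - len(d):] == d:
        return len(d)          # "." has zero labels, so it matches with score 0
    return -1

def route(qname, connections):
    """Sorted names of the connections with the most specific matching domain."""
    best, chosen = -1, set()
    for name, domains in connections.items():
        score = max((match_len(qname, d) for d in domains), default=-1)
        if score > best:
            best, chosen = score, {name}
        elif score == best and score >= 0:
            chosen.add(name)   # tie: the configuration alone does not decide
    return sorted(chosen)

def seen_by(conn, qnames, connections):
    """Which of the given query names would be sent to connection `conn`."""
    return [q for q in qnames if conn in route(q, connections)]

# Constructed sample configurations.
# Only listed names go to the VPN; everything else uses the home connection.
SPLIT = {"vpn": ["corp.example.net", "labs.example.org"], "home": ["."]}
# "Reversed": everything goes to the VPN except the home network's own names.
FULL_TUNNEL = {"vpn": ["."], "home": ["home.arpa"]}
# Two VPNs with overlapping and with identical claims.
TWO_VPNS = {"vpn-a": ["example.net"], "vpn-b": ["corp.example.net"], "home": ["."]}
AMBIGUOUS = {"vpn-a": ["."], "vpn-b": ["."]}

# Constructed query names.
QUERIES = ["git.corp.example.net", "www.example.com.",
           "notcorp.example.net", "printer.home.arpa"]

if __name__ == "__main__":
    for cfg_name, cfg in (("split", SPLIT), ("full tunnel", FULL_TUNNEL)):
        print(cfg_name, "-> VPN sees:", seen_by("vpn", QUERIES, cfg))
    print("ambiguous:", route("www.example.com", AMBIGUOUS))
```

Matching on whole labels keeps notcorp.example.net out of the corp.example.net list, and the AMBIGUOUS case returns both VPNs, which is the "it would have to choose somehow" situation from the message.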