systemd internal default resolver might leak to Google

Posted: 08 Jun 2019 21:40
by ilu
Should /etc/systemd/resolved.conf have a setting for FallbackDNS which is not Google (or be left empty?) to ensure that the hardcoded fallback to Google never applies?

https://wiki.debian.org/PrivacyIssues
https://manpages.debian.org/stretch/sys ... .5.en.html
https://wiki.archlinux.org/index.php/Sy ... d#Fallback
https://bugs.launchpad.net/ubuntu/+sour ... ug/1449001
https://bugs.debian.org/cgi-bin/bugrepo ... bug=761658

Even if resolved is not enabled now, there is some hinting that it might become enabled in the future (which we might miss).

Re: systemd internal default resolver might leak to Google

Posted: 09 Jun 2019 10:54
by kurotsugi
I haven't followed systemd development recently, but IIRC this mechanism is rarely used, so it should not be a major concern for most of us (i.e. it's not used unless there's no other conf). Personally I prefer not to mess with resolver settings since they're kind of a personal setting for most of us.

Re: systemd internal default resolver might leak to Google

Posted: 09 Jun 2019 16:57
by ilu
The problem is that the present resolve mechanism will get deprecated sooner or later, and then the internal systemd fallback will kick in, which is Google if we don't set a different fallback or none at all.

Re: systemd internal default resolver might leak to Google

Posted: 09 Jun 2019 17:36
by kurotsugi
Perhaps we should hear others' opinions first. Last time I heard, Red Hat is pushing for a local resolver, so the problem AFAIK is a theoretical problem. Even if they use Google DNS instead, Debian is conservative, so it won't happen in the Debian realm soon. Considering the timeline, we will have roughly two years to think carefully until the new Debian gets released.

BTW, which DNS do you think should be used as fallback?

Re: systemd internal default resolver might leak to Google

Posted: 09 Jun 2019 17:38
by Arjen Balfoort
kurotsugi wrote:
09 Jun 2019 17:36
BTW, which DNS do you think should be used as fallback?
You beat me to it! :D

Re: systemd internal default resolver might leak to Google

Posted: 11 Jun 2019 14:44
by ilu
The most common recommendation in the sources I quoted seems to be to set the fallback to an empty string. And if you read the bug report I quoted, you see that there is nothing "conservative" about systemd developers. They don't even see the problem.

And you are right that we still have at least 2 years. It just came to my attention now, and I thought I'd mention it because I will surely forget about it otherwise.

There's also the other DNS problem involving Firefox and Cloudflare which will need a decision soon. That should probably get its own topic to hear opinions.

Re: systemd internal default resolver might leak to Google

Posted: 12 Jun 2019 01:30
by kurotsugi
Last time I heard, Fedora/systemd is pushing the internal resolver, so I believe there won't be a radical decision soon. The fallback DNS is set by "someone" to Google just because they need something which nearly always works in all conditions. AFAIK it should be harmless since the fallback DNS is only used when everything else doesn't work.

Anyway, since it's a DNS-related issue, IMO there's no harm in discussing it here. My personal preference would be using Cloudflare's DNS (1.1.1.1) for performance and security reasons. Though, most of us here would choose OpenDNS instead. That being said, leaving it empty might be a better option.

Re: systemd internal default resolver might leak to Google

Posted: 12 Jun 2019 11:37
by ilu
kurotsugi wrote: that being said, leaving it empty might be a better option.
That was the consensus outside of systemd development if I understood the issue correctly (and I'm not sure about that). If conf is missing, a service should just fail; forcing it to work through some undocumented internal code could lead to nasty consequences under bad circumstances.

Re: systemd internal default resolver might leak to Google

Posted: 13 Jun 2019 00:57
by kurotsugi
That's good for some people like you and me, but most people want things to just work. I mean, it's called fallback for a reason :lol:
Well... my personal choice would be:
1. empty
2. Cloudflare
3. OpenDNS

Re: systemd internal default resolver might leak to Google

Posted: 13 Jun 2019 05:09
by ilu
No, you misunderstand: if some configuration method changes and there is no fallback, the service fails. That's a signal that we need to do something about it, i.e. configure it correctly. This will usually surface in testing. If a fallback just works, we might not notice, and that's bad.

Re: systemd internal default resolver might leak to Google

Posted: 13 Jun 2019 06:12
by kurotsugi
Nope. I think I understand it correctly :3

When someone without technical knowledge connects his device, he expects his device to work OOTB. This is especially true for a new Linux user (which is one of our main markets). Even for someone with proper technical knowledge, it's quite a long step to know which part of his networking stack doesn't work. When DNS fails, you simply can't visit your favourite sites. However, finding that DNS failure is the reason behind that problem is not that easy. DNS is something that is almost guaranteed to work. DNS would be among the last things that need to be checked, after firewall, wrong config file, hardware failure, etc. Let's be honest, do you ever check your DNS settings when you can't visit your favourite sites?

You might not notice it, but even without a specific setting you could still resolve address names. When you connect to a wifi router, your wifi router has its own DNS setting. Even if that didn't work, your ISP still has its own. There are layers that ensure that you could resolve the addresses without touching anything. systemd's fallback mechanism only serves as the last safety net, which, I believe, is almost never used in real situations.

This issue could be used as a sign that whoever wrote systemd doesn't care about privacy and security, but I believe the risk is almost none.

Re: systemd internal default resolver might leak to Google

Posted: 13 Jun 2019 15:03
by ilu
If I say "we" and "us", I mean the team, not the user. We should not be "without technical knowledge", hopefully :mrgreen: If resolve fails during testing, we notice (as long as systemd doesn't interfere) and configure it correctly without affecting anybody but maybe EE folks.

And yeah, we agree on "empty".
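As an added example (not part of the thread, and not systemd's own code): a small shell check that reports whether a resolved.conf-style file leaves FallbackDNS= unset (so the compiled-in fallback list the thread objects to applies), explicitly clears it as the thread agrees on, or names its own servers. The sample files it writes are constructed for the demonstration, not real system configuration.

```shell
#!/bin/sh
# Report how FallbackDNS= is configured in a resolved.conf-style file.
# Output: UNSET (key absent or commented out, so systemd's compiled-in
# fallback list applies), EMPTY (explicitly cleared, no fallback), or
# SET <servers>. Exit status is 1 only for UNSET.
fallback_dns_state() {
    awk '
        # Track the current section; only keys under [Resolve] count.
        /^[[:space:]]*\[/ { in_resolve = ($0 ~ /^[[:space:]]*\[Resolve\][[:space:]]*$/); next }
        in_resolve && /^[[:space:]]*FallbackDNS[[:space:]]*=/ {
            sub(/^[[:space:]]*FallbackDNS[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            found = 1; val = $0          # last assignment wins
        }
        END {
            if (!found)        { print "UNSET"; exit 1 }
            else if (val == "") print "EMPTY"
            else                print "SET " val
        }
    ' "$1"
}

# Constructed sample files (not real system configs) for demonstration.
write_samples() {
    dir="$1"
    printf '[Resolve]\n#FallbackDNS=8.8.8.8 8.8.4.4\n' > "$dir/commented.conf"
    printf '[Resolve]\nFallbackDNS=\n' > "$dir/empty.conf"
    printf '[Resolve]\nFallbackDNS=9.9.9.9\nFallbackDNS = 1.1.1.1 1.0.0.1\n' > "$dir/set.conf"
    printf '[Other]\nFallbackDNS=1.1.1.1\n' > "$dir/wrong-section.conf"
}

samples=$(mktemp -d)
write_samples "$samples"
for f in "$samples"/*.conf; do
    printf '%s: ' "$(basename "$f")"
    fallback_dns_state "$f" || :
done
```

Point it at /etc/systemd/resolved.conf (and any drop-ins under /etc/systemd/resolved.conf.d/) to confirm the fallback is explicitly set rather than left to the built-in default.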