systemd internal default resolver might leak to Google

ilu
Posts: 2495
Joined: 09 Oct 2013 12:45

systemd internal default resolver might leak to Google

Postby ilu » 08 Jun 2019 21:40

Should /etc/systemd/resolved.conf have a setting for FallbackDNS which is not Google (or be left empty?) to ensure that the hardcoded fallback to Google never applies?

https://wiki.debian.org/PrivacyIssues
https://manpages.debian.org/stretch/sys ... .5.en.html
https://wiki.archlinux.org/index.php/Sy ... d#Fallback
https://bugs.launchpad.net/ubuntu/+sour ... ug/1449001
https://bugs.debian.org/cgi-bin/bugrepo ... bug=761658

Even if resolved is not enabled now, there is some hinting that it might become enabled in the future (which we might miss).
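An added example, not code from this thread or from the systemd project: a small POSIX shell audit that classifies a resolved.conf-style file into the three states the question above turns on (key absent, so the compiled-in list applies; key present with an empty value, which disables the fallback; or an explicit server list). It assumes the key lives in the [Resolve] section, that comment lines start with '#' or ';', and that the last assignment wins; the drop-in path named in the comments and the 192.0.2.53 address are placeholders, and the three sample files are constructed in a scratch directory rather than read from /etc.

```shell
#!/bin/sh
# Added example, not code from the SolydXK thread or from systemd.
# Audit a resolved.conf-style file for the FallbackDNS= key and report which
# of three states it is in. The states follow the resolved.conf(5) semantics
# discussed in the thread: no key means the compiled-in list applies, an
# empty value disables the fallback, a non-empty value is an admin choice.
#
# Assumptions: the key lives in the [Resolve] section, '#' and ';' start
# comment lines, and the last assignment wins.

fallback_state() {
    # $1: path to a resolved.conf-style file; prints one of
    #   unset | empty | explicit <servers>
    awk '
        /^[[:space:]]*[#;]/ { next }                 # comment line, not a setting
        /^[[:space:]]*\[/ {                           # section header
            in_resolve = ($0 ~ /^[[:space:]]*\[Resolve\][[:space:]]*$/)
            next
        }
        in_resolve && /^[[:space:]]*FallbackDNS[[:space:]]*=/ {
            sub(/^[[:space:]]*FallbackDNS[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            value = $0
            seen = 1
        }
        END {
            if (!seen)             print "unset"
            else if (value == "")  print "empty"
            else                   print "explicit " value
        }
    ' "$1"
}

# Constructed sample files in a scratch directory (nothing under /etc is touched).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# 1. Stock-style layout: the key is only present as a comment, so nothing
#    overrides the compiled-in list. This is the case the thread worries about.
cat > "$demo_dir/stock.conf" <<'EOF'
[Resolve]
#DNS=
#FallbackDNS=
EOF

# 2. Hardened drop-in, the "empty" option the thread settles on. On a real
#    system this content would go in a file under /etc/systemd/resolved.conf.d/
#    (placeholder path) or into resolved.conf itself, followed by a restart
#    of systemd-resolved.
cat > "$demo_dir/hardened.conf" <<'EOF'
[Resolve]
FallbackDNS=
EOF

# 3. Explicit fallback chosen by the admin; 192.0.2.53 is a documentation
#    address (RFC 5737) standing in for whichever resolver a team picks.
cat > "$demo_dir/explicit.conf" <<'EOF'
[Resolve]
FallbackDNS=192.0.2.53
EOF

for f in stock hardened explicit; do
    printf '%-9s -> %s\n' "$f" "$(fallback_state "$demo_dir/$f.conf")"
done
```

Run as-is to see the three verdicts. To check a live system, call fallback_state on /etc/systemd/resolved.conf and on each file under /etc/systemd/resolved.conf.d/, bearing in mind that drop-ins are read after the main file and override it; "unset" is the state to look for, since a commented-out key looks configured at a glance but leaves the compiled-in list in force.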

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: systemd internal default resolver might leak to Google

Postby kurotsugi » 09 Jun 2019 10:54

I haven't followed systemd development recently, but IIRC this mechanism is rarely used, so it should not be a major concern for most of us (i.e. it's not used unless there's no other conf). Personally I prefer not to mess with resolver settings, since they are kind of a personal setting for most of us.

ilu
Posts: 2495
Joined: 09 Oct 2013 12:45

Re: systemd internal default resolver might leak to Google

Postby ilu » 09 Jun 2019 16:57

The problem is that the present resolve mechanism will get deprecated sooner or later, and then the internal systemd fallback will kick in, which is Google if we don't set a different fallback or none at all.

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: systemd internal default resolver might leak to Google

Postby kurotsugi » 09 Jun 2019 17:36

Perhaps we should hear others' opinions first. Last time I heard, Red Hat is pushing for a local resolver, so the problem AFAIK is a theoretical problem. Even if they use Google DNS instead, Debian is conservative, so it won't happen in the Debian realm soon. Considering the timeline, we will have roughly two years to think carefully until the new Debian gets released.

BTW, which DNS do you think should be used as fallback?

Arjen Balfoort
Site Admin
Posts: 9283
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: systemd internal default resolver might leak to Google

Postby Arjen Balfoort » 09 Jun 2019 17:38

kurotsugi wrote (09 Jun 2019 17:36):
BTW, which DNS do you think should be used as fallback?

You beat me to it! :D

ilu
Posts: 2495
Joined: 09 Oct 2013 12:45

Re: systemd internal default resolver might leak to Google

Postby ilu » 11 Jun 2019 14:44

The most common recommendation in the sources I quoted seems to be to set the fallback to an empty string. And if you read the bug report I quoted, you see that there is nothing "conservative" about systemd developers. They don't even see the problem.

And you are right that we still have at least 2 years. It just came to my attention now, and I thought I'd mention it because I will surely forget about it otherwise.

There's also the other DNS problem involving Firefox and Cloudflare which will need a decision soon. That should probably get its own topic to hear opinions.

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: systemd internal default resolver might leak to Google

Postby kurotsugi » 12 Jun 2019 01:30

Last time I heard, Fedora/systemd is pushing the internal resolver, so I believe there won't be a radical decision soon. The fallback DNS is set by "someone" to Google just because they need something which nearly always works in all conditions. AFAIK it should be harmless, since the fallback DNS is only used when everything else doesn't work.

Anyway, since it's a DNS-related issue, IMO there's no harm in discussing it here. My personal preference would be using Cloudflare's DNS (1.1.1.1) for performance and security reasons. Though most of us here would choose OpenDNS instead. That being said, leaving it empty might be a better option.

ilu
Posts: 2495
Joined: 09 Oct 2013 12:45

Re: systemd internal default resolver might leak to Google

Postby ilu » 12 Jun 2019 11:37

kurotsugi wrote: That being said, leaving it empty might be a better option.

That was the consensus outside of systemd development, if I understood the issue correctly (and I'm not sure about that). If the conf is missing, a service should just fail - forcing it to work through some undocumented internal code could lead to nasty consequences under bad circumstances.

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: systemd internal default resolver might leak to Google

Postby kurotsugi » 13 Jun 2019 00:57

That's good for some people like you and me, but most people want things that just work. I mean, it's called fallback for a reason :lol:
Well... my personal choice would be:
1. empty
2. Cloudflare
3. OpenDNS

ilu
Posts: 2495
Joined: 09 Oct 2013 12:45

Re: systemd internal default resolver might leak to Google

Postby ilu » 13 Jun 2019 05:09

No, you misunderstand: if some configuration method changes and there is no fallback, the service fails - that's a signal that we need to do something about it, i.e. configure it correctly. This will usually surface in testing. If a fallback just works, we might not notice, and that's bad.

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: systemd internal default resolver might leak to Google

Postby kurotsugi » 13 Jun 2019 06:12

Nope. I think I understand it correctly :3

When someone without technical knowledge connects his device, he expects his device to work OOTB. This is especially true for a new Linux user (which is one of our main markets). Even for someone with proper technical knowledge, it's quite a long step to know which part of his networking stack doesn't work. When DNS fails, you simply can't visit your favourite sites. However, finding that DNS failure is the reason behind that problem is not that easy. DNS is something that is almost guaranteed to work. DNS would be among the last things that need to be checked, after firewall, wrong config file, hardware failure, etc. Let's try to be honest: do you ever check your DNS settings when you can't visit your favourite sites?

You might not notice it, but even without a specific setting you could still resolve address names. When you connect to a wifi router, your wifi router has its own DNS setting. Even if that didn't work, your ISP still has its own. There are layers that ensure that you could resolve the addresses without touching anything. systemd's fallback mechanism only serves as the last safety net, which, I believe, is almost never used in real situations.

This issue could be taken as a sign that whoever wrote systemd doesn't care about privacy and security, but I believe the risk is almost none.

ilu
Posts: 2495
Joined: 09 Oct 2013 12:45

Re: systemd internal default resolver might leak to Google

Postby ilu » 13 Jun 2019 15:03

If I say "we" and "us", I mean the team, not the user. We should not be "without technical knowledge" - hopefully :mrgreen: If resolve fails during testing, we notice (as long as systemd doesn't interfere) and configure it correctly without affecting anybody but maybe EE folks.

And yeah, we agree on "empty".
