Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-17 Thread Harald Hoyer
On 07.12.2015 20:57, Paul Wouters wrote: > On Mon, 7 Dec 2015, Matthew Miller wrote: > >> I read your whole post. Those possibilities seem pretty limited, from >> the point of view of serious regressions in Fedora usability. It isn't >> that I "like" Fedora being less than technically correct

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-17 Thread Miroslav Grepl
On 12/17/2015 10:19 AM, Harald Hoyer wrote: > On 07.12.2015 20:57, Paul Wouters wrote: >> On Mon, 7 Dec 2015, Matthew Miller wrote: >> >>> I read your whole post. Those possibilities seem pretty limited, from >>> the point of view of serious regressions in Fedora usability. It isn't >>> that I

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-16 Thread Neal Becker
P J P wrote: >> On Wednesday, 2 December 2015 6:33 PM, Neal Becker wrote: > >>> https://bugzilla.redhat.com/show_bug.cgi?id=1287607 > > > Thank you for filing the bug. > > >> * howto prevent dnsmasq from starting (right now I'm just manually >> killing it for testing) > > # systemctl

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-16 Thread Richard Z
On Mon, Dec 07, 2015 at 12:23:34PM +0100, Lennart Poettering wrote: > On Mon, 07.12.15 10:48, Tomas Hozza (tho...@redhat.com) wrote: > > > On 04.12.2015 15:57, Lennart Poettering wrote: > > > On Tue, 01.12.15 11:15, Tomas Hozza (tho...@redhat.com) wrote: > > As you've said, this is basically an

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-16 Thread Neal Becker
Tomasz Torcz wrote: > On Wed, Dec 16, 2015 at 09:33:18AM -0500, Neal Becker wrote: >> P J P wrote: >> >> >> On Wednesday, 2 December 2015 6:33 PM, Neal Becker wrote: >> > >> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1287607 >> > >> > >> > Thank you for filing the bug. >> > >> > >>

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-16 Thread Tomasz Torcz
On Wed, Dec 16, 2015 at 09:33:18AM -0500, Neal Becker wrote: > P J P wrote: > > >> On Wednesday, 2 December 2015 6:33 PM, Neal Becker wrote: > > > >>> https://bugzilla.redhat.com/show_bug.cgi?id=1287607 > > > > > > Thank you for filing the bug. > > > > > >> * howto prevent dnsmasq from

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-16 Thread Dan Williams
On Wed, 2015-12-16 at 10:45 -0500, Neal Becker wrote: > Tomasz Torcz wrote: > > > On Wed, Dec 16, 2015 at 09:33:18AM -0500, Neal Becker wrote: > > > P J P wrote: > > > > > > > > On Wednesday, 2 December 2015 6:33 PM, Neal Becker wrote: > > > > > > > > > >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-15 Thread Neal Becker
>>> Really, the biggest issue people fear is their split view DNS. Which is >>> easily solved by extending the concept of firewalld zones into Network >>> Manager, and always use broken DNS forwarders on "trusted networks". >> >> Hmmm... "easily solved" is not "solved": >> * Has this "biggest

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-14 Thread Paul Wouters
On 12/12/2015 09:11 PM, Oron Peled wrote: > On Friday 11 December 2015 09:09:28 Paul Wouters wrote: >> On 12/09/2015 06:02 PM, Oron Peled wrote: >>> Why don't we plan this feature in two stages: >>> * Fedora 24: turn it on by default, but *keep using results* from bad DNS >>> servers, >>>

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-14 Thread Oron Peled
On Monday 14 December 2015 09:34:56 Paul Wouters wrote: > On 12/12/2015 09:11 PM, Oron Peled wrote: > > Still, IMO, the goal to warn users can be achieved quite easily. Two > > examples from the top of my head. > > 1. log + notify: > >* The information may be logged with special prefix (or

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-14 Thread Paul Wouters
On 12/14/2015 04:26 PM, Oron Peled wrote: >>> 2. dbus: >>>* The local DNS server would send specific DBUS signal (e.g: >>> net.dnsseq.InsecureDNSReply). >>>* A desktop process would listen on these signals and show proper >>> desktop notification. >> >> But these solutions can quickly

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-12 Thread Oron Peled
On Friday 11 December 2015 09:09:28 Paul Wouters wrote: > On 12/09/2015 06:02 PM, Oron Peled wrote: > > Why don't we plan this feature in two stages: > > * Fedora 24: turn it on by default, but *keep using results* from bad DNS > > servers, > >just issue a user-visible warning, possibly with

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-11 Thread Paul Wouters
On 12/09/2015 06:02 PM, Oron Peled wrote: > Why don't we plan this feature in two stages: > * Fedora 24: turn it on by default, but *keep using results* from bad DNS > servers, >just issue a user-visible warning, possibly with a link to a page with > friendly >explanation and

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-11 Thread Reindl Harald
Am 11.12.2015 um 15:09 schrieb Paul Wouters: On 12/09/2015 06:02 PM, Oron Peled wrote: Why don't we plan this feature in two stages: * Fedora 24: turn it on by default, but *keep using results* from bad DNS servers, just issue a user-visible warning, possibly with a link to a page

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-11 Thread Jiri Eischmann
Paul Wouters píše v St 09. 12. 2015 v 13:37 -0500: > On 12/09/2015 01:04 PM, Debarshi Ray wrote: > > On Mon, Dec 07, 2015 at 10:48:55AM +0100, Tomas Hozza wrote: > > > On 04.12.2015 15:57, Lennart Poettering wrote: > > > > How do other popular desktop/consumer OSes deal with this? > > > > Windows,

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-11 Thread Ralf Corsepius
On 12/11/2015 05:25 PM, Jiri Eischmann wrote: So my worry is that we would be an OS which is more secure than others, but doesn't work in many networks. If something doesn't work reliably, the logical consequence to me would be to keep it strictly optional (opt-in) and not to make it default.

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-11 Thread Leon Tester
Test > On Dec 11 2015, at 5:08 pm, Ralf Corsepius rc040...@freenet.de wrote: > > On 12/11/2015 05:25 PM, Jiri Eischmann wrote: > > So my worry is that we would be an OS which is more secure than others, but doesn't work in many networks. If something doesn't work reliably, the logical

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-10 Thread Petr Spacek
On 10.12.2015 00:02, Oron Peled wrote: > On Wednesday 09 December 2015 13:37:12 Paul Wouters wrote: >> On 12/09/2015 01:04 PM, Debarshi Ray wrote: >>> Since this is likely to break networking on a lot of client-side systems, I >>> would have expected you to do this research before submitting it

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-09 Thread Debarshi Ray
On Mon, Dec 07, 2015 at 10:48:55AM +0100, Tomas Hozza wrote: > On 04.12.2015 15:57, Lennart Poettering wrote: > > How do other popular desktop/consumer OSes deal with this? Windows, > > MacOS, iOS, Android, ChromeOS? Does any of them do client-side DNSSEC > > validation by default and how are they

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-09 Thread Fabio Alessandro Locati
2015-12-09 19:04 GMT+01:00 Debarshi Ray : > On Mon, Dec 07, 2015 at 10:48:55AM +0100, Tomas Hozza wrote: >> On 04.12.2015 15:57, Lennart Poettering wrote: >> > How do other popular desktop/consumer OSes deal with this? Windows, >> > MacOS, iOS, Android, ChromeOS? Does any of

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-09 Thread Paul Wouters
On 12/09/2015 01:04 PM, Debarshi Ray wrote: > On Mon, Dec 07, 2015 at 10:48:55AM +0100, Tomas Hozza wrote: >> On 04.12.2015 15:57, Lennart Poettering wrote: >>> How do other popular desktop/consumer OSes deal with this? Windows, MacOS, >>> iOS, Android, ChromeOS? Does any of them do client-side

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-09 Thread Oron Peled
On Wednesday 09 December 2015 13:37:12 Paul Wouters wrote: > On 12/09/2015 01:04 PM, Debarshi Ray wrote: > > Since this is likely to break networking on a lot of client-side systems, I > > would have expected you to do this research before submitting it as a System > > Wide Change. > > We did.

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-08 Thread Reindl Harald
Am 08.12.2015 um 10:25 schrieb Petr Spacek: On 8.12.2015 09:41, Gerd Hoffmann wrote: Hi, Start moving away from split DNS because that's going to be very hard to support. Seriously? How do you suggest to handle DNS for my 192.168.2.0/24 home network then? Making the forward zone for

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-08 Thread Petr Spacek
On 8.12.2015 09:41, Gerd Hoffmann wrote: > Hi, > >> Start moving away from >> split DNS because that's going to be very hard to support. > > Seriously? How do you suggest to handle DNS for my 192.168.2.0/24 home > network then? Making the forward zone for home.kraxel.org public would > at

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-08 Thread Gerd Hoffmann
Hi, > Start moving away from > split DNS because that's going to be very hard to support. Seriously? How do you suggest to handle DNS for my 192.168.2.0/24 home network then? Making the forward zone for home.kraxel.org public would at least work, although I fail to see the point in having

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-08 Thread Florian Weimer
On 12/07/2015 09:40 PM, Paul Wouters wrote: > On Mon, 7 Dec 2015, Florian Weimer wrote: > >>> Clearly, fedora cannot be changed to hijack a real domain, so >>> Fritzbox better >>> solve this quickly with an update, even if no one actually will >>> update their >>> router :( >> >> Well, AVM could

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-08 Thread Petr Spacek
On 7.12.2015 20:35, Lennart Poettering wrote: > On Mon, 07.12.15 15:31, Björn Persson (Bjorn@rombobjörn.se) wrote: > >> Lennart Poettering wrote: >>> You *have* to use the local DNS servers by default, even if they are >>> crap. >> >> I for one want my laptop to be

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Matthew Miller
On Mon, Dec 07, 2015 at 10:17:20AM +0100, Tomas Hozza wrote: > > Older Netgear routers also used http://routerlogin.net before they were > > set up. > If they don't own the domain, then this is simply hijacking of domain > name space, which is not owned by them. It is expected, that these >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Tomas Hozza
On 07.12.2015 12:23, Lennart Poettering wrote: > On Mon, 07.12.15 10:48, Tomas Hozza (tho...@redhat.com) wrote: > >> On 04.12.2015 15:57, Lennart Poettering wrote: >>> On Tue, 01.12.15 11:15, Tomas Hozza (tho...@redhat.com) wrote: >>> You are not mistaken. This is the third time,

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Tomas Hozza
On 07.12.2015 14:52, Matthew Miller wrote: > On Mon, Dec 07, 2015 at 12:23:34PM +0100, Lennart Poettering wrote: > >> As you've said, this is basically an attack and hijacking of someone's > >> else domain name space. It is not correct and it is not expected that > >> this will work with DNSSEC.

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Björn Persson
Lennart Poettering wrote: > You *have* to use the local DNS servers by default, even if they are > crap. I for one want my laptop to be suspicious of random DNS servers it encounters in public places, and bypass them if they're found to be lying. I also want to be able to

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Richard Hughes
On 7 December 2015 at 14:04, Tomas Hozza wrote: > I took this conversation as a means for improvement. When an email is titled "F24 System Wide Change" I think a lot of people (like me) were under the impression you wanted this to be a new feature in Fedora 24. Richard. --

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Matthew Miller
On Mon, Dec 07, 2015 at 03:04:06PM +0100, Tomas Hozza wrote: > > On Mon, Dec 07, 2015 at 02:59:18PM +0100, Tomas Hozza wrote: > > >> I agree with Lennart. Whether or not this is expected to work with > > >> DNSSEC is of academic interest given that people will expect it to work > > >> with _their

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Tomas Hozza
On 07.12.2015 15:15, Richard Hughes wrote: > On 7 December 2015 at 14:04, Tomas Hozza wrote: >> I took this conversation as a means for improvement. > > When an email is titled "F24 System Wide Change" I think a lot of > people (like me) were under the impression you wanted

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Pádraig Brady
On 01/12/15 15:59, Randy Barlow wrote: > This sounds overall pretty neat to me! One detail came to my mind: how > would this interact with VPN DNS servers? In my experience with VPNs, > it's common for them to provide a DNS server that allows internal host > resolution to work. Would this local

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Andrew Lutomirski
On Dec 7, 2015 1:49 AM, "Tomas Hozza" wrote: > > On 04.12.2015 15:57, Lennart Poettering wrote: > > On Tue, 01.12.15 11:15, Tomas Hozza (tho...@redhat.com) wrote: > > > >> You are not mistaken. > >> > >> This is the third time, because previously we rather moved the change to

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Lennart Poettering
On Mon, 07.12.15 13:25, Gerd Hoffmann (kra...@redhat.com) wrote: > Hi, > > > Quite frankly: a setup like this one isn't just very typical for home > > router networks, but also in many companies, where ".lan" or > > ".companyname" or something like that is frequently established in the > >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Matthew Miller
On Mon, Dec 07, 2015 at 02:59:18PM +0100, Tomas Hozza wrote: > > I agree with Lennart. Whether or not this is expected to work with > > DNSSEC is of academic interest given that people will expect it to work > > with _their computers_, regardless of what they're running. > I guess next time I'll

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Tomas Hozza
On 07.12.2015 15:00, Matthew Miller wrote: > On Mon, Dec 07, 2015 at 02:59:18PM +0100, Tomas Hozza wrote: > >> I agree with Lennart. Whether or not this is expected to work with > >> DNSSEC is of academic interest given that people will expect it to work > >> with _their computers_, regardless of

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Björn Persson
Lennart Poettering wrote: > in germany "Fritzbox" wifi routers are very > popular. Their configuration page is reachable under the "fritz.box" > pseudo-domain from inside their wifi network, and all other systems on > the network are also reachable below this domain under

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Matthew Miller
On Mon, Dec 07, 2015 at 12:23:34PM +0100, Lennart Poettering wrote: > > As you've said, this is basically an attack and hijacking of someone's > > else domain name space. It is not correct and it is not expected that > > this will work with DNSSEC. > Humm, I find that way too cavalier... I am

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Reindl Harald
Am 07.12.2015 um 15:56 schrieb Pádraig Brady: On 01/12/15 15:59, Randy Barlow wrote: This sounds overall pretty neat to me! One detail came to my mind: how would this interact with VPN DNS servers? In my experience with VPNs, it's common for them to provide a DNS server that allows internal

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Tomas Hozza
On 07.12.2015 16:44, Andrew Lutomirski wrote: > > On Dec 7, 2015 1:49 AM, "Tomas Hozza" > wrote: > > > > On 04.12.2015 15:57, Lennart Poettering wrote: > > > On Tue, 01.12.15 11:15, Tomas Hozza (tho...@redhat.com > > > )

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Tomas Hozza
On 05.12.2015 18:57, Florian Weimer wrote: > On 11/30/2015 05:14 PM, Jan Kurik wrote: >> We want to have Unbound server installed and running on localhost by >> default on Fedora systems. Where necessary, have also dnssec-trigger >> installed and running by default > > Would someone please

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Lennart Poettering
On Mon, 07.12.15 10:48, Tomas Hozza (tho...@redhat.com) wrote: > On 04.12.2015 15:57, Lennart Poettering wrote: > > On Tue, 01.12.15 11:15, Tomas Hozza (tho...@redhat.com) wrote: > > > >> You are not mistaken. > >> > >> This is the third time, because previously we rather moved the change to >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Gerd Hoffmann
Hi, > Quite frankly: a setup like this one isn't just very typical for home > router networks, but also in many companies, where ".lan" or > ".companyname" or something like that is frequently established in the > internal network. And you will make Fedora incompatible with all these > networks

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Lennart Poettering
On Mon, 07.12.15 10:15, Tomas Hozza (tho...@redhat.com) wrote: > On 05.12.2015 18:57, Florian Weimer wrote: > > On 11/30/2015 05:14 PM, Jan Kurik wrote: > >> We want to have Unbound server installed and running on localhost by > >> default on Fedora systems. Where necessary, have also

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Scott Schmit
On Mon, Dec 07, 2015 at 04:12:20PM +0100, Lennart Poettering wrote: > On Mon, 07.12.15 13:25, Gerd Hoffmann (kra...@redhat.com) wrote: > > > Quite frankly: a setup like this one isn't just very typical for home > > > router networks, but also in many companies, where ".lan" or > > > ".companyname"

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Lennart Poettering
On Mon, 07.12.15 17:23, Tomas Hozza (tho...@redhat.com) wrote: > > Can you elaborate a bit? Is the intent that, if .box were private, then > > .box would be forwarded to DHCP-provided resolvers regardless of whether > > those resolvers were functional when asking for DNSSEC signature data? > >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Lennart Poettering
On Mon, 07.12.15 15:31, Björn Persson (Bjorn@rombobjörn.se) wrote: > Lennart Poettering wrote: > > You *have* to use the local DNS servers by default, even if they are > > crap. > > I for one want my laptop to be suspicious of random DNS servers it > encounters in public

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Andrew Lutomirski
On Mon, Dec 7, 2015 at 11:31 AM, Lennart Poettering wrote: > On Mon, 07.12.15 17:23, Tomas Hozza (tho...@redhat.com) wrote: > >> > Can you elaborate a bit? Is the intent that, if .box were private, then >> > .box would be forwarded to DHCP-provided resolvers regardless of

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Lennart Poettering wrote: Hmm? If I work for a company "Foo Corp" that defined .foocorp as its private TLD, then I won't be able to access servers in that local network until I added .foocorp to a local whitelist Foo Corp should not have done that. If you had picked .hotel

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Reindl Harald
Am 07.12.2015 um 20:48 schrieb Paul Wouters: Move your own domains within one of your real legitimate domains, and you have the freedom to do whatever you want. Start moving away from split DNS because that's going to be very hard to support. that's simply not possible for every environment

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Matthew Miller wrote: I read your whole post. Those possibilities seem pretty limited, from the point of view of serious regressions in Fedora usability. It isn't that I "like" Fedora being less than technically correct (especially around security-related features), but I

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Florian Weimer
On 12/07/2015 08:31 PM, Lennart Poettering wrote: > Hmm? If I work for a company "Foo Corp" that defined .foocorp as its > private TLD, then I won't be able to access servers in that local > network until I added .foocorp to a local whitelist, is that what you > are saying? Or do you want to ship

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Florian Weimer
On 12/07/2015 07:21 PM, Paul Wouters wrote: > Well, there is going to be a very interesting lawsuit about damage then > because in a few months .box will be live run by a Hong Kong company > called "NS1 Limited" > > https://www.icann.org/resources/agreement/box-2015-11-12-en > > .box

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Lennart Poettering wrote: In case this is blocked on the network, Unbound is configured to tunnel the DNS queries to Fedora public infrastructure over TCP (80, 443) or SSL (443), in which case this is similar to the first situation, when Unbound forwards queries to the

Fwd: Re: F24 System Wide Change: Default Local DNS Resolver (fwd)

2015-12-07 Thread Paul Wouters
(resending - looks like my @redhat.com is not subscribed) On 12/07/2015 04:48 AM, Tomas Hozza wrote: So, here's a question: in germany "Fritzbox" wifi routers are very popular. Their configuration page is reachable under the "fritz.box" pseudo-domain from inside their wifi network, and all

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Florian Weimer wrote: Clearly, fedora cannot be changed to hijack a real domain, so Fritzbox better solve this quickly with an update, even if no one actually will update their router :( Well, AVM could just register fritz.box and leave it unsigned, which solves the

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Reindl Harald
Am 07.12.2015 um 21:40 schrieb Paul Wouters: On Mon, 7 Dec 2015, Florian Weimer wrote: Clearly, fedora cannot be changed to hijack a real domain, so Fritzbox better solve this quickly with an update, even if no one actually will update their router :( Well, AVM could just register

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Oron Peled
On Monday 07 December 2015 14:57:36 Paul Wouters wrote: > But you gain nothing with waiting. There is no "fix" to wait for. Those > stolen domains are broken and they will start to fail. The only difference > could be that fedora won't be the first where this breaks on, but I > thought "First" was

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Björn Persson
Lennart Poettering wrote: > On Mon, 07.12.15 15:31, Björn Persson (Bjorn@rombobjörn.se) wrote: > > > Lennart Poettering wrote: > > > You *have* to use the local DNS servers by default, even if they are > > > crap. > > > > I for one want my laptop to

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On 12/07/2015 04:48 AM, Tomas Hozza wrote: >> So, here's a question: in germany "Fritzbox" wifi routers are very >> popular. Their configuration page is reachable under the "fritz.box" >> pseudo-domain from inside their wifi network, and all other systems on >> the network are also reachable below

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Scott Schmit
On Mon, Dec 07, 2015 at 08:49:03AM -0500, Matthew Miller wrote: > On Mon, Dec 07, 2015 at 10:17:20AM +0100, Tomas Hozza wrote: > > > Older Netgear routers also used http://routerlogin.net before they were > > > set up. > > If they don't own the domain, then this is simply hijacking of domain > >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-05 Thread Florian Weimer
On 12/04/2015 09:46 PM, Dan Williams wrote: > On Fri, 2015-12-04 at 16:09 +0100, Timotheus Pokorra wrote: >>> is deployed in probably half of the homes in Germany... Also I am >>> pretty sure other routers from other manufacturers do the same >>> thing. Now, if we default to DNSSEC validation

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-05 Thread Florian Weimer
On 11/30/2015 05:14 PM, Jan Kurik wrote: > We want to have Unbound server installed and running on localhost by > default on Fedora systems. Where necessary, have also dnssec-trigger > installed and running by default Would someone please clarify the proposal if Unbound would run as a forwarder,

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-04 Thread Lennart Poettering
On Tue, 01.12.15 11:15, Tomas Hozza (tho...@redhat.com) wrote: > You are not mistaken. > > This is the third time, because previously we rather moved the change to the > next Fedora to bring better user experience. Every time there was something > enhanced, since we learned a lot about user

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-04 Thread Timotheus Pokorra
> is deployed in probably half of the homes in Germany... Also I am > pretty sure other routers from other manufacturers do the same > thing. Now, if we default to DNSSEC validation soon, does this mean Same for Vodafone Routers in Germany: I go to http://easy.box to configure my router. -- devel

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-04 Thread Björn Esser
And some German Cable-ISP uses kabel.box across all their CPE devices. Am 04.12.2015 16:09 schrieb Timotheus Pokorra : > > > is deployed in probably half of the homes in Germany... Also I am > > pretty sure other routers from other manufacturers do the same

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-04 Thread Dan Williams
On Fri, 2015-12-04 at 16:09 +0100, Timotheus Pokorra wrote: > > is deployed in probably half of the homes in Germany... Also I am > > pretty sure other routers from other manufacturers do the same > > thing. Now, if we default to DNSSEC validation soon, does this mean > > Same for Vodafone

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-02 Thread P J P
> On Wednesday, 2 December 2015 6:33 PM, Neal Becker wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=1287607 Thank you for filing the bug. > * howto prevent dnsmasq from starting (right now I'm just manually killing > it for testing) # systemctl disable dnsmasq > * howto get

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-02 Thread Tomas Hozza
On 02.12.2015 14:03, Neal Becker wrote: > Neal Becker wrote: > >> P J P wrote: >> >>> Hello Neal, >>> On Wednesday, 2 December 2015 1:03 AM, Neal Becker wrote: For example, when I'm at work, I can access hostA.work.com where resolving hostA only works by talking to

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-02 Thread Neal Becker
P J P wrote: > Hello Neal, > >> On Wednesday, 2 December 2015 1:03 AM, Neal Becker wrote: >> For example, when I'm at work, I can access hostA.work.com >> where resolving hostA only works by talking to dnsserverA.work.com, >> which was setup by the usual dhcp and then when I'm at home >> >>

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-02 Thread Neal Becker
P J P wrote: > Hello Neal, > >> On Wednesday, 2 December 2015 1:03 AM, Neal Becker wrote: >> For example, when I'm at work, I can access hostA.work.com >> where resolving hostA only works by talking to dnsserverA.work.com, >> which was setup by the usual dhcp and then when I'm at home >> >>

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-02 Thread Neal Becker
Neal Becker wrote: > P J P wrote: > >> Hello Neal, >> >>> On Wednesday, 2 December 2015 1:03 AM, Neal Becker wrote: >>> For example, when I'm at work, I can access hostA.work.com >>> where resolving hostA only works by talking to dnsserverA.work.com, >>> which was setup by the usual dhcp and

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Paul Wouters
On Tue, 1 Dec 2015, Randy Barlow wrote: This sounds overall pretty neat to me! One detail came to my mind: how would this interact with VPN DNS servers? In my experience with VPNs, it's common for them to provide a DNS server that allows internal host resolution to work. Would this local

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread P J P
Hello Neal, > On Wednesday, 2 December 2015 1:03 AM, Neal Becker wrote: > For example, when I'm at work, I can access hostA.work.com > where resolving hostA only works by talking to dnsserverA.work.com, > which was setup by the usual dhcp and then when I'm at home > > google.com is resolved as

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Neal Becker
I think in order to make dnssec/local resolver the default, it should be required to work for a naive user who works in a changing environment such as: moving between work, which has its own private dns and home, which has usual, public dns without that user needing to understand anything

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread P J P
Hello Vit, > On Tuesday, 1 December 2015 1:45 PM, Vít Ondruch wrote: > > If I am not mistaken, this is at least 3rd time this change is proposed. > Can somebody post some short summary what was changed, that you believe > it will be successful this time? True, it was postponed couple of times

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Tomas Hozza
You are not mistaken. This is the third time, because previously we rather moved the change to the next Fedora to bring better user experience. Every time there was something enhanced, since we learned a lot about user use-cases, so this is definitely not the same change as before, only the root

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Vít Ondruch
If I am not mistaken, this is at least 3rd time this change is proposed. Can somebody post some short summary what was changed, that you believe it will be successful this time? Thx Vít Dne 30.11.2015 v 17:14 Jan Kurik napsal(a): > = Default Local DNS Resolver = >

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Björn Persson
Tomas Hozza wrote: > - dnssec-trigger does not do the Captive Portal detection and handling and > we rather rely on NM for the detection and on Gnome Shell for the Portal > login Can I assume that users of non-Gnome desktops will also be able to log in to a portal if they

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Tomas Hozza
On 01.12.2015 16:06, Björn Persson wrote: > Tomas Hozza wrote: > > - dnssec-trigger does not do the Captive Portal detection and handling and > > we rather rely on NM for the detection and on Gnome Shell for the Portal > > login > > Can I assume that users of non-Gnome

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Randy Barlow
This sounds overall pretty neat to me! One detail came to my mind: how would this interact with VPN DNS servers? In my experience with VPNs, it's common for them to provide a DNS server that allows internal host resolution to work. Would this local resolver be notified by NM of a new VPN

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Tomas Mraz
On Út, 2015-12-01 at 11:15 +0100, Tomas Hozza wrote: > You are not mistaken. > > This is the third time, because previously we rather moved the change to the > next Fedora to bring better user experience. Every time there was something > enhanced, since we learned a lot about user use-cases, so

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Tomas Hozza
On 01.12.2015 13:28, Tomas Mraz wrote: > On Út, 2015-12-01 at 11:15 +0100, Tomas Hozza wrote: > > You are not mistaken. > > > > This is the third time, because previously we rather moved the change to the > > next Fedora to bring better user experience. Every time there was something > > enhanced,

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Paul Wouters
On Tue, 1 Dec 2015, Björn Persson wrote: Tomas Hozza wrote: - dnssec-trigger does not do the Captive Portal detection and handling and we rather rely on NM for the detection and on Gnome Shell for the Portal login Can I assume that users of non-Gnome desktops will also

F24 System Wide Change: Default Local DNS Resolver

2015-11-30 Thread Jan Kurik
= Default Local DNS Resolver = https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver Change owner(s): * P J P * Pavel Šimerda * Tomas Hozza * Petr Špaček Plain DNS protocol is insecure and therefore vulnerable to various attacks (e.g. cache poisoning). A client can never be

F24 System Wide Change: Default Local DNS Resolver

2015-11-30 Thread Jan Kurik
= Default Local DNS Resolver = https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver Change owner(s): * P J P * Pavel Šimerda * Tomas Hozza * Petr Špaček Plain DNS protocol is insecure and therefore vulnerable to various attacks (e.g. cache poisoning). A client can never be

Re: F24 System Wide Change: Default Local DNS Resolver

2015-11-30 Thread Russell Doty
Is DNS by itself sufficient, or should we also address other network facing capabilities with security impact such as secure time? On Mon, 2015-11-30 at 17:14 +0100, Jan Kurik wrote: > = Default Local DNS Resolver = > https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver > > Change

Re: F24 System Wide Change: Default Local DNS Resolver

2015-11-30 Thread P J P
Hello Russell, > On Tuesday, 1 December 2015 12:21 AM, Russell Doty wrote: >> Is DNS by itself sufficient, or should we also address other network > facing capabilities with security impact such as secure time? Yes, we could do that. But that would have to be an independent Change request. ---

Re: F24 System Wide Change: Default Local DNS Resolver

2015-11-30 Thread Steve Grubb
On Monday, November 30, 2015 01:50:54 PM Russell Doty wrote: > Is DNS by itself sufficient, or should we also address other network > facing capabilities with security impact such as secure time? The use case for the dnscache_test is to look for evidence of a system trying to reach a known