On Tue, Sep 29, 2020 at 4:00 AM Lennart Poettering <mzerq...@0pointer.de>
wrote:

> On Di, 29.09.20 03:49, John M. Harris Jr (joh...@splentity.com) wrote:
>
> > Search domains have absolutely nothing to do with routing. Search
> > domains are specifically used for resolving non-FQDN to FQDN. This
> > isn't a reliable way to see what domains are handled by a VPN, or by
> > any DNS server.
> >
> > The Red Hat VPN is a good example of this, as not every internal
> > subdomain is in search domains. That's the case for many VPNs,
> > corporate or personal.
>
> Please read what I wrote: we have nothing better. And no it's not a
> perfectly complete solution, I am aware of that. Configure the routes
> explicitly if you want, it's easy, and add the extra domains to the
> per-interface route and all will be jolly. If you don't, then things
> will still work, but mean that queries that aren't listed in any
> search domains will be sent to both the VPN and the main iface DNS,
> thus the RH VPN will work perfectly fine — only drawback is that
> those internal domains not listed as search domains might be seen on
> the internet. But what would you expect to happen here? If you don't tell us
> the routing we cannot do fully perfect routing to your wishes, you
> need to give us something.
>
> Search domains on VPNs are an indicator that these domains are handled
> by the VPN, that's why we use them also as routing domains. But this
> doesn't mean they're the *only* routing domains we use. We use the ones
> you configure, primarily. But since the concept didn't previously exist
> we make the best from what we have.
>

These heuristics seem fairly problematic, but this is solvable.  Fedora has
a considerable amount of influence on GNOME and NetworkManager.  How about
adjusting the UI to actually cover these cases? The idea that the VPN
configuration would go off into the weeds if a new checkbox showed up seems
silly — setting up a VPN is fundamentally a power user operation.

This could all be first class parts of VPN config. There could be a set of
options: use this VPN to look up all DNS domains or use this VPN to look up
the following domains. Each domain in the list could have an optional
indication that the user *also* wants it to be a “search domain” to get the
behavior that a query with no trailing dot will try that domain as a
suffix.  And the behavior of broadcasting queries in parallel to the
non-VPN network should be configurable as well.  As someone who has
configured corporate and personal VPNs, I would have made use of these
options, and my various VPNs would all be configured differently.

Right now we have a situation where the underlying system is quite
configurable, but (in networking and elsewhere) GNOME likes to hide
detailed configuration in gsettings or otherwise make it very hard to
discover.  For things like touchpad config, I respect GNOME’s goal of
keeping it simple even if I disagree. For networking, I think that the
genuinely simple cases (connect to WiFi, use that WiFi) should be
approachable to non-technical users, but setting up something like a VPN is
inherently complex, and trying to hide that complexity makes everything
harder.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
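To make the routing behaviour argued about above concrete, here is an added example (mine, not code from the thread, from NetworkManager or from systemd). It is a small POSIX sh simulation of the per-link DNS routing rule as I read it from resolved.link(5) and systemd-resolved(8): a query under a link's search or routing-only domain goes to that link, longest match winning and ties fanning out; a query matching no domain goes to every link whose DefaultRoute is yes, where "auto" means yes only if the link has no routing-only domains. The three link tables are constructed: a VPN that only pushed search domains, the explicit configuration the reply asks for (routing-only domains plus DefaultRoute=no), and "use this VPN for everything" via the routing domain `.`. The link names, domains and the `resolvectl` invocations in comments are assumptions about a setup, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, NetworkManager or systemd.
# Simulates the per-link DNS routing rule documented for systemd-resolved
# (my reading of resolved.link(5) DefaultRoute= and Domains=):
#  - a query whose name falls under a link's search or routing-only domain
#    goes to that link; the longest matching domain wins, ties fan out;
#  - a query matching no domain goes to every link whose DefaultRoute is
#    "yes"; "auto" counts as yes only when the link has no routing-only
#    domains, which is why a VPN that pushed only search domains also sees
#    unmatched queries, in parallel with the LAN link.
# Link names and domains are constructed. Table columns:
#   link  search-domains  routing-only-domains  default-route
# "-" means none, several domains are comma-separated, "." means all.

# Is query name $1 equal to, or a subdomain of, domain $2?
in_domain() {
  [ "$2" = . ] && return 0
  case "$1" in
    "$2"|*."$2") return 0 ;;
  esac
  return 1
}

# Read a link table on stdin; print, on one line, the links a query for
# name $1 would be sent to.
route_query() {
  q=$1 best=0 winners='' defaults=''
  while read -r link search routing dflt; do
    case "$link" in ''|'#'*) continue ;; esac
    longest=0
    for d in $(printf '%s,%s' "$search" "$routing" | tr ',' ' '); do
      [ "$d" = - ] && continue
      in_domain "$q" "$d" || continue
      [ "${#d}" -gt "$longest" ] && longest=${#d}
    done
    if [ "$longest" -gt "$best" ]; then
      best=$longest winners=" $link"
    elif [ "$longest" -gt 0 ] && [ "$longest" -eq "$best" ]; then
      winners="$winners $link"
    fi
    case "$dflt" in
      yes)  defaults="$defaults $link" ;;
      auto) [ "$routing" = - ] && defaults="$defaults $link" ;;
    esac
  done
  if [ "$best" -gt 0 ]; then printf '%s\n' "${winners# }"
  else printf '%s\n' "${defaults# }"; fi
}

# A VPN that only pushed search domains (constructed).
table_search_only() {
  printf '%s\n' \
    'wlan0 lan.example - auto' \
    'tun0  corp.example.com - auto'
}

# The explicit configuration the reply asks for: routing-only domains for
# what the VPN handles and no default route, so unmatched names never go
# to it. Assumed equivalent with the real resolvectl tool:
#   resolvectl domain tun0 corp.example.com ~internal.example.com
#   resolvectl default-route tun0 no
table_explicit() {
  printf '%s\n' \
    'wlan0 lan.example - auto' \
    'tun0  corp.example.com internal.example.com no'
}

# "Use this VPN for all DNS": routing-only domain "." (resolvectl's "~.").
table_all_via_vpn() {
  printf '%s\n' \
    'wlan0 lan.example - auto' \
    'tun0  corp.example.com . auto'
}

# Demonstration when run directly.
for n in printer.lan.example host.corp.example.com \
         db.internal.example.com www.example.org; do
  printf '%-24s search-only: %-11s explicit: %-6s all-via-vpn: %s\n' "$n" \
    "$(table_search_only | route_query "$n")" \
    "$(table_explicit | route_query "$n")" \
    "$(table_all_via_vpn | route_query "$n")"
done
```

The `db.internal.example.com` row is the case from the quoted exchange: with only a search domain on `tun0`, the name matches nothing and is sent to both `wlan0` and `tun0`, so the internal name is visible to the LAN resolver; with the explicit table it goes to `tun0` alone, and `www.example.org` no longer touches the VPN at all.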