On 11/12/20 9:00 PM, Florian Weimer wrote:
> * Petr Menšík:
>
>> I'll try to rephrase. Connection provides list of domains, it considers
>> internal. All names in those domains should be resolved using DNS servers
>> provided by that connection. Because common network connection managed
>> by NM or systemd-networkd does not have "internal domains" property,
>> systemd-resolved and dnssec-trigger use DHCP search (119) option.
>
> Is it really a list, though?
>
> I expect corporate networks to use RPZ to manage things like
> typo-squatting, so it's going to be very long, and perhaps not even
> readily disclosable for contractual reasons.

I don't think they should share the whole RPZ zone via that list. I should be able to send all queries to the VPN for safety checking and only selected ones to my local/home network, reversing the functionality. I expect that the domain list per connection would usually be limited to 5 names, not hundreds of names. Just the bare minimum for basic functionality, not RPZ protection for any bad site on the internet. Something like "corp.example.net, labs.example.org".

Since I have installed my own system, not managed or supported by our IT, and also have my own internet connection, I don't think the VPN (nor the company) has to monitor all my internet usage. Therefore I would like to send there only traffic directed to the VPN, avoiding personal queries going there as well.

I am referring to the Split DNS change proposed to Fedora [1]. I have been using dnssec-trigger for years. I think there should be some standard way to define the configuration in a more standard way. It is also a question how a VPN connection should be configured to send all queries to the VPN or not. An employer might require it in the contract. When I need multiple VPN connections, it would have to choose somehow. How?

1. https://fedoraproject.org/wiki/Changes/systemd-resolved#Split_DNS

>
> Thanks,
> Florian
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [email protected]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
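
Added example, not part of the original message and not code from systemd-resolved or dnssec-trigger: a small model of the per-connection domain list discussed above, showing which resolver each query would be sent to. The link names, addresses, the "." catch-all marker and the longest-match tie-break between several VPNs are assumptions made for illustration.

```python
# Illustrative model only: link names, domains and resolver addresses are constructed.
from typing import Dict, List, Optional, Tuple

# Each connection lists its DNS servers and the domains it declares internal.
# "." (assumed marker) means "send everything not claimed elsewhere here".
LINKS: Dict[str, dict] = {
    "home": {"servers": ["192.0.2.53"], "domains": ["."]},
    "vpn-corp": {"servers": ["198.51.100.10"],
                 "domains": ["corp.example.net", "labs.example.org"]},
    "vpn-lab2": {"servers": ["203.0.113.7"], "domains": ["dev.labs.example.org"]},
}

# The reversed setup from the message: the VPN sees every query,
# only selected names stay on the home network.
REVERSED: Dict[str, dict] = {
    "home": {"servers": ["192.0.2.53"], "domains": ["home.arpa"]},
    "vpn-corp": {"servers": ["198.51.100.10"], "domains": ["."]},
}

def _labels(name: str) -> List[str]:
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def _match_len(qname: str, domain: str) -> Optional[int]:
    """Number of labels in `domain` if qname is at or below it, else None."""
    q, d = _labels(qname), _labels(domain)
    if len(d) > len(q):
        return None
    # Compare whole labels: a plain string suffix test would wrongly route
    # evilcorp.example.net to the resolver for corp.example.net.
    if d and q[-len(d):] != d:
        return None
    return len(d)

def route(qname: str, links: Dict[str, dict] = LINKS) -> Optional[Tuple[str, List[str]]]:
    """Pick the connection with the most specific matching domain.
    Returns None when no connection claims the name (nothing is sent)."""
    best: Optional[Tuple[int, str]] = None
    for link, cfg in links.items():
        for domain in cfg["domains"]:
            n = _match_len(qname, domain)
            if n is not None and (best is None or n > best[0]):
                best = (n, link)  # assumed policy: longest match, first link on a tie
    if best is None:
        return None
    return best[1], links[best[1]]["servers"]

if __name__ == "__main__":
    for q in ["wiki.corp.example.net", "evilcorp.example.net", "example.com"]:
        print(q, "->", route(q))
```
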
