pemensik
commented
5 days ago Maybe a discussion is better place for such ideas.
Open pemensik opened 1 month ago
pemensik
commented
5 days ago Maybe a discussion is better place for such ideas.
We are working on implementing DNS over TLS in RHEL. And I have hit multiple times, that there is no simple way to obtain desired resolvers by applications or even by DNS cache implementation itself.
There are multiple implementations able to provide DNS over TLS and local caching. At least on VPS machines, they often receive fixed IP addresses directly from host. But there is not a good protocol for specifying fixed resolvers to use from the host also, when it should use local cache at the same time.
Because to do so now, the host needs to know in advance, which cache implementation and its configuration would be used. And therefore use implementation specific configuration format.
When no cache is used, /etc/resolv.conf can provide fixed name servers. And they are often specified fixed way. But if we want to use local DNS cache, localhost must be present in resolv.conf. Of course, it is not possible to use DNS over TLS, eventually also DNS over HTTPS or even DNS over QUIC protocols. For those encrypted variants, just IP address is often not enough. It needs to know also expected hostname in certificate.
Because this would make sense to be used across distributions and from multiple DNS caches, would it make sense to define such format here? Is there a better place for such proposal?
The problem is, if I define DNS= in /etc/systemd/resolved.conf, that would be used only by resolved. Of course I can also use /etc/unbound/unbound.conf. Or I can use dnsmasq configured in /etc/dnsmasq.conf. Whatever I use, the configuration differs a lot in syntax. But the result would be more or less the same in /etc/resolv.conf. That would just point to localhost (exact address may vary a bit).
I may want to use tools like dig or unbound-host to query not localhost, but information on forwarders. But specification by hand, when more parameters than TLS neeeds to be specified, can be somehow tiring. They could just read that information from the file itself and I would use a single parameter to tell it not to use /etc/resolv.conf, but something like /etc/resolver.conf.
Another issue is simple way to query from applications, where does local cache forward. And even more important, how is that forwarding protected, if any way used. Runtime configuration may contain additions to static configuration from file.