Local DNS resolver in Fedora

Hello,

This post is a call for action: to spread the word about a newly proposed system-wide change in Fedora, installing a trusted local DNS resolver that listens on 127.0.0.1:53. Please see:
     -> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
     -> https://www.piratepad.ca/p/dnssec-requisites-configurations

The Domain Name System (DNS) is ‘core’ internet infrastructure and an integral part of every computer system; without it we could not use the Internet as we do today. Yet in its current form it is a fairly weak system: it can be exploited to disrupt services and to compromise users’ privacy, which makes it an easy target for the malicious mind, especially against the backdrop of increasingly snooping governments and service providers worldwide. To mitigate this risk and to improve the user experience, it is proposed to install a trusted DNS resolver in Fedora.

Being an integral part of each system, the proposed system-wide change is bound to break existing workflows and applications. For example:

    This is gonna conflict a bit with docker, and other users of network namespaces,
      like systemd-nspawn. When docker runs, it picks up the current ‘/etc/resolv.conf’
      and puts it in the container, but the container itself runs in a network namespace,
      so it gets its own loopback device. This will mean 127.0.0.1:53 points to the container,
      and not the host, so dns resolving in the container will not work.  [1]

We want to avoid any such breakage caused by the proposed local DNS resolver. Towards that end, we are collecting all possible information about these use cases, so that we can fix the ensuing bugs well before the proposed system-wide change goes live (i.e. in F22). The aim is to build a robust, reliable and secure DNS solution, one which works out of the box without any user intervention.
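To make the network-namespace problem from the quoted mail concrete, here is an added diagnostic check written for this post; it is not part of the Fedora change, NetworkManager, docker or systemd-nspawn. It parses the nameserver lines of a resolv.conf and the kernel's /proc/net/udp and /proc/net/udp6 tables (which are per network namespace, so inside a container they list only the container's own sockets) and reports, for each loopback nameserver, whether anything in the current namespace is actually bound to port 53. The resolv.conf and /proc/net/udp contents used as samples below are constructed, not captured from a real system.

```python
"""Does a loopback nameserver in resolv.conf have a listener in *this* netns?

Added example (not Fedora/docker/systemd-nspawn code). The /proc/net tables
are real Linux interfaces; the sample texts below are constructed.
"""
import ipaddress

# Constructed resolv.conf as a local-resolver setup would write it on the host.
HOST_RESOLV_CONF = """\
# constructed sample, as if written by the local resolver setup
nameserver 127.0.0.1
options edns0
"""

# Constructed /proc/net/udp: host has a resolver bound to 127.0.0.1:53
# (local_address is little-endian hex: 0100007F = 127.0.0.1, 0035 = 53).
HOST_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
"""

# Constructed /proc/net/udp inside a fresh container netns: no sockets at all.
CONTAINER_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
"""


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # skip a malformed entry rather than abort
    return servers


def decode_proc_addr(token):
    """Decode '<hexaddr>:<hexport>' as found in /proc/net/{udp,tcp}[6].

    IPv4 is one 32-bit word, IPv6 four 32-bit words, each in host byte order
    (assumed little-endian here, as on x86).
    """
    hexaddr, hexport = token.split(":")
    port = int(hexport, 16)
    if len(hexaddr) == 8:
        ip = ipaddress.IPv4Address(int(hexaddr, 16).to_bytes(4, "little"))
    elif len(hexaddr) == 32:
        raw = b"".join(int(hexaddr[i:i + 8], 16).to_bytes(4, "little")
                       for i in range(0, 32, 8))
        ip = ipaddress.IPv6Address(raw)
    else:
        raise ValueError("unexpected address width: %r" % token)
    return ip, port


def parse_local_sockets(proc_net_text):
    """Return the set of (ip, port) local bindings listed in a /proc/net table."""
    bound = set()
    for line in proc_net_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            bound.add(decode_proc_addr(fields[1]))
        except ValueError:
            continue
    return bound


def resolver_reachable(nameservers, local_sockets, port=53):
    """Map each nameserver (as a string) to whether it can be reached.

    A loopback nameserver needs a socket on that address, or on the wildcard
    address of the same IP version, bound to `port` in this namespace.
    Non-loopback servers are reported as reachable; routing is out of scope.
    """
    report = {}
    for ns in nameservers:
        if not ns.is_loopback:
            report[str(ns)] = True
            continue
        report[str(ns)] = any(
            p == port and (ip == ns or (ip.is_unspecified and ip.version == ns.version))
            for ip, p in local_sockets)
    return report


def check_live(resolv_path="/etc/resolv.conf"):
    """Run the check against the running system (Linux only)."""
    with open(resolv_path) as fh:
        servers = parse_nameservers(fh.read())
    sockets = set()
    for table in ("/proc/net/udp", "/proc/net/udp6"):
        try:
            with open(table) as fh:
                sockets |= parse_local_sockets(fh.read())
        except OSError:
            pass  # table absent (no IPv6, non-Linux, restricted /proc)
    return resolver_reachable(servers, sockets)


if __name__ == "__main__":
    print("host:     ", resolver_reachable(parse_nameservers(HOST_RESOLV_CONF),
                                           parse_local_sockets(HOST_UDP)))
    print("container:", resolver_reachable(parse_nameservers(HOST_RESOLV_CONF),
                                           parse_local_sockets(CONTAINER_UDP)))
```

Run inside a container that inherited the host's resolv.conf, `check_live()` returns `{'127.0.0.1': False}`, which is exactly the breakage described: the file is fine, but the loopback it names belongs to the container's namespace, where nothing listens on port 53.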

The etherpad and wiki pages above document the requisites and the new workflow. If you think that the proposed change would break any application on Fedora, or if you have feature requests for the new default DNS resolver (including NetworkManager), please edit the etherpad page or let me know. Alternatively, you could enable the local DNS resolver in your own set-up, as described in the wiki page, and submit bug reports if you encounter any problems.

    See -> https://tinyurl.com/fedora-dnssec-trigger-bugs

Your comments, suggestions and opinions on this topic are welcome too. Please help us by spreading this message to more users.

Thank you! 🙂

[1] https://lists.fedoraproject.org/pipermail/devel/2014-April/198706.html

4 thoughts on “Local DNS resolver in Fedora”

  1. This is an interesting idea, but surely it’d be better to just provide (and more importantly use) a DNSSEC enabled resolver throughout the OS? Ditto for anywhere when TLS certificates are used, these must also be SHA512 hash verified in DNSSEC using DANE.

    If you provide (and use) the correct resolver as a shared library in Fedora then it’ll make no difference whether or not it loops back through 127.0.0.1:53. If you can’t guarantee that programs are using the correct DNS resolver, you similarly can’t be sure that they’ll respect /etc/resolv.conf anyway.

    • > it’d be better to just provide (and more importantly use) a DNSSEC enabled resolver throughout the OS?

      Yes, that is the idea. 🙂

      About the resolver as a shared library: it has inherent issues with thread safety, handling of cache, etc. Virtually all programs today use the name servers in ‘/etc/resolv.conf’ via the standard stub resolver(3). Applications (e.g. Tor) can always bypass system settings, may it be ‘/etc/resolv.conf’ or a shared library or anything else. It’s not about forcing them to use a single instance, but about making security the default.
