10
9
Fork
You've already forked linux-app
14

Handle DNS over TLS #636

Closed
opened 2025年04月28日 01:36:22 +02:00 by Mikilio · 6 comments

So it seems my Uni is not operating eduVPN with the ability to handle DNS over TLS. It was a quite the journey to learn that this was even an issue. I do not know if my Uni is at fault here as I couldn't find anything on this on any issue here. As such, I'd like to propose two alternatives that could avoid this problem.

  1. Require a certain DNS over TLS setting from VPN providers and add a dns-over-tls line to the connections section.
  2. Somehow check the capabilities of the peer before setting the dns-over-tls line.

Currently, dns-over-tls is not handled at all. However, programs like systemd-resolved may cause dns-over-tls to be the default in some systems.

So it seems my Uni is not operating eduVPN with the ability to handle DNS over TLS. It was a quite the journey to learn that this was even an issue. I do not know if my Uni is at fault here as I couldn't find anything on this on any issue here. As such, I'd like to propose two alternatives that could avoid this problem. 1. Require a certain DNS over TLS setting from VPN providers and add a `dns-over-tls` line to the connections section. 2. Somehow check the capabilities of the peer before setting the `dns-over-tls` line. Currently, `dns-over-tls` is not handled at all. However, programs like systemd-resolved may cause `dns-over-tls` to be the default in some systems.

Hi, I am not sure I understand. What is the use case? When you're connected to a VPN the DNS traffic is already encrypted

Hi, I am not sure I understand. What is the use case? When you're connected to a VPN the DNS traffic is already encrypted
Author
Copy link

I didn't really want to start a discussion on whether DoT is usefull on VPN networks.
What I wanted to point out is that eduVPN may not work when DoT is globally enabled (which for some people it is, since we are not always connected to a VPN).
In my case, the workaround was to turn off DoT for the eduVPN interface only, which is not trivial (not achievable via nm-applet e.g.)
Using one of my proposed solutions or just setting dns-over-tls=0 for the connection would already be enough to reduce frustration for many users without really hurting anyone.

I didn't really want to start a discussion on whether DoT is usefull on VPN networks. What I wanted to point out is that eduVPN may not work when DoT is globally enabled (which for some people it is, since we are not always connected to a VPN). In my case, the workaround was to turn off DoT for the eduVPN interface only, which is not trivial (not achievable via nm-applet e.g.) Using one of my proposed solutions or just setting `dns-over-tls=0` for the connection would already be enough to reduce frustration for many users without really hurting anyone.

DoT is globally enabled

This seems unfortunate, as whether or not DoT is available depends very much on the DNS server you configured. It seems globally enabling that is a configuration mistake.

Which Linux distributions do you know that out of the box enable DoT globally for all DNS servers?

If you configure DoT yourself, it may be much better to configure it per link and not globally:

In addition to this global DNSOverTLS= setting systemd-networkd.service(8) also maintains per-link DNSOverTLS= settings. For system DNS servers (see above), only the global DNSOverTLS= setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.

If you enable DoT "globally" and you "roam" with your laptop to various different locations I guess DNS will be broken most of the time anyway?

> DoT is globally enabled This seems unfortunate, as whether or not DoT is available depends very much on the DNS server you configured. It seems globally enabling that is a configuration mistake. Which Linux distributions do you know that out of the box enable DoT globally for all DNS servers? If you configure DoT yourself, it may be much better to configure it [per link](https://www.freedesktop.org/software/systemd/man/latest/resolved.conf.html#DNSOverTLS=) and not globally: > In addition to this global DNSOverTLS= setting systemd-networkd.service(8) also maintains per-link DNSOverTLS= settings. For system DNS servers (see above), only the global DNSOverTLS= setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead. If you enable DoT "globally" and you "roam" with your laptop to various different locations I guess DNS will be broken most of the time anyway?
Author
Copy link

I do not experience a lot of issues with "roaming".

As mentioned before, I do actually end up configuring per link, but rather to turn DoT off.
I believe I am not the only person that turns on privacy preserving settings "just in case".

Even if you feel like this configuration shouldn't be accommodated for, it would be nice to keep this issue open for discoverability and see if there will be another instance of it.

I do not experience a lot of issues with "roaming". As mentioned before, I do actually end up configuring per link, but rather to turn DoT off. I believe I am not the only person that turns on privacy preserving settings "just in case". Even if you feel like this configuration shouldn't be accommodated for, it would be nice to keep this issue open for discoverability and see if there will be another instance of it.

Honestly, I am not sure what to exactly do here. Let me know what the client could do better

Honestly, I am not sure what to exactly do here. Let me know what the client could do better

Honestly, I am not sure what to exactly do here. Let me know what the client could do better

@jwijenbergh For me personally, an option Ignore DNS settings provided by VPN would be appreciated. I'm using DoT globally, and do not trust DNS settings provided by any connection, e.g. DHCP over ethernet / wifi. I neither want nor need the DNS settings of the VPN and now I have to manually strip it after connecting using nmcli or resolvectl as the forced insertion breaks connectivity.

> Honestly, I am not sure what to exactly do here. Let me know what the client could do better @jwijenbergh For me personally, an option `Ignore DNS settings provided by VPN` would be appreciated. I'm using DoT globally, and do not trust DNS settings provided by any connection, e.g. DHCP over ethernet / wifi. I neither want nor need the DNS settings of the VPN and now I have to manually strip it after connecting using `nmcli` or `resolvectl` as the forced insertion breaks connectivity.
Sign in to join this conversation.
No Branch/Tag specified
master
upstream-deb
openvpn-persistent
1.x
4.7.2
4.7.1
4.7.0
4.6.0
4.5.1
4.5.0
4.4.99.0
4.4.0
4.3.1
4.3.0
4.2.99.1
4.2.99.0
4.2.1
4.2.0
4.1.99.0
4.1.3
4.1.2
4.1.1
4.1.0
3.1.1
4.0.1
4.0.0
pr-3.3.1
pr-3.3.0
pr-3.2.0
3.1.0
3.0.0
2.2.1
2.2.0
2.1.0
2.0.0
1.1
1.0.3
1.0.2
1.0.1
1.0rc17
1.0rc16
1.0rc15
1.0rc14
1.0rc13
1.0rc12
1.0rc11
1.0rc10
1.0rc9
1.0rc8
1.0rc7
1.0rc6
1.0rc5
1.0rc4
1.0rc3
1.0rc2
1.0rc1
0.8
0.7.2
0.7.1
0.7
0.6.1
0.6
0.5.1
0.5
0.3
0.2.1
0.2
0.1.1
0.1
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eduVPN/linux-app#636
Reference in a new issue
eduVPN/linux-app
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?