| author | Martin Pitt <martin.pitt@ubuntu.com> | 2016-09-30 09:30:08 +0200 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-09-30 09:30:08 +0200 |
| commit | b9fe94cad99968a58e169592d999306fd059eb14 (patch) | |
| tree | d791e9c45716a8842338f0ec4ac3562b79dfc751 /man | |
| parent | a86b76753d7868c2d05f046f601bc7dc89fc2203 (diff) | |
resolved: don't query domain-limited DNS servers for other domains (#3621)
DNS servers which have route-only domains should only be used for
the specified domains. Routing queries about other domains there is a privacy
violation, prone to fail (as that DNS server was not meant to be used for other
domains), and puts unnecessary load onto that server.
Introduce a new helper function dns_server_limited_domains() that checks if the
DNS server should only be used for some selected domains, i.e. has some
route-only domains without "~.". Use that when determining whether to query it
in the scope, and when writing resolv.conf.
Extend the test_route_only_dns() case to ensure that the DNS server limited to
~company does not appear in resolv.conf. Add test_route_only_dns_all_domains()
to ensure that a server that also has ~. does appear in resolv.conf as global
name server. These reproduce #3420.
Add a new test_resolved_domain_restricted_dns() test case that verifies that
domain-limited DNS servers are only being used for those domains. This
reproduces #3421.
Clarify what a "routing domain" is in the manpage.
Fixes #3420
Fixes #3421
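The two situations the commit message distinguishes (a route-only server versus one that also carries `~.`), as an added example of systemd.network configuration that is not part of the commit; interface names, addresses, domain and file paths are constructed for illustration:

```ini
# /etc/systemd/network/10-vpn.network (hypothetical path; all values constructed)
[Match]
Name=vpn0

[Network]
DNS=10.0.0.53
# "~" makes corp.example a pure routing domain: 10.0.0.53 is queried only for
# names under corp.example, and with this commit it is no longer listed in
# resolv.conf as a global name server (the #3420 case).
Domains=~corp.example

# /etc/systemd/network/20-uplink.network (hypothetical path; all values constructed)
[Match]
Name=eth0

[Network]
DNS=192.0.2.53
# "~." routes the DNS root here as well, so this server is not domain-limited:
# it is still used for all other names and still appears in resolv.conf
# (the test_route_only_dns_all_domains() case).
Domains=~corp.example ~.
```

Each unit above is a separate file; they are shown in one block only to put the limited and the global configuration side by side.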
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.network.xml | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 9c1b10fc5c..08dd157e31 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -475,8 +475,8 @@ <para>The specified domains are also used for routing of DNS queries: look-ups for host names ending in the domains specified here are preferably routed to the DNS servers configured for this interface. If a domain - name is prefixed with <literal>~</literal>, the domain name becomes a pure "routing" domain, is used for - DNS query routing purposes only and is not used in the described domain search logic. By specifying a + name is prefixed with <literal>~</literal>, the domain name becomes a pure "routing" domain, the DNS server + is used for the given domain names only and is not used in the described domain search logic. By specifying a routing domain of <literal>~.</literal> (the tilde indicating definition of a routing domain, the dot referring to the DNS root domain which is the implied suffix of all valid DNS names) it is possible to route all DNS traffic preferably to the DNS server specified for this interface. The route domain logic is |
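Review bot: the rewritten sentence in this hunk is ambiguous about what "is not used in the described domain search logic" refers to: in the removed lines it was the domain name, but in the added lines "the DNS server is used for the given domain names only and is not used in the described domain search logic" attaches that clause to the DNS server, which is not what the search-logic paragraph is about. Suggest splitting the clause so each subject is explicit, e.g. "the domain name becomes a pure "routing" domain: the DNS servers configured for this interface are used only for names within that domain, and the domain itself is not used in the described domain search logic." Since the commit message also states that such domain-limited servers are no longer written to resolv.conf, consider mentioning that here as well, as it is user-visible behaviour of the same setting.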