From 14b2fafb3688a4170a9c15235d1c3feb7ddeaf9d Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Oct 06 2020 12:09:53 +0000 Subject: resolve: remove the fallback dns server list DNS questions (which necessarilly include IP addresses) are personally indentifying information in the sense of GDPR (https://gdpr.eu/eu-gdpr-personal-data/ explicitly lists IP address as PII). Sending those packets to Google or Cloudflare is "forwarding" this PII to them. GDPR says that information which is not enough to identify individuals still needs to be protected because it may be combined with other information or processed with improved technology later. So even though the information in DNS alone it not very big, it may be interpreted as protected information in various scenarios. When Fedora is installed by an end-user, they must have the reasonable expectation that Fedora will contant Fedora servers for updates and status checks and such. But the case of DNS packets is different, because the dns servers are not under our control. While most of the time the information leak through DNS is negligible, we can't rule out scenarios where it could be considered more important. Another thing to consider is that ISP and other local internet access mechanisms are probably worse overall for privacy compared to google and cloudflare dns servers. Nevertheless, they are more obvious to users and fit better in the regulatory framework, because there are local laws that govern them and implicitic or explicit agreements for their use. Whereas US-based servers are foreign and are covered by different rules. The fallback DNS servers don't matter most of the time because NetworkManager will include the servers from a DHCP lease. So hopefully users will not see any effect from the change done in this patch. Right now I think it is better to avoid the legal and privacy risk. If it turns out this change causes noticable problems, we might want to reconsider. In particular we could use the fallback servers only in containers and such which are not "personal" machines and there is no particular person attached to them. https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3C4KESHIMZDB6XCFO4EOBEDV4Q2AVVQ5/ I think we could provide a default dns server list more reasonably if there was some kind of privacy policy published by Fedora and users could at least learn about those defaults. Sadly, we don't have any relevant privacy policy (https://pagure.io/Fedora-Council/tickets/issue/53). --- diff --git a/0001-Document-some-reasonable-DNS-servers-in-the-example-.patch b/0001-Document-some-reasonable-DNS-servers-in-the-example-.patch new file mode 100644 index 0000000..535fdfc --- /dev/null +++ b/0001-Document-some-reasonable-DNS-servers-in-the-example-.patch @@ -0,0 +1,34 @@ +From b6c05e03c2e6e98e2f0f129ff5256780bb65bdb2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 6 Oct 2020 13:59:25 +0200 +Subject: [PATCH] Document some reasonable DNS servers in the example config + file + +We have an option to set the fallback list, so we don't know what the contents +are. It may in fact be empty. Let's add some examples to make it easy for a user +stranded without any DNS to fill in something that would work. As a bonus, this +also gives names to the entries we provide by default. +(I added google and cloudflare because that's what we have currently, and quad9 +because it seems to be a good privacy-concious and fast choice and was requested +in #12499. As a minimum, things we should include should be well-known global +services with a documented privacy policy and both IPv4 and IPv6 support and +decent response times.) +--- + src/resolve/resolved.conf.in | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in +index 082ad71626..514021792f 100644 +--- a/src/resolve/resolved.conf.in ++++ b/src/resolve/resolved.conf.in +@@ -12,6 +12,10 @@ + # See resolved.conf(5) for details + + [Resolve] ++# Some examples of DNS servers which may be used for DNS= and FallbackDNS=: ++# Cloudflare: 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 ++# Google: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 ++# Quad9: 9.9.9.9 2620:fe::fe + #DNS= + #FallbackDNS=@DNS_SERVERS@ + #Domains= diff --git a/systemd.spec b/systemd.spec index 538f19b..ee64d30 100644 --- a/systemd.spec +++ b/systemd.spec @@ -78,6 +78,7 @@ Patch0005: 0004-test-path-use-Type-exec.patch Patch0006: 0001-test-acl-util-output-more-debug-info.patch Patch0007: 0001-Do-not-assert-in-test_add_acls_for_user.patch +Patch0008: 0001-Document-some-reasonable-DNS-servers-in-the-example-.patch Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch @@ -369,6 +370,7 @@ CONFIGURE_OPTS=( -Dsysvinit-path=/etc/rc.d/init.d -Drc-local=/etc/rc.d/rc.local -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' + -Ddns-servers= -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin -Dservice-watchdog= -Ddev-kvm-mode=0666