On 18.8.2022 19.39, Suraj Krishnan wrote:
Hi all,
I wanted to revive this thread and provide an update on the status of this
feature/PR.
The feature adds a mechanism for privileged users to monitor DNS resolutions on
the system, by adding a new varlink interface that exposes a method for clients
to subscribe to such notifications. The feature will be off by default.
Lennart's suggestion to use varlink for this turned out to be quite valuable
and we've been successfully using this patch for the last few months. We're
using it to update the firewall (drop by default) based on pre-configured
allow-list of hostnames. We also leverage nftable's queue feature to address
race conditions associated with asynchronously updating the network firewall.
I received great feedback from the community on the PR, much of which is
already incorporated. There are two more suggestions that aren't incorporated
yet:
1) Add "resolvectl monitor" functionality to provide a built-in way to monitor
the notifications and try out the feature easily (note that varlink CLI tools are just as
easy to setup/use)
2) Add a d-bus property when the feature is in use. This allows unprivileged
clients to be aware that DNS requests are monitored on the system.
At this point, I'm writing to gauge if the devs would be open to accepting this
patch in its current form, or would like to have 1) and/or 2) incorporated into
the same PR, or have any concerns about the feature in general.
https://github.com/systemd/systemd/pull/22845
I planned to do something similar with
https://github.com/systemd/systemd/issues/17053
and https://github.com/systemd/systemd/pull/17126
but I didn't find a good solution for updating the firewall by resolved
itself or indirectly with NFT sets. An external daemon is probably the
best choice and then varlink interface makes a lot of sense. I don't
need the monitor or d-bus properties.
For simple resolver clients like systemd-timesyncd, which only needs a
few names resolved and then it's happy to use the resulting IP addresses
forever, the firewall doesn't need much managing, perhaps a NFT flush
when the client exits or restarts. It would be nice to use the filtering
and firewalling for more complex use cases like browser but then the
lifetime of the firewall rules and when to drop them isn't very clear to
me. Identifying the client robustly to the level I want seems to be also
difficult, the best would be to use a combination of stuff like cgroups,
UID/GID and SELinux domain of the client. May I ask what's your use case
for the firewall integration?
-Topi
Thanks
Suraj
-----Original Message-----
From: Lennart Poettering <lenn...@poettering.net>
Sent: Wednesday, February 16, 2022 9:53 AM
To: Suraj Krishnan <sura...@microsoft.com>
Cc: systemd-devel@lists.freedesktop.org; Andre Muezerie
<andre.mueze...@microsoft.com>
Subject: [EXTERNAL] Re: [systemd-devel] [RFC] systemd-resolved: Send d-bus
signal after DNS resolution
[You don't often get email from lenn...@poettering.net. Learn why this is
important at http://aka.ms/LearnAboutSenderIdentification.]
On Di, 15.02.22 22:37, Suraj Krishnan (sura...@microsoft.com) wrote:
Hello,
I'm reaching out to the community to gather feedback about a feature
to broadcast a d-bus signal notification from systemd-resolved when a
DNS query is completed. The message would contain information about
the query and IP addresses received from the DNS server.
Broadcasting this on the system bus sounds like a bit too heavy. I am sure
there are setups which will resolve a *lot* of names in a very short time, and
you'd flood the bus with that. D-Bus is expressly not built for streaming more
than control data, but if you have a flood of DNS requests it becomes
substantially more than that.
Also, given that in 99.9%of all cases the broadcast messages would just be
dropped by the broker because nothig is listening this sounds needlessly
expensive.
What would make sense is adding a Varlink interface for this however. resolved
uses varlink anyway it could just build on that. Varlink has the benefit that
no broker is involved: if noone is listening we wouldn't do anything and not
have to pay for it. Moreover varlink has no issues with streaming large amounts
of data. And its easy to secure to ensure nobody unprivileged will see this
(simply by making the socket have a restrictive access mode).
So yes, i think adding the concept makes a ton of sense. But not via D-Bus, but via
Varlink. Would love to review/merge a patch that adds that and then exposes this via
"resolvectl monitor" or so.
Lennart
--
Lennart Poettering, Berlin
