nss-dns is all right. All you need to have is a DNS server with
domain-configurable servers.

Those are:
- unbound (with dnssec-trigger autoconfigured)
- dnsmasq
- systemd-resolved
- probably knot-resolver
- bind (not more difficult to reconfigure at runtime)

Maybe more. It is not about nss, because /etc/resolv.conf does not
support any domain:server-ip tuples. It would work better with a local
cache. resolved is not the only possibility. Just use /etc/resolv.conf
set to localhost and configure forwarders in your server from NM (or
networkd).

On 9/28/20 5:43 PM, Florian Weimer wrote:
> * Michael Catanzaro:
> 
>> On Mon, Sep 28, 2020 at 5:18 pm, Florian Weimer <fwei...@redhat.com>
>> wrote:
>>> But the DNS view provided by the Red Hat VPN is what disables the
>>> centralized DNS resolvers in browsers in these configurations.  The
>>> magic browser probe no longer fails with the change in DNS routing
>>> (which the proposal confusingly names “Split DNS”) because it goes
>>> out over the public Internet, where it is not filtered, unlike the
>>> Red Hat VPN.
>>
>> Hm, I'm pretty sure this is a Firefox-specific issue, right? Fedora's
>> Firefox is patched to use system DNS, so it shouldn't matter for us. 
>> I'm not aware of any other browser that ignores system DNS; at least,
>> I'm fairly certain Chrome and Epiphany will both never do this.
> 
> It seems that you are right about Chromium:
> 
> | We have no plans to support this approach. We believe that our
> | deployment model is significantly different from Mozilla's, and as a
> | result canary domains won't be needed.
> 
> <https://www.chromium.org/developers/dns-over-https>
> 
> However, you wrote earlier that “split DNS” is not available over
> nss_dns, so I think Chromium is still impacted because it uses the same
> interfaces that nss_dns would use in this mode (i.e., not nss_resolve).
> 
> Thanks,
> Florian
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
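
Added example, not part of the original message: the setup described above (resolv.conf pointing at localhost, per-domain forwarders in the local cache), written by hand for dnsmasq rather than pushed from NM. The domain corp.example, the VPN resolver 10.0.0.53 and the public resolver 192.0.2.53 are constructed placeholders.

```conf
# --- /etc/resolv.conf ---------------------------------------------------
# Only the local cache is listed. resolv.conf has no domain:server-ip
# syntax, so listing the VPN and public resolvers here would send every
# name to whichever server comes first.
nameserver 127.0.0.1

# --- /etc/dnsmasq.d/split-dns.conf (hypothetical file name) --------------
# Do not read upstream servers from /etc/resolv.conf (it points back at us).
no-resolv

# Answer only on loopback so the cache is not reachable from the network.
listen-address=127.0.0.1
bind-interfaces

# domain:server-ip tuples: names under corp.example, and reverse lookups
# for the 10.0.0.0/8 VPN range, go to the resolver reached over the VPN.
server=/corp.example/10.0.0.53
server=/10.in-addr.arpa/10.0.0.53

# Everything else goes to the resolver of the default (non-VPN) link,
# so public names are not sent through the VPN's DNS view.
server=192.0.2.53
```

Applications that resolve through nss_dns see only 127.0.0.1 and get the per-domain routing without any change on their side.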
