On So, 15.11.20 10:18, Marius Schwarz (fedora...@cloud-foo.de) wrote:

> Am 11.11.20 um 16:58 schrieb Lennart Poettering:
> > So if you configure 4 DNS servers then each will still get roughly
> > 1/4th of your requests? That's still quite a lot of info.
> The more you use, and I did, the better it protects against tracking by the
> DNS cache owners.
>
> How about putting this as a feature request in resolved?

Please file an RFE issue on github:

https://github.com/systemd/systemd/issues/new?template=Feature_request.md

Implementing this does not come without drawbacks though: right now
resolved tries hard to use the same server if at all possible, since
we want to use newer DNS features if possible, but many DNS servers
(wifi routers, yuck) tend to support them quite badly. This means
resolved has an elaborate scheme to learn about the feature set of the
DNS servers it contacts. And that can be slow, in particular on
servers where we step-by-step have to downgrade to the most minimal of
DNS protocols. This learning phase is run only when first contacting
some server (and after some grace period). If we'd switch servers all
the time, for every single lookup, then we'd start from zero every
time, not knowing what the server supports, and thus having to learn
about it over and over again. This would hence make all,
*every*single* transaction pretty slow. And that sucks.

It might be something to add as opt-in, and come with the warning that
you better list DNS servers that aren't crap if you want to use that,
so that we never have to downgrade protocol level, and thus the
learning phase is short.

(There have been suggestions to probe ahead-of-time, i.e. already
before we have to dispatch the first lookup request to it, i.e. at the
time the DNS server address is configured. However that is a privacy
issue, too, since it means systems would suddenly start contacting DNS
servers, even without anyone needing it.)

> It should of course use encrypted protocols first.

It has supported DoT for a long time. It is currently opt-in on Fedora
though, but we should change that.

DoT becomes efficient when we can reuse the established TCP/TLS connection
for multiple lookups. But if we'd switch servers all the time, then of
course there's no reuse of TCP/TLS connections possible.

Or in other words: adding this conflicts with other (and I think more
important) goals here. Thus if we add this, only as an option I
figure. It's not suitable as a sensible default.

Lennart

--
Lennart Poettering, Berlin
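To make the trade-off Lennart describes concrete, here is an added illustration (not systemd-resolved code, and not part of the original thread): a small model that runs the same sequence of lookups under sticky server selection and under per-lookup rotation, and counts the feature-learning phases, the probe round trips spent on protocol downgrades, the TCP/TLS connections opened, and the largest share of queries any single server gets to see. The cost model is an assumption: each learning phase costs one probe plus one extra round trip per downgrade step, only one transport connection is open at a time, and the `forget_on_switch` flag models the "start from zero every time" case versus keeping per-server state.

```python
"""Sticky versus rotating DNS server selection, as a cost/privacy model.

Added illustration only; the numbers are from the assumed cost model
below, not measurements of systemd-resolved.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Server:
    name: str
    # Number of protocol levels that fail before one works
    # (0 = supports the newest features, 3 = needs the most minimal DNS).
    downgrade_steps: int


@dataclass
class Stats:
    queries_per_server: Dict[str, int] = field(default_factory=dict)
    learning_phases: int = 0      # how often a feature-probing phase ran
    probe_round_trips: int = 0    # round trips spent on probing/downgrading
    connections_opened: int = 0   # TCP/TLS handshakes (DoT case)


def run(servers: List[Server], lookups: int, rotate: bool,
        forget_on_switch: bool = True) -> Stats:
    """Simulate `lookups` queries and return the accumulated costs.

    rotate=False: always use the first server (sticky, as resolved does).
    rotate=True:  round-robin over all servers, one per lookup.
    forget_on_switch=True models learned feature state being tied to the
    current server and discarded on every switch (assumption).
    """
    stats = Stats(queries_per_server={s.name: 0 for s in servers})
    learned: Set[str] = set()   # servers whose feature level is known
    current = None              # the single open transport connection

    for i in range(lookups):
        server = servers[i % len(servers)] if rotate else servers[0]
        stats.queries_per_server[server.name] += 1

        if current != server.name:
            # Switching servers: no connection reuse, and (optionally)
            # no memory of what the previous server supported.
            stats.connections_opened += 1
            if forget_on_switch:
                learned.clear()
            current = server.name

        if server.name not in learned:
            stats.learning_phases += 1
            stats.probe_round_trips += 1 + server.downgrade_steps
            learned.add(server.name)

    return stats


def max_share(stats: Stats) -> float:
    """Largest fraction of all queries seen by any one server.

    1.0 means one operator sees everything; 1/N is the rotation best case.
    """
    total = sum(stats.queries_per_server.values())
    return max(stats.queries_per_server.values()) / total


# Constructed sample: four servers of varying quality (assumed values).
SAMPLE_SERVERS = [Server("good-dot", 0), Server("wifi-router", 2),
                  Server("isp", 1), Server("old-forwarder", 3)]

if __name__ == "__main__":
    for label, kwargs in [("sticky", dict(rotate=False)),
                          ("rotate/forget", dict(rotate=True)),
                          ("rotate/remember", dict(rotate=True,
                                                   forget_on_switch=False))]:
        s = run(SAMPLE_SERVERS, 100, **kwargs)
        print(f"{label:16} phases={s.learning_phases:3} probes={s.probe_round_trips:3} "
              f"conns={s.connections_opened:3} max_share={max_share(s):.2f}")
```

Running it shows the shape of the argument: sticky selection pays for one learning phase and one connection but lets a single operator see every query, while rotation spreads queries evenly (max share 1/4) at the price of a connection per lookup and, if feature state is not kept per server, a learning phase per lookup whose cost is dominated by the worst server in the list, which is exactly why the suggestion to "list DNS servers that aren't crap" matters for such an option.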
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org