[systemd-devel] Re: [EXT] Re: [systemd-devel] [RFC] systemd-resolved: Send d-bus signal after DNS resolution

>>> Lennart Poettering wrote on 16.02.2022 at 18:59 in message :
> On Mi, 16.02.22 12:13, Dave Howorth (syst...@howorth.org.uk) wrote:
>
>> > This could be used by applications for auditing/logging services
>> > downstream of the resolver, or to update the firewall on the system.
>>
>> Perhaps an example use case would help but I'm not clear how a DNS
>> resolution would usefully cause a state change in the firewall without
>> some further external guidance?
>
> Yeah, I am not sure I grok the relationship to firewalls here,
> either. Updating firewalls asynchronously based on DNS lookups sounds
> wrong to me... Unless you want to implement nice backdoors ;-)
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Re: [systemd-devel] [RFC] systemd-resolved: Send d-bus signal after DNS resolution
On Mi, 16.02.22 12:13, Dave Howorth (syst...@howorth.org.uk) wrote:

> > This could be used by applications for auditing/logging services
> > downstream of the resolver, or to update the firewall on the system.
>
> Perhaps an example use case would help but I'm not clear how a DNS
> resolution would usefully cause a state change in the firewall without
> some further external guidance?

Yeah, I am not sure I grok the relationship to firewalls here,
either. Updating firewalls asynchronously based on DNS lookups sounds
wrong to me...

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] [RFC] systemd-resolved: Send d-bus signal after DNS resolution
On Wed, Feb 16, 2022 at 12:37 AM Suraj Krishnan wrote:
> Hello,
>
> I'm reaching out to the community to gather feedback about a feature to
> broadcast a d-bus signal notification from systemd-resolved when a DNS
> query is completed. The message would contain information about the query
> and IP addresses received from the DNS server.

IMO, broadcasts that are visible to everyone on the system bus are *really not a good idea*, especially for multi-user systems. (Not a fan of `ipconfig.exe /displaydns` being open to non-admins, either.) If such logging has to exist at all, it should only go to some specific destination.

I'm kinda guessing you want this for situations where resolved uses DNS-over-TLS?

If audit logging is necessary, maybe it would be better to use the existing "audit framework" – systemd already links to libaudit for service start/stop operations (via audit_log_user_comm_message).

Not sure how or why domain resolution would be integrated with the firewall, though.

--
Mantas Mikulėnas
Re: [systemd-devel] [RFC] systemd-resolved: Send d-bus signal after DNS resolution
On Di, 15.02.22 22:37, Suraj Krishnan (sura...@microsoft.com) wrote:

> Hello,
>
> I'm reaching out to the community to gather feedback about a feature
> to broadcast a d-bus signal notification from systemd-resolved when
> a DNS query is completed. The message would contain information
> about the query and IP addresses received from the DNS server.

Broadcasting this on the system bus sounds like a bit too heavy. I am sure there are setups which will resolve a *lot* of names in a very short time, and you'd flood the bus with that. D-Bus is expressly not built for streaming more than control data, but if you have a flood of DNS requests it becomes substantially more than that.

Also, given that in 99.9% of all cases the broadcast messages would just be dropped by the broker because nothing is listening, this sounds needlessly expensive.

What would make sense is adding a Varlink interface for this however. resolved uses varlink anyway, it could just build on that. Varlink has the benefit that no broker is involved: if no one is listening we wouldn't do anything and not have to pay for it. Moreover varlink has no issues with streaming large amounts of data. And it's easy to secure to ensure nobody unprivileged will see this (simply by making the socket have a restrictive access mode).

So yes, I think adding the concept makes a ton of sense. But not via D-Bus, but via Varlink. Would love to review/merge a patch that adds that and then exposes this via "resolvectl monitor" or so.

Lennart

--
Lennart Poettering, Berlin
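The Varlink-style stream Lennart describes, as an added sketch constructed for this thread (not systemd's code): a monitor socket created with a restrictive access mode, a notify path that does no work unless a subscriber is connected, and NUL-terminated JSON frames as Varlink uses. The names QueryMonitor, read_event and demo, the record fields, and the lookup values are assumptions.

```python
import json, os, select, socket, stat, tempfile

class QueryMonitor:  # constructed sketch of a resolver-side monitor stream, not systemd's code
    def __init__(self, path):
        self.path, self.clients = path, []
        old_umask = os.umask(0o077)  # no group/world bits even before the chmod below
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(path)
        os.umask(old_umask)
        os.chmod(path, 0o600)  # restrictive access mode: only the socket owner can connect
        self.srv.listen(8)

    def notify(self, name, addresses):
        """Called once per completed lookup; returns how many subscribers received it."""
        while select.select([self.srv], [], [], 0)[0]:  # pick up newly connected subscribers
            self.clients.append(self.srv.accept()[0])
        if not self.clients:
            return 0  # nobody listening: no serialisation, no send, nothing to pay for
        record = {"parameters": {"name": name, "addresses": addresses}, "continues": True}
        frame = json.dumps(record).encode() + b"\0"  # Varlink frames are NUL-terminated JSON
        alive = []
        for conn in self.clients:
            try:
                conn.sendall(frame)
                alive.append(conn)
            except OSError:
                conn.close()  # subscriber went away; drop it
        self.clients = alive
        return len(alive)

def read_event(conn):
    """Subscriber side (what a 'resolvectl monitor' would do): read one frame."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = conn.recv(4096)
        if not chunk:
            return None  # stream closed mid-frame
        buf += chunk
    return json.loads(buf[:-1])

def demo():
    with tempfile.TemporaryDirectory() as d:
        mon = QueryMonitor(os.path.join(d, "monitor"))
        idle = mon.notify("example.com", ["192.0.2.1"])  # constructed lookup, nobody subscribed
        sub = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sub.connect(mon.path)
        busy = mon.notify("example.com", ["192.0.2.1"])  # same lookup, one subscriber
        event = read_event(sub)
        sub.close()
        return {"mode": stat.S_IMODE(os.stat(mon.path).st_mode), "idle": idle, "busy": busy, "event": event}
```

Run demo() to see the two behaviours side by side: the first notify returns 0 without building a frame, the second delivers the record to the connected subscriber.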
Re: [systemd-devel] [RFC] systemd-resolved: Send d-bus signal after DNS resolution
On Tue, 15 Feb 2022 22:37:41 + Suraj Krishnan wrote:

> Hello,
>
> I'm reaching out to the community to gather feedback about a feature
> to broadcast a d-bus signal notification from systemd-resolved when a
> DNS query is completed. The message would contain information about
> the query and IP addresses received from the DNS server.

Sorry, I'm just an ignorant user but surely this would have privacy implications? If I make a DNS request from an application, I expect that to be private, not shared with whatever other processes or users might be on the system.

> This could be used by applications for auditing/logging services
> downstream of the resolver, or to update the firewall on the system.

Perhaps an example use case would help but I'm not clear how a DNS resolution would usefully cause a state change in the firewall without some further external guidance?

> I'm not familiar with how the code is written to be able to determine
> the feasibility of this approach, or if there is a better way to
> accomplish this. I welcome suggestions for this feature.
>
> Thanks,
> Suraj